Thread: General MoBlock thread

  1. #401
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    Yes. PeerGuardian Linux (pgl) is based on nfblock (moblock clone) and blockcontrol and has many improvements and fixes. If you want to try it you can get it from the git development repository:
    https://sourceforge.net/projects/peerguardian/develop

    You can install it e.g. with

    Code:
    # Install git, fakeroot and build-dependencies:
    sudo aptitude install git-core fakeroot debhelper libqt4-dev \
      po-debconf zlib1g-dev libnetfilter-queue-dev libnfnetlink-dev \
      libdbus-1-dev
    # Get the development repository
    git clone git://peerguardian.git.sourceforge.net/gitroot/peerguardian/peerguardian
    # Change to the source directory
    cd peerguardian/pgl/
    # Build the packages
    dpkg-buildpackage -uc -us -tc -rfakeroot
    # Install packages
    sudo dpkg -i ../pgl*.deb
    Oh, for releasing I only have to update the documentation and fix the Debian packaging (nearly done).
    That answer was even faster I like copy&paste.
    Please post your logfiles and output of commands wrapped in code tags:
    Code:
    [code]output[/code]
    Co-author of PeerGuardian Linux (pgl). Maintainer of the pgl package repositories for Debian and Ubuntu.

  2. #402
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    The real replacement will just occur when we have a GUI. Work on that was started, but is stalled currently. So I can't tell what will happen ....

  3. #403
    Join Date
    Aug 2008
    Location
    Brazil
    Beans
    12,497
    Distro
    Ubuntu Studio 12.04 Precise Pangolin

    Re: General MoBlock thread

    Quote Originally Posted by jre View Post
    Yes. PeerGuardian Linux (pgl) is based on nfblock (moblock clone) and blockcontrol and has many improvements and fixes. If you want to try it you can get it from the git development repository:
    https://sourceforge.net/projects/peerguardian/develop

    You can install it e.g. with

    Code:
    # Install git, fakeroot and build-dependencies:
    sudo aptitude install git-core fakeroot debhelper libqt4-dev \
      po-debconf zlib1g-dev libnetfilter-queue-dev libnfnetlink-dev \
      libdbus-1-dev
    # Get the development repository
    git clone git://peerguardian.git.sourceforge.net/gitroot/peerguardian/peerguardian
    # Change to the source directory
    cd peerguardian/pgl/
    # Build the packages
    dpkg-buildpackage -uc -us -tc -rfakeroot
    # Install packages
    sudo dpkg -i ../pgl*.deb
    Oh, for releasing I only have to update the documentation and fix the Debian packaging (nearly done).
    That answer was even faster I like copy&paste.

    Thanks. I'm definitely going to try it. I hope it keeps the nice features provided by moblock. For instance, I use moblock as iptables manager, not only for blocking peers.

    Do I need to remove moblock first? How do I revert the changes made by the above instructions?

  4. #404
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    You need to uninstall moblock/....
    Then the new packages will be pgld, pgld-dbg and pglcmd.
    Most important for you: the iptables chains have new names. The filenames changed of course, too. But I think both are already documented.
    Besides that you can replace all "blockcontrol OPTION" commands with "pglcmd OPTION".

  5. #405
    Join Date
    Jun 2008
    Location
    Cavite, Philippines
    Beans
    39
    Distro
    Ubuntu

    Re: General MoBlock thread

    I am trying to obtain jaunty clarification of the Howto comment that most kernels do not permit whitelist traffic per application. My goal is to block transmission from a specific site but permit deluge. After blacklisting the site it appears that iptables-custom-insert.sh would permit me to either whitelist the application deluge or whitelist the site, but it would not permit a whitelist based on the requirement that both conditions be met. My initial read of the chain rule-specification of man iptables suggests that it is not helpful. Am I correct and is there an alternate approach?

  6. #406
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    You can freely combine all iptables options. So the combination of whitelisting a site for a special application is possible.

    If your system (kernel/netfilter/iptables) doesn't support the cmd-owner module, you may use other modules instead - I guess the uid-owner module (solution 3) is supported by every system.

    Here are a few possible solutions (not tested!):
    1. Use the pid-owner module (the first line first makes sure that deluge is running, and then inserts the whitelisting rule for deluge's pid which is inserted automatically by $(pidof deluge). So you need to restart blockcontrol after starting deluge.)
      Code:
      pidof deluge > /dev/null && \
      iptables -I blockcontrol_out -m owner --pid-owner $(pidof deluge) -d [IP] -j RETURN
    2. Use the cmd-owner module
      Code:
      iptables -I blockcontrol_out -m owner --cmd-owner deluge -d [IP] -j RETURN
    3. Run deluge from a separate user and use the uid-owner module
      Code:
      iptables -I blockcontrol_out -m owner --uid-owner [deluge-user] -d [IP] -j RETURN

  7. #407
    Join Date
    Jun 2008
    Location
    Cavite, Philippines
    Beans
    39
    Distro
    Ubuntu

    Re: General MoBlock thread

    After I was unable to get application specific whitelist option 1 or 2 above to work, I simplified by blacklisting a local google site (64.233.189.104) and retried with the google site address, also to fail. Then I got rid of iptables-custom-insert.sh and edited /blockcontrol.conf to whitelist the site and verified that it appeared correct in Mobloquer only to again discover that the whitelist failed. I did stop, rebuild and start MoBlock appropriately. I use firestarter to blacklist my problem site. Do the MoBlock whitelist features require that the blacklist come from a list rather than iptables? If so, is there a technique to put a blacklist site into a list format that may be imported? My last blocklist control status follows:

    Code:
    :~$ sudo blockcontrol status
    [sudo] password for dea: 
    Current IPv4 iptables rules (this may take a while):
    
    Chain INPUT (policy DROP 4 packets, 5752 bytes)
     pkts bytes target     prot opt in     out     source               destination         
      640 28112 blockcontrol_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW mark match !0x14 
        0     0 ACCEPT     tcp  --  *      *       192.168.0.1          0.0.0.0/0           tcp flags:!0x17/0x02 
        4   596 ACCEPT     udp  --  *      *       192.168.0.1          0.0.0.0/0           
    19394 4442K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
      121 15058 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5 
        0     0 DROP       all  --  *      *       224.0.0.0/8          0.0.0.0/0           
        5   140 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/8         
        0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0             
       23  1020 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
        0     0 LSI        all  -f  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 
    43584   24M INBOUND    all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
        0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input' 
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 blockcontrol_fw  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW mark match !0x14 
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5 
        0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Forward' 
    
    Chain OUTPUT (policy DROP 6 packets, 240 bytes)
     pkts bytes target     prot opt in     out     source               destination         
     2396  210K blockcontrol_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW mark match !0x14 
        0     0 ACCEPT     tcp  --  *      *       192.168.0.102        192.168.0.1         tcp dpt:53 
        4   257 ACCEPT     udp  --  *      *       192.168.0.102        192.168.0.1         udp dpt:53 
    19394 4442K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       224.0.0.0/8          0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/8         
        0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0             
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
    53936   45M OUTBOUND   all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           
        0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Output' 
    
    Chain INBOUND (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    42201   23M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
     1382  234K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        1    75 LSI        all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain LOG_FILTER (5 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain LSI (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        1    75 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 
        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
        0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
        1    75 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
        1    75 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain LSO (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        2    88 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        2    88 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound ' 
        2    88 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    
    Chain OUTBOUND (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    51112   45M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
      215 26112 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        2    88 LSO        all  --  *      *       0.0.0.0/0            64.233.189.104      
     2607  267K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain blockcontrol_fw (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0xa 
        0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.1         
        0     0 RETURN     all  --  *      *       192.168.0.0/24       192.168.0.0/24      
        0     0 RETURN     all  --  *      *       0.0.0.0/0            64.233.189.104      
        0     0 RETURN     all  --  *      *       64.233.189.104       0.0.0.0/0           
        0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 92
    
    Chain blockcontrol_in (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0xa 
      637 28028 RETURN     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
        3    84 RETURN     all  --  *      *       192.168.0.0/24       0.0.0.0/0           
        0     0 RETURN     all  --  *      *       64.233.189.104       0.0.0.0/0           
        0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 92
    
    Chain blockcontrol_out (1 references)
     pkts bytes target     prot opt in     out     source               destination         
      224 24878 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0xa reject-with icmp-port-unreachable 
      637 28028 RETURN     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
        2   127 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.1         
        0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/24      
        0     0 RETURN     all  --  *      *       0.0.0.0/0            64.233.189.104      
        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
       19   836 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
     1514  156K NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 92
    
    Please check if the above printed iptables rules are correct!
    
     * moblock is running
    PID: 24547    CMD: /usr/bin/moblock -p /var/lib/blockcontrol/guarding.p2p -q 92 -t -r 10 -a 20 /var/log/moblock.log
    
     * blockcontrol.wd is running
    PID: 24552    CMD: /bin/sh /usr/bin/blockcontrol.wd

  8. #408
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    First off, every configuration change requires a "blockcontrol restart"! But at least in your "blockcontrol status" everything seems fine. There you have whitelisted/allowed 64.233.189.104 in every direction for moblock. So moblock will never block this IP. Instead you reject this IP with firestarter for outgoing connections (chains OUTBOUND and LSO).

    Just for clarification (I'm a bit at a loss to understand what you really want):
    whitelisting:
    moblock will not block this IP, even if it is in one of the blocklists. Note that e.g. firestarter still may block this IP, even if moblock does not block it. This can be achieved
    • with the WHITE_IP_IN, WHITE_IP_OUT and WHITE_IP_FORWARD entries in blockcontrol.conf
    • an iptables rule in iptables-custom-insert.sh with the target RETURN


    blacklisting:
    two ways to understand this:
    1. Generally block traffic to/from an IP. This can be achieved by
      • Using e.g. firestarter
      • an iptables rule with the target REJECT or DROP
    2. Add an IP to moblock's blocklist (I think this is the answer to your last questions):
      1. Create a file /etc/blockcontrol/custom-blocklist.p2p and add a line like
        Code:
        Google:64.233.189.104-64.233.189.104
      2. then add this line to blockcontrol.conf:
        Code:
        locallist /etc/blockcontrol/custom-blocklist.p2p


    Feel free to ask again. I'm not sure whether this answer helped.
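Added example, not part of the original thread: the diagnosis in #408 can be read straight off the `blockcontrol status` listing from #407. The script lists every rule that names a given IP and, where that rule jumps to a user-defined chain, the terminal targets found in that chain; the function names and the `pkts=`/`match=` output layout are assumptions of this example, and the embedded sample is an excerpt of the #407 listing.

```shell
#!/bin/sh
# Added example. Excerpt of the listing from post #407
# (format of `iptables -L -n -v`), embedded so the script runs offline.
sample_status() {
cat <<'EOF'
Chain LSO (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2    88 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2    88 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
51112   45M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2    88 LSO        all  --  *      *       0.0.0.0/0            64.233.189.104
 2607  267K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain blockcontrol_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
  224 24878 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0xa reject-with icmp-port-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            64.233.189.104
 1514  156K NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 92
EOF
}

# rules_for_ip IP: read `iptables -L -n -v` output on stdin and print one line
# per rule whose source or destination column is exactly IP:
#   "<chain> <target> pkts=<counter> match=<src|dst>[ -> <terminal targets>]"
# The "->" part is added when the target is itself a chain in the listing.
# Assumes every rule line has a target, so the columns do not shift.
rules_for_ip() {
    awk -v ip="$1" '
        $1 == "Chain" { chain = $2; defined[chain] = 1; next }
        $1 == "pkts" || NF < 9 { next }     # column header or blank line
        {
            n++
            rchain[n] = chain; rpkts[n] = $1; rtarget[n] = $3
            rsrc[n] = $8; rdst[n] = $9
            # Remember which final verdicts each chain can hand out.
            if ($3 ~ /^(ACCEPT|DROP|REJECT)$/ &&
                index(" " term[chain] " ", " " $3 " ") == 0)
                term[chain] = (term[chain] == "" ? $3 : (term[chain] " " $3))
        }
        END {
            for (i = 1; i <= n; i++) {
                if (rdst[i] == ip) side = "dst"
                else if (rsrc[i] == ip) side = "src"
                else continue
                line = rchain[i] " " rtarget[i] " pkts=" rpkts[i] " match=" side
                t = rtarget[i]
                if (t in defined)
                    line = line " -> " (term[t] == "" ? "none" : term[t])
                print line
            }
        }
    '
}

# Stand-alone run over the embedded excerpt.
sample_status | rules_for_ip 64.233.189.104
```

On the excerpt, the moblock chain only RETURNs the address (counter 0), while the two counted packets went through firestarter's OUTBOUND rule into LSO, whose terminal target is REJECT.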

  9. #409
    Join Date
    Sep 2005
    Location
    Italy
    Beans
    166
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: General MoBlock thread

    Lately moblock (last version on 10.04-32) blocks lots of connections, most of which are outgoing, and this has been happening for a few days even though no p2p software is running.

    I rebooted the router and got a new public IP several times, but since the last time I shut aMule down a few days ago moblock is still blocking connections.

    Here's a small portion of moblock.log:

    Tue Jun 8 13:39:58| OUT: Valencia University,hits: 3,DST: 147.156.27.234
    Tue Jun 8 13:39:58| OUT: Vodafone Ireland Limited,hits: 54,DST: 93.107.7.186
    Tue Jun 8 13:40:05| OUT: Vodafone Ireland Limited,hits: 55,DST: 93.107.7.186
    Tue Jun 8 13:40:07| OUT: Vodafone Ireland Limited,hits: 56,DST: 93.107.7.186
    Tue Jun 8 13:40:11| OUT: Vodafone Ireland Limited,hits: 57,DST: 93.107.7.186
    Tue Jun 8 13:40:32| OUT: Vodafone Ireland Limited,hits: 58,DST: 93.107.7.186
    Tue Jun 8 13:40:34| OUT: Vodafone Ireland Limited,hits: 59,DST: 93.107.7.186
    Tue Jun 8 13:40:38| OUT: Vodafone Ireland Limited,hits: 60,DST: 93.107.7.186
    Tue Jun 8 13:41:49| OUT: Vodafone Omnitel N.V,hits: 6,DST: 93.147.74.54
    Tue Jun 8 13:41:49| OUT: TeliaSonera AB,hits: 1,DST: 213.66.160.14
    Tue Jun 8 13:41:49| OUT: University of Lancaster,hits: 1,DST: 148.88.181.173
    Tue Jun 8 13:41:51| OUT: Vodafone Omnitel N.V,hits: 7,DST: 93.147.74.54
    Tue Jun 8 13:41:51| OUT: TeliaSonera AB,hits: 2,DST: 213.66.160.14
    Tue Jun 8 13:41:51| OUT: University of Lancaster,hits: 2,DST: 148.88.181.173
    Tue Jun 8 13:41:55| OUT: Vodafone Omnitel N.V,hits: 8,DST: 93.147.74.54
    Tue Jun 8 13:41:55| OUT: TeliaSonera AB,hits: 3,DST: 213.66.160.14
    Tue Jun 8 13:41:55| OUT: University of Lancaster,hits: 3,DST: 148.88.181.173
    Tue Jun 8 13:45:38| OUT: University of Lancaster,hits: 4,DST: 148.88.181.173
    Tue Jun 8 13:45:40| OUT: University of Lancaster,hits: 5,DST: 148.88.181.173
    Tue Jun 8 13:45:44| OUT: University of Lancaster,hits: 6,DST: 148.88.181.173
    Tue Jun 8 13:50:19| OUT: I.Net S.p.A., Vodafone Omnitel N.V,hits: 28,DST: 213.92.110.188
    Tue Jun 8 13:50:20| OUT: Early registrations SURFnet bv,hits: 61,DST: 145.116.233.143
    Tue Jun 8 13:50:21| OUT: I.Net S.p.A., Vodafone Omnitel N.V,hits: 29,DST: 213.92.110.188
    Tue Jun 8 13:50:22| OUT: Early registrations SURFnet bv,hits: 62,DST: 145.116.233.143
    Tue Jun 8 13:50:26| OUT: I.Net S.p.A., Vodafone Omnitel N.V,hits: 30,DST: 213.92.110.188
    Tue Jun 8 13:50:26| OUT: Early registrations SURFnet bv,hits: 63,DST: 145.116.233.143
    Tue Jun 8 13:50:45| OUT: Vodafone Ireland Limited,hits: 61,DST: 93.107.7.186
    Tue Jun 8 13:50:47| OUT: Vodafone Ireland Limited,hits: 62,DST: 93.107.7.186
    Tue Jun 8 13:50:51| OUT: Vodafone Ireland Limited,hits: 63,DST: 93.107.7.186
    Tue Jun 8 13:53:50| OUT: Bogon,hits: 1,DST: 42.242.39.203
    Tue Jun 8 13:53:50| OUT: Bogon,hits: 2,DST: 42.242.39.203
    Tue Jun 8 14:01:44| OUT: Early registrations SURFnet bv,hits: 64,DST: 145.116.233.143
    Tue Jun 8 14:01:46| OUT: Early registrations SURFnet bv,hits: 65,DST: 145.116.233.143
    Tue Jun 8 14:01:50| OUT: Early registrations SURFnet bv,hits: 66,DST: 145.116.233.143
    Tue Jun 8 14:04:29| OUT: I.Net S.p.A., Vodafone Omnitel N.V,hits: 31,DST: 213.92.110.188
    Tue Jun 8 14:04:30| OUT: Vodafone Ireland Limited,hits: 64,DST: 93.107.7.186
    Tue Jun 8 14:04:31| OUT: I.Net S.p.A., Vodafone Omnitel N.V,hits: 32,DST: 213.92.110.188
    Tue Jun 8 14:04:32| OUT: Vodafone Ireland Limited,hits: 65,DST: 93.107.7.186
    Tue Jun 8 14:04:35| OUT: I.Net S.p.A., Vodafone Omnitel N.V,hits: 33,DST: 213.92.110.188
    Tue Jun 8 14:04:35| OUT: Vodafone Ireland Limited,hits: 66,DST: 93.107.7.186

    1) Is this normal? In my experience with moblock I used to change public IP by rebooting the router every time I turned p2p software off, and no IN/OUT connection whatsoever.

    2) What is it on my machine that is trying to connect to those hosts? I ran rkhunter and chkrootkit and nothing was found.

    On this machine I usually run Firefox, Skype, Rhythmbox with all plugins disabled, and OpenOffice, which are all open now and that's all.

    ???


  10. #410
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    I wouldn't worry about that.
    Since they are outgoing connections a new IP from your router can't help here.
    To investigate further you can check the ports of the blocked packets: For moblock check this link or just install pgl (no GUI yet) instead of moblock and have a look at /var/log/pgl/pgld.log

    You can also use a packet sniffer (wireshark) to analyze the traffic.
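Added example, not part of the original thread: before moving on to port checks or a packet capture, the moblock.log lines posted in #409 can be condensed to one row per blocked destination. Fields are split on the `| `, `,hits: ` and `: ` markers visible in that log rather than on commas, because range names such as `I.Net S.p.A., Vodafone Omnitel N.V` contain commas; the function names and the output layout are assumptions of this example.

```shell
#!/bin/sh
# Added example. Lines copied from the moblock.log excerpt in post #409,
# embedded so the script runs offline.
sample_log() {
cat <<'EOF'
Tue Jun 8 13:39:58| OUT: Valencia University,hits: 3,DST: 147.156.27.234
Tue Jun 8 13:39:58| OUT: Vodafone Ireland Limited,hits: 54,DST: 93.107.7.186
Tue Jun 8 13:40:05| OUT: Vodafone Ireland Limited,hits: 55,DST: 93.107.7.186
Tue Jun 8 13:40:07| OUT: Vodafone Ireland Limited,hits: 56,DST: 93.107.7.186
Tue Jun 8 13:50:19| OUT: I.Net S.p.A., Vodafone Omnitel N.V,hits: 28,DST: 213.92.110.188
Tue Jun 8 13:50:21| OUT: I.Net S.p.A., Vodafone Omnitel N.V,hits: 29,DST: 213.92.110.188
Tue Jun 8 13:53:50| OUT: Bogon,hits: 1,DST: 42.242.39.203
Tue Jun 8 13:53:50| OUT: Bogon,hits: 2,DST: 42.242.39.203
EOF
}

# summarize_blocks: read moblock.log lines on stdin and print, most frequently
# logged first, one line per direction and address:
#   "<lines> <DIR> <ip> <first time> <last time> hits=<highest counter> <range name>"
# Lines that do not match the format shown in the thread are skipped.
# Assumes the timestamp is "Day Mon D HH:MM:SS", as in the posted log.
summarize_blocks() {
    awk '
        {
            bar = index($0, "| ")
            if (bar == 0) next
            split(substr($0, 1, bar - 1), ts, " ")
            rest = substr($0, bar + 2)            # "OUT: name,hits: N,DST: ip"
            c = index(rest, ": "); h = index(rest, ",hits: ")
            if (c == 0 || h == 0 || h < c) next
            dir  = substr(rest, 1, c - 1)
            name = substr(rest, c + 2, h - c - 2) # may itself contain commas
            rest = substr(rest, h + 7)            # "N,DST: ip"
            a = index(rest, ","); i = index(rest, ": ")
            if (a == 0 || i == 0) next
            hits = substr(rest, 1, a - 1) + 0
            ip   = substr(rest, i + 2)
            k = dir " " ip
            if (!(k in count)) first[k] = ts[4]
            count[k]++; last[k] = ts[4]; label[k] = name
            if (hits > max[k]) max[k] = hits
        }
        END {
            for (k in count)
                print count[k], k, first[k], last[k], "hits=" max[k], label[k]
        }
    ' | LC_ALL=C sort -k1,1nr -k3,3
}

# Stand-alone run over the embedded excerpt.
sample_log | summarize_blocks
```

The address column of the top rows is what to filter on in the packet sniffer mentioned in #410.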
