Thread: General MoBlock thread

  1. #21
    Join Date
    May 2008
    Beans
    26
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: General MoBlock thread

    Sadly, moblock-control restart didn't make any difference.

    Here is the output of moblock-control status:

    Code:
    $ sudo moblock-control status
    Current iptables rules (this may take awhile):
    
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     tcp  --  *      *       192.168.0.1          0.0.0.0/0           tcp flags:!0x17/0x02 
       14  1729 ACCEPT     udp  --  *      *       192.168.0.1          0.0.0.0/0           
        1   576 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5 
        0     0 DROP       all  --  wlan0  *       0.0.0.0/0            255.255.255.255     
        0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.0.255       
        0     0 DROP       all  --  *      *       224.0.0.0/8          0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/8         
        0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0             
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
        0     0 LSI        all  -f  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 
     1595 1011K INBOUND    all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
        0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input' 
        0     0 moblock_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5 
        0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Forward' 
        0     0 moblock_fw  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    
    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     tcp  --  *      *       192.168.0.2          192.168.0.1         tcp dpt:53 
       14   887 ACCEPT     udp  --  *      *       192.168.0.2          192.168.0.1         udp dpt:53 
        0     0 DROP       all  --  *      *       224.0.0.0/8          0.0.0.0/0           
       15  1964 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/8         
        0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0             
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
     1649  201K OUTBOUND   all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           
        0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Output' 
        0     0 moblock_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    
    Chain INBOUND (1 references)
     pkts bytes target     prot opt in     out     source               destination         
     1592 1011K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        3   144 LSI        all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain LOG_FILTER (5 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       221.195.56.54        0.0.0.0/0           
        0     0 DROP       all  --  *      *       83.100.226.60        0.0.0.0/0           
    
    Chain LSI (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        3   144 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        3   144 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
        3   144 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 
        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
        0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain LSO (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound ' 
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    
    Chain OUTBOUND (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
     1463  193K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
      186  8312 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain moblock_fw (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 0
    
    Chain moblock_in (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 0
    
    Chain moblock_out (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 0
    
    Please check if the above printed iptables rules are correct!
    
     * moblock is running, pid is 6321.
    Possibly uninstalling firestarter might solve the problem.
    Specs: AMD Sempron 3000 1.8GHz x86 64-bit
    http://catb.org/~esr/faqs/smart-questions.html

  2. #22
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    The moblock_in etc. rules should be placed at the head of the INPUT etc. chains (not at the bottom as in your case).
    This will be the case directly after "moblock-control restart". Did you execute this command before the "status" command? Were there any messages? What's in /var/log/moblock-control.log?
    Please post your logfiles and output of commands wrapped in code tags:
    Code:
    [code]output[/code]
    Co-author of PeerGuardian Linux (pgl). Maintainer of the pgl package repositories for Debian and Ubuntu.

  3. #23
    Join Date
    May 2008
    Beans
    26
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: General MoBlock thread

    Oddly enough, after a system restart and uninstalling Firestarter, Moblock now works. However, I don't know why. The output of "status" was after restarting Moblock, and I don't recall there being any messages, though I might have forgotten.

    The output of the log, before the restart, was:

    Code:
    Got SIGTERM! Dumping stats and exiting.
    Duplicated range ( Bogo )
    Ranges loaded: 242165
    Merged ranges: 0
    Skipped useless ranges: 0
    NFQUEUE: binding to queue '0'
    Now the output is the same, except with addresses blocked.

    Here is the current output of the status command:

    Code:
    Current iptables rules (this may take awhile):
    
    Chain INPUT (policy ACCEPT 1437 packets, 1341K bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
       24 22874 moblock_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 moblock_fw  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    
    Chain OUTPUT (policy ACCEPT 1217 packets, 147K bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
       97  5850 moblock_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    
    Chain moblock_fw (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/24      
        0     0 RETURN     all  --  *      *       192.168.0.0/24       0.0.0.0/0           
        0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 0
    
    Chain moblock_in (1 references)
     pkts bytes target     prot opt in     out     source               destination         
       19 22173 RETURN     all  --  *      *       192.168.0.0/24       0.0.0.0/0           
        5   701 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 0
    
    Chain moblock_out (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 RETURN     all  --  *      *       0.0.0.0/0            66.114.0.0/16       
        0     0 RETURN     all  --  *      *       0.0.0.0/0            194.109.137.218     
        0     0 RETURN     all  --  *      *       0.0.0.0/0            66.150.0.0/16       
        0     0 RETURN     all  --  *      *       0.0.0.0/0            130.57.0.0/16       
        0     0 RETURN     all  --  *      *       0.0.0.0/0            69.31.0.0/16        
        0     0 RETURN     all  --  *      *       0.0.0.0/0            207.46.0.0/16       
        0     0 RETURN     all  --  *      *       0.0.0.0/0            64.4.0.0/16         
        0     0 RETURN     all  --  *      *       0.0.0.0/0            65.55.0.0/16        
        0     0 RETURN     all  --  *      *       0.0.0.0/0            65.54.0.0/16        
       12   750 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/24      
       85  5100 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 0
    
    Please check if the above printed iptables rules are correct!
    
     * moblock is running, pid is 6233.
    The moblock_in rules are still at the bottom of the INPUT etc. chains, but certain IPs are still being blocked. I assume that there must be another cause.

  4. #24
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    So what I meant to say is:
    Every rule in the INPUT chain that is before moblock_in will be processed before the packets get to MoBlock.
    You have the targets ACCEPT, DROP and other chains. Other chains themselves do the same: they ACCEPT, DROP or send packets back to INPUT. So we only need to look at ACCEPT and DROP:

    If a packet will be DROPped anyway it doesn't matter if it is checked by MoBlock.
    But if it gets ACCEPTed it will leave any further iptables processing, so it will not be checked by MoBlock.

    Therefore you have to make sure that ACCEPT rules are only before MoBlock if they accept traffic that is not intended to be checked by MoBlock.

    This is the INPUT chain you posted first:
    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     tcp  --  *      *       192.168.0.1          0.0.0.0/0           tcp flags:!0x17/0x02 
       14  1729 ACCEPT     udp  --  *      *       192.168.0.1          0.0.0.0/0           
        1   576 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5 
        0     0 DROP       all  --  wlan0  *       0.0.0.0/0            255.255.255.255     
        0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.0.255       
        0     0 DROP       all  --  *      *       224.0.0.0/8          0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/8         
        0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0             
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
        0     0 LSI        all  -f  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 
     1595 1011K INBOUND    all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
        0     0 LOG_FILTER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input' 
        0     0 moblock_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
    As you see there are many rules which ACCEPT traffic or send traffic to chains which contain an ACCEPT before your moblock_in. moblock_in should be the first or second rule in this chain.

    The case in your second post is better:
    Code:
    Chain INPUT (policy ACCEPT 1437 packets, 1341K bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
       24 22874 moblock_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
    One rule is before MoBlock and this rule simply accepts all traffic on the loopback device, which is ok.

    So this was the long version of what I meant to say with "the moblock_in rule has to be at the head of the chain and not at the bottom".

    Notes:
    Since Moblock 0.9 with the MARKing feature traffic that is accepted by MoBlock is not ACCEPTed (in the sense that it will leave the iptables processing) but "marked accepted" which means that it will be processed by the other iptables rules.
    (To be correct: the packets repeat the whole chain/hook function).
    Up to MoBlock 0.8 traffic was ACCEPTed, this is the reason why 0.8 did not work with firestarter.

    The above said is of course valid for OUTPUT and FORWARD, too.
    jre
    Last edited by jre; May 30th, 2008 at 08:49 PM.
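A scripted version of the check jre describes above, as an added example that is not part of MoBlock or of this thread. It parses the `iptables -L -v -n` text that `moblock-control status` prints and lists every INPUT rule ahead of the moblock_in jump that can ACCEPT a packet, following jumps into user chains (so a chain like firestarter's INBOUND, which ACCEPTs ESTABLISHED traffic, is caught). The two sample dumps are abridged copies of the status outputs posted earlier in the thread; treating loopback rules as harmless and tolerating K/M/G suffixes on the packet counters are my assumptions.

```python
"""Check whether ACCEPT rules short-circuit MoBlock's NFQUEUE hook.

Added example, not MoBlock's code.  Parses the `iptables -L -v -n` text printed
by `moblock-control status` and lists every INPUT rule that can ACCEPT a packet
before the jump to moblock_in, including jumps into user chains that ACCEPT.
"""


def parse_iptables_dump(text):
    """Return {chain: [rule, ...]} in dump order (dicts keep insertion order)."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        fields = line.split()
        # Rule lines start with the packet counter (digits, maybe a K/M/G suffix);
        # column headers, the status preamble and the footer text do not.
        if current is None or len(fields) < 9 or not fields[0].rstrip("KMGT").isdigit():
            continue
        chains[current].append({"target": fields[2], "prot": fields[3],
                                "in": fields[5], "out": fields[6], "src": fields[7],
                                "dst": fields[8], "extra": " ".join(fields[9:])})
    return chains


def chain_can_accept(chains, name):
    """True if a jump into user chain `name` can terminate in ACCEPT."""
    for rule in chains.get(name, []):
        target = rule["target"]
        if target == "ACCEPT" or (target in chains and chain_can_accept(chains, target)):
            return True
    return False


def rules_bypassing_moblock(chains, builtin="INPUT", hook="moblock_in"):
    """Rules ahead of `hook` in `builtin` that can ACCEPT non-loopback traffic.

    Returns [(position, target, match)]; an empty list means the order is fine.
    Raises ValueError if `hook` is absent, i.e. moblock-control never installed it.
    """
    offenders = []
    for pos, rule in enumerate(chains.get(builtin, []), 1):
        target = rule["target"]
        if target == hook:
            return offenders
        if "lo" in (rule["in"], rule["out"]):
            continue  # assumption: accepting loopback ahead of MoBlock is harmless
        if target == "ACCEPT" or (target in chains and chain_can_accept(chains, target)):
            match = f"{rule['prot']} {rule['src']} -> {rule['dst']} {rule['extra']}".strip()
            offenders.append((pos, target, match))
    raise ValueError(f"{builtin} has no jump to {hook}; run moblock-control restart")


# Abridged from the first status output in the thread (firestarter rules present);
# the LSI, LOG_FILTER and LOG chains contain no ACCEPT and are left out.
DUMP_BAD = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       192.168.0.1          0.0.0.0/0            tcp flags:!0x17/0x02
   14  1729 ACCEPT     udp  --  *      *       192.168.0.1          0.0.0.0/0
    1   576 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 LSI        all  -f  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5
 1595 1011K INBOUND    all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG_FILTER all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Unknown Input'
    0     0 moblock_in all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain INBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1592 1011K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   144 LSI        all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# After firestarter was removed (second status output): only loopback precedes MoBlock.
DUMP_GOOD = """\
Chain INPUT (policy ACCEPT 1437 packets, 1341K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   24 22874 moblock_in all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
"""

if __name__ == "__main__":
    for label, dump in (("before", DUMP_BAD), ("after", DUMP_GOOD)):
        bad = rules_bypassing_moblock(parse_iptables_dump(dump))
        print(f"{label}: {len(bad)} rule(s) ACCEPT before moblock_in")
        for pos, target, match in bad:
            print(f"  INPUT rule {pos}: {target} {match}")
```

Run as-is it reports four rules for the first dump (the three ACCEPTs for the router and ICMP, plus the INBOUND jump) and none for the second. Pointed at your own `sudo moblock-control status` output, every line it prints is a rule that either has to move below the moblock_in jump or be a deliberate exemption for traffic MoBlock should not see; the same function with builtin="OUTPUT", hook="moblock_out" covers the outbound side.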

  5. #25
    Join Date
    May 2008
    Beans
    26
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: General MoBlock thread

    Great, I now understand what you meant, and how the second post is better.

    Thanks a lot for your explanation, and also for Moblock, its a great program!

  6. #26
    Join Date
    May 2008
    Beans
    7

    Re: General MoBlock thread

    Quote Originally Posted by jre View Post
    @ alonecity:
    I need answers to these questions, too:


    Is 192.168.200.0/24 your LAN (in doubt post the output of sudo ifconfig)? If not, then you should whitelist your LAN.
    jre:
    I don't have any web browsing at all. 192.168.200.xxx is indeed my LAN.

    Code:
    eth0      Link encap:Ethernet  HWaddr 00:14:22:54:4e:6b  
              inet addr:192.168.200.101  Bcast:192.168.200.255  Mask:255.255.255.0
              inet6 addr: fe80::214:22ff:fe54:4e6b/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:31932 errors:0 dropped:0 overruns:0 frame:0
              TX packets:19232 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:44011705 (41.9 MB)  TX bytes:1664221 (1.5 MB)
              Interrupt:18 Base address:0xa000
    Thank you

    Edit: put the right tags.
    Last edited by alonecity; June 1st, 2008 at 12:36 PM.

  7. #27
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    I had a closer look at your iptables rules now. (Note: Please put them in CODE tags, it's a pain to read them this way).

    Now I saw that you use IPList/IPBlock and MoBlock at the same time - don't do this, just use one of both, they have the same functionality.

    There are two occasions where they conflict:

    - They both bind to NFQUEUE; although IPList does not use the default QUEUE number (0), problems might still occur.

    - They both mark packets. I'm not sure if these MARKs are additional or replace each other.

    I've just added a Conflict: iplist to the moblock package so that apt will refuse to install both at the same time.

    jre

  8. #28
    Join Date
    May 2008
    Beans
    7

    Re: General MoBlock thread

    Thanks jre. I thought I had uninstalled IPlist properly, but I went through an uninstall/reinstall/uninstall of IPlist and an uninstall/reinstall of Moblock and it seems to be working now.

  9. #29
    Join Date
    Nov 2004
    Beans
    102

    Re: General MoBlock thread

    Hi

    Hope you can help. I am not a Linux expert and know little about firewalls etc., but here goes.

    OK, I know I am doing something wrong here. The situation so far is:

    1) Installed moblock through Synaptic, following the instructions on the Ubuntu docs page. I am using Ubuntu 8.04.

    I know this from the readme:
    In the default configuration MoBlock starts at system boot and some preconfigured blocklists are updated once a day. You can specify the blocklists to use in /etc/moblock/blocklists.list. Everything else (automatic start and update, iptables handling, IP and port whitelisting) is configured in /etc/moblock/moblock.conf. This is important especially if MoBlock blocks sites that it should not block.

    2) So I edited the /etc/default/moblock file to include WHITE_TCP_OUT="http https" and then restarted moblock.

    BUT it still seems to block everything.

    Can anyone tell me what I need to do to get browsing and FTP to work whilst still running moblock? I tried mobloquer, which is a GUI, but even using that it doesn't unblock stuff. Very odd.

    Does this help?

    Code:
    sudo moblock-control status
    Current iptables rules (this may take awhile):
    
    Chain INPUT (policy ACCEPT 3382 packets, 764K bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 moblock_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW MARK match !0x14
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0xa
        0     0 moblock_fw  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW MARK match !0x14
    
    Chain OUTPUT (policy ACCEPT 3376 packets, 299K bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0xa reject-with icmp-port-unreachable
        0     0 moblock_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW MARK match !0x14
    
    Chain moblock_fw (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 0
    
    Chain moblock_in (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 RETURN     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
        0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 0
    
    Chain moblock_out (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 RETURN     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
        0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 0

    I have firestarter installed but am totally confused as to whether the firewall works all the time or only when I start the Firestarter GUI.

    Hope you can help.

    Many thanks

    doc

  10. #30
    Join Date
    Jan 2007
    Beans
    772

    Re: General MoBlock thread

    I guess you need to whitelist your LAN, including your router, too. If you don't know your local IP check it with "sudo ifconfig". It's the value after "inet addr:" of the interface that you use for networking. For wired connections that might be "eth0", for wireless connections "wlan0".

    Example: You found out that your IP is 192.168.0.39. Then your LAN will most probably cover the IP range 192.168.0.1-192.168.0.255. Then whitelist this range with the following lines in /etc/default/moblock:
    Code:
    WHITE_IP_IN="192.168.0.0/24"
    WHITE_IP_OUT="192.168.0.0/24"
    After editing and a "moblock-control restart" you should be fine. Of course you can also do this with mobloquer.

    firestarter is not a firewall itself but it just sets up the Linux firewall: iptables. All your iptables rules do belong to moblock, so there is no conflict.

    Thanks for posting your iptables rules, that saved me some questions.

    Greets
    jre
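To get from the ifconfig output to the two whitelist lines without guessing the prefix, here is an added example (not MoBlock's code and not from the thread). It parses the net-tools ifconfig format shown in alonecity's post, computes the network from address and mask with Python's ipaddress module, and refuses to emit a whitelist for loopback or for a public range, since a whitelisted range skips the blocklist entirely. The sample text is constructed: the eth0 block is the one posted above, the wlan0 and lo blocks are made up to show a /16 mask and the loopback case. WHITE_IP_IN/WHITE_IP_OUT are the variable names jre gives for /etc/default/moblock.

```python
"""Derive the LAN range to whitelist in /etc/default/moblock from ifconfig output.

Added example, not MoBlock's own code.  WHITE_IP_IN/WHITE_IP_OUT are the variable
names used in the thread; the parsed line format is the net-tools ifconfig one
shown there ("inet addr:A.B.C.D  Bcast:...  Mask:M.M.M.M").
"""
import ipaddress
import re

# Constructed sample: the eth0 block posted in the thread plus a wlan0 with a /16
# mask (to show the prefix is computed from the mask) and the loopback interface.
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:14:22:54:4e:6b
          inet addr:192.168.200.101  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::214:22ff:fe54:4e6b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

wlan0     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.1.37.9  Bcast:10.1.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

_IFACE_RE = re.compile(r"^(\S+)\s+Link encap")
_INET_RE = re.compile(r"inet addr:(\d+\.\d+\.\d+\.\d+).*?Mask:(\d+\.\d+\.\d+\.\d+)")


def interfaces(ifconfig_text):
    """Map interface name -> (address, netmask) for each IPv4-configured interface."""
    found = {}
    # net-tools ifconfig starts each interface block at column 0 and indents the rest
    for block in re.split(r"\n(?=\S)", ifconfig_text.strip()):
        name = _IFACE_RE.match(block)
        inet = _INET_RE.search(block)
        if name and inet:
            found[name.group(1)] = (inet.group(1), inet.group(2))
    return found


def lan_network(ifconfig_text, iface):
    """CIDR of the LAN on `iface`, computed from address and mask ('192.168.200.0/24')."""
    addr, mask = interfaces(ifconfig_text)[iface]
    net = ipaddress.IPv4Interface(f"{addr}/{mask}").network
    if net.is_loopback or not net.is_private:
        # A whitelist entry bypasses the blocklist entirely, so refuse anything
        # that is not an RFC 1918 range: a public /16 would punch a large hole.
        raise ValueError(f"{iface} is on {net}, not a private LAN range")
    return str(net)


def moblock_whitelist(ifconfig_text, iface):
    """The two lines to add to /etc/default/moblock for `iface`'s LAN."""
    net = lan_network(ifconfig_text, iface)
    return [f'WHITE_IP_IN="{net}"', f'WHITE_IP_OUT="{net}"']


if __name__ == "__main__":
    print("\n".join(moblock_whitelist(IFCONFIG_SAMPLE, "eth0")))
```

Note that the router itself (192.168.0.1 in the earlier posts) falls inside the computed range, so a single /24 entry covers the "including your router" part of jre's advice; a mask of 255.255.0.0 gives a /16 instead of the /24 a reader might copy by habit, which is why the prefix is computed rather than typed.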
