    MoBlock 0.8

    Developer: MoBlock Team
    License / Price: GPL / FREE
    Last Updated: March 23rd, 2006, 14:33 GMT
    Category: ROOT / System / Networking

    MoBlock description

     

    MoBlock is a Linux console application that blocks connections from/to hosts listed in a file in PeerGuardian format (guarding.p2p and p2p.p2b) or in ipfilter.dat files.

    MoBlock uses the iptables ipqueue userspace library and is very light on resources.

    Requirements:

    1) iptables and kernel support for connection and state tracking (ip_conntrack, ipt_state), plus the ip_queue or ipt_NFQUEUE kernel module (loadable or built-in).

    At least kernel 2.6.14 is required to use the NFQUEUE interface (the default interface from MoBlock version 0.6), together with the userspace libraries:

    libnfnetlink 0.0.14
    libnetfilter_queue 0.0.11

    These are the kernel modules I have with MoBlock running on 2.6.9-ac6:

    iptable_filter 2016 1
    ipt_state 1312 4
    ip_conntrack 37716 1 ipt_state
    ip_tables 14496 2 iptable_filter,ipt_state
    ip_queue 7608 0

    ...and these with kernel 2.6.15 using new NFQUEUE interface:

    nfnetlink_queue 9280 1
    nfnetlink 4824 2 nfnetlink_queue
    ipt_NFQUEUE 1408 2
    ipt_state 1472 0
    ip_conntrack 40044 1 ipt_state
    iptable_filter 2176 1
    ip_tables 17600 3 ipt_NFQUEUE,ipt_state,iptable_filter

    2) A valid guarding.p2p/ipfilter.dat/p2p.p2b host file in /etc (for example /etc/guarding.p2p). MoBlock tries to skip malformed or duplicate ranges, but if it finds something unexpected it segfaults.

    Update: Thanks to Andrew de Quincey's patch, MoBlock now uses regular expressions to load guarding.p2p files, so this should not be a problem anymore for these lists. In my tests I used lists from http://methlabs.org

    3) Minimum iptables knowledge (or trust my start script). MoBlock filters only packets that are QUEUEd with iptables, so it's up to you to choose what traffic you want to be filtered. For example, if you want MoBlock to filter all the new TCP connections that are initiated from your box using the NFQUEUE kernel interface:

    iptables -A OUTPUT -p tcp -m state --state NEW -j NFQUEUE

    A simple start script (MoBlock.sh) is provided that makes MoBlock filter all new incoming and outgoing connections, both for tcp and udp.

    Warning: many block lists include the loopback address, so you can have strange troubles accessing localhost services. I added explicit rules to the start script to accept localhost-to-localhost connections.
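A pre-flight check for the list-handling points above (malformed or duplicate ranges, and lists that include loopback), as an added example that is not MoBlock's code. It assumes the PeerGuardian text layout `description:start-end` per line and `#` comment lines; the function names and the sample list are constructed for illustration.

```python
import re

# guarding.p2p line: "<description>:<start>-<end>". The description may contain
# ':' itself, so the address range is anchored at the end of the line.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(rf"^(?P<name>.*):(?P<start>{IP})-(?P<end>{IP})\s*$")
LO_START, LO_END = 0x7F000000, 0x7FFFFFFF  # 127.0.0.0/8

# Constructed sample list; '#' comment lines are an assumption about the format.
SAMPLE = """\
# comment line
Example Org:192.0.2.0-192.0.2.255
Name: with colon:198.51.100.10-198.51.100.20
Local bogon:127.0.0.0-127.255.255.255
Example Org:192.0.2.0-192.0.2.255
Broken entry 203.0.113.1
Bad octet:203.0.113.300-203.0.113.301
Reversed:203.0.113.9-203.0.113.1
""".splitlines()

def ip_to_int(text):
    # bytes() raises ValueError for any octet above 255
    return int.from_bytes(bytes(int(o) for o in text.split(".")), "big")

def load_p2p(lines):
    """Return (sorted [(start, end, name)], [(line number, reason)])."""
    ranges, rejected, seen = [], [], set()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append((lineno, "malformed"))
            continue
        try:
            start, end = ip_to_int(m["start"]), ip_to_int(m["end"])
        except ValueError:
            rejected.append((lineno, "bad octet"))
            continue
        if start > end:
            rejected.append((lineno, "start > end"))
        elif (start, end) in seen:
            rejected.append((lineno, "duplicate"))
        else:
            seen.add((start, end))
            ranges.append((start, end, m["name"]))
    return sorted(ranges), rejected

def loopback_hits(ranges):
    """Names of ranges that overlap 127.0.0.0/8 and would block localhost."""
    return [n for s, e, n in ranges if s <= LO_END and e >= LO_START]
```

Running this over a list before installing it in /etc shows which lines would be skipped and whether localhost exceptions are needed in the iptables rules.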

    ** VERY IMPORTANT WARNING!! **

    When a packet hits an NFQUEUE/QUEUE rule it will be accepted or dropped by MoBlock (well, it is what you want, right? :P), so it will NOT be checked by other rules that may follow in the chain!
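A lint for the warning above, run over `iptables-save` output (added example, not part of MoBlock or its start script). It is a heuristic that compares only protocol and connection state; the sample ruleset and the function names are constructed.

```python
QUEUE_TARGETS = {"NFQUEUE", "QUEUE"}
# Constructed iptables-save excerpt: INPUT is ordered unsafely, OUTPUT safely.
SAMPLE = """\
-A INPUT -p tcp -m state --state NEW -j NFQUEUE
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -j NFQUEUE
-A OUTPUT -p udp -j DROP
"""

def parse(save_text):
    """Map chain -> [(options, raw line)] for each '-A' rule in iptables-save output."""
    chains = {}
    for raw in save_text.splitlines():
        tok = raw.split()
        if len(tok) < 2 or tok[0] != "-A":
            continue
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1])
                if t in ("-i", "-o", "-p", "-j", "--state", "--ctstate")}
        state = opts.get("--state") or opts.get("--ctstate")
        opts["states"] = set(state.split(",")) if state else None  # None = any state
        chains.setdefault(tok[1], []).append((opts, raw.strip()))
    return chains

def overlaps(rule, queue):
    """Heuristic: could a packet taken by `queue` also have matched `rule`?"""
    same_proto = None in (rule.get("-p"), queue.get("-p")) or rule["-p"] == queue["-p"]
    rs, qs = rule["states"], queue["states"]
    return same_proto and (rs is None or qs is None or bool(rs & qs))

def lint(save_text):
    """Return [(chain, finding)] for queue rules that pre-empt other rules."""
    findings = []
    for chain, rules in parse(save_text).items():
        lo_opt = {"INPUT": "-i", "OUTPUT": "-o"}.get(chain)  # FORWARD: no loopback
        lo_ok, queues = lo_opt is None, []
        for opts, raw in rules:
            if opts.get("-j") in QUEUE_TARGETS:
                if not lo_ok and not queues:
                    findings.append((chain, "no loopback ACCEPT before queue rule"))
                queues.append(opts)
            elif not queues:
                lo_ok = lo_ok or (opts.get(lo_opt) == "lo" and opts.get("-j") == "ACCEPT")
            elif any(overlaps(opts, q) for q in queues):
                findings.append((chain, "queued packets never reach: " + raw))
    return findings
```

On the sample, the INPUT chain yields three findings (the late loopback and port 22 rules are pre-empted by the queue rule) while the OUTPUT chain yields none.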

    Installation & Usage:

    Just untar somewhere.
    To build MoBlock from sources, just run "make" in the untar directory.

    The static version was compiled on Slackware 10.2 with gcc 3.4.5. If you don't want to install the libnetfilter libraries, try it: just rename it to "MoBlock".

    To start it just launch MoBlock.sh as root, for example:

    ./MoBlock.sh &

    By default it loads the block list from /etc/guarding.p2p and logs its activity to ./MoBlock.log; you can edit MoBlock.sh if you want to change them. For example, if you want to use the new p2p.p2b files, change this line in the start script:

    ./MoBlock /etc/guarding.p2p MoBlock.log

    into this:

    ./MoBlock -n /etc/p2p.p2b MoBlock.log

    or if you want to use ipfilter.dat files:

    ./MoBlock -d /etc/ipfilter.dat MoBlock.log

    To stop it:

    kill -TERM < MoBlockPid >

    While shutting down it will dump some stats to /var/log/MoBlock.stats. To obtain stats about blocked ranges while it's running:

    kill -USR1 < MoBlockPid > # write stats to logfile
    kill -USR2 < MoBlockPid > # write stats to /var/log/MoBlock.stats

    ** NEW: to reload the blocklist while MoBlock is running send to it the HUP signal:

    kill -HUP < MoBlockPid > # reloads blocklist and resets stats

    What's New in This Release:

    · Support for NFQUEUE-ing from iptables FORWARD chain was added.
    · Log file rotation and creation of a pid file are now supported.
    · Fixes were made. Files for Debian packaging were added.
    · A new start script that supports port whitelisting was added.

      

