Showing posts with the label iptables.

Thursday, August 21, 2008

MoBlock on Ubuntu

1. add moblock package path to /etc/apt/sources.list

deb http://moblock-deb.sourceforge.net/debian hardy main
deb-src http://moblock-deb.sourceforge.net/debian hardy main

2. add the gpg key

gpg --keyserver wwwkeys.eu.pgp.net --recv 9072870B
gpg --export --armor 9072870B | sudo apt-key add -

3. update package lists and install moblock and its front-end gui, mobloquer

sudo apt-get update
sudo apt-get install moblock moblock-control mobloquer

4. choose which blocklists to load
http://tbg.iblocklist.com/Lists/
http://www.bluetack.co.uk/forums/index.php?autocom=faq&CODE=02&qid=17

ads-trackers-and-bad-pr0n.gz #advertising
bogon.gz #bogus IP announcements
dshield.gz #hackers
edu.gz #educational institutions
fornonlancomputers.gz #LAN IP ranges
hijacked.gz #IP blocks that are being used without permission
iana-multicast.gz #http://www.iana.org/assignments/multicast-addresses
iana-private.gz #http://www.iana.org/assignments/ipv4-address-space/
iana-reserved.gz #http://www.iana.org/assignments/ipv4-address-space/
level1.gz #for p2p users
level2.gz #general corporate
level3.gz #paranoid list
Microsoft.gz #Microsoft Corp ranges that are not on Level1
proxy.gz #various proxy servers
rangetest.gz #suspicious IPs
spider.gz #automated programs also known as spiders or bots
spyware.gz #malicious SPYWARE and ADWARE IP Address ranges
templist.gz #sending corrupt or virus p2p data

BusinessISPs.zip should not be loaded because most people's own addresses are in those ranges.
fornonlancomputers.gz and Bogon.zip must not be selected if this host exchanges traffic with the LAN.

5. moblock usage (needs root privileges)

moblock-control start - inserts iptables rules and starts MoBlock
moblock-control stop - deletes iptables rules and stops MoBlock
moblock-control restart - restarts MoBlock
moblock-control reload - rebuilds the blocklist and reloads MoBlock
moblock-control update - updates the blocklists and reloads MoBlock
moblock-control status - gives the iptables settings and the status of the MoBlock daemon
moblock-control test - simple test to check if MoBlock is working

6. the use of files in /etc/moblock

blocklists.list #blacklist
allow.p2p #whitelist
guarding.p2p #the merged list of IP ranges that is actually blocked, built from blocklists.list
moblock.conf #configuration file

7. log location

/var/log/moblock.log #block log
/var/log/moblock-control.log #moblock-control status log

8. you can reconfigure moblock without reinstalling

sudo dpkg-reconfigure moblock


9. allow port 1863 for MSN, 5050 for Yahoo, 5190 for ICQ

vi /etc/moblock/moblock.conf

WHITE_TCP_IN=""
WHITE_UDP_IN=""
WHITE_TCP_OUT="80 443 1863 5050 5190"
WHITE_UDP_OUT=""
WHITE_TCP_FORWARD="80 443 1863 5050 5190"
WHITE_UDP_FORWARD=""

you have to set WHITE_TCP_FORWARD as well if you want the same whitelisted ports for the LAN; otherwise packets from LAN computers will be dropped in the moblock_fw chain

Thursday, July 3, 2008

Load IPTables rules while booting on Ubuntu

1. write your rules as a script

vi /root/firewall.start

2. make another script to flush all rules and allow all connections

vi /root/firewall.stop
--
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

3. chmod 700 /root/firewall.*

4. load rules

sudo /root/firewall.start
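Step 1 leaves the contents of /root/firewall.start to the reader. The following is an added example of such a script (not the post's own), a default-deny, stateful host firewall with a whitelist of inbound TCP ports. The IPT and TCP_IN variables and the apply/dry-run arguments are assumptions; with IPT=echo the script only prints the iptables commands it would run, which is handy for reviewing a rule set before it is applied as root:

```shell
#!/bin/sh
# /root/firewall.start: host firewall rules (added example, not the post's own script).
# Default-deny inbound, stateful, with a whitelist of inbound TCP ports.
# IPT and TCP_IN are assumptions; set IPT=echo for a dry run that prints the
# commands instead of applying them (applying for real needs root).
IPT="${IPT:-/sbin/iptables}"
TCP_IN="${TCP_IN:-22}"   # inbound TCP services to allow; ssh only by default

firewall_start() {
    # start from a clean slate, exactly what firewall.stop does
    $IPT -F && $IPT -X && $IPT -t nat -F && $IPT -t nat -X &&
        $IPT -t mangle -F && $IPT -t mangle -X || return 1

    # default policies: drop unsolicited inbound and forwarded traffic
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # loopback, replies to connections this host opened, and nothing malformed
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # whitelisted inbound services
    for port in $TCP_IN; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # rate-limited ping; everything else is logged (rate-limited) and dropped
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A INPUT -j DROP
}

# Dry run: print the rule set that a given port list would produce.
firewall_dry_run() {
    ( IPT=echo; TCP_IN="$1"; firewall_start )
}

case "${1:-}" in
    apply)   firewall_start ;;
    dry-run) firewall_dry_run "$TCP_IN" ;;
    *)       echo "usage: $0 {apply|dry-run}" >&2 ;;
esac
```

With this layout step 4 becomes "sudo /root/firewall.start apply", and "/root/firewall.start dry-run" shows the rules without touching the kernel. The LOG rule is rate-limited so a flood cannot fill /var/log, and the INVALID drop comes before the whitelist so state-less junk never reaches an ACCEPT rule.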


5. use iptables-save to write the rules to a file in the format iptables-restore reads

sudo sh -c "iptables-save > /etc/iptables.rules"

# restore rules with iptables-restore
# sudo iptables-restore < /etc/iptables.rules


6. to restore configuration on startup, the suggested method is to use ifup.d networking scripts, which are executed on state changes of the network interfaces.

sudo vi /etc/network/if-pre-up.d/iptables

--
#!/bin/sh

# Load iptables rules before interfaces are brought online
# This ensures that we are always protected by the firewall
#
# Note: if bad rules are inadvertently (or purposely) saved it could block
# access to the server except via the serial tty interface.
#

RESTORE=/sbin/iptables-restore
STAT=/usr/bin/stat
IPSTATE=/etc/iptables.rules

test -x $RESTORE || exit 0
test -x $STAT || exit 0

# Check permissions and ownership (rw------- for root)
if test `$STAT --format="%a" $IPSTATE` -ne "600"; then
    echo "Permissions for $IPSTATE must be 600 (rw-------)"
    exit 0
fi

# Since only the owner can read/write to the file, we can trust that it is
# secure. We need not worry about group permissions since they should be
# zeroed per our previous check; but we must make sure root owns it.
if test `$STAT --format="%u" $IPSTATE` -ne "0"; then
    echo "The superuser must have ownership for $IPSTATE (uid 0)"
    exit 0
fi

# Now we are ready to restore the tables
$RESTORE < $IPSTATE

7. restrict the permissions on the rules file (the script above refuses to load it otherwise) and make the script executable

sudo chmod 600 /etc/iptables.rules
sudo chmod +x /etc/network/if-pre-up.d/iptables

Thursday, August 30, 2007

Use ulogd to log iptables records into a MySQL database, with NuLog as the web interface

1. download and install ulogd and ulogd-mysql TESTING rpms from http://rpm.razorsedge.org/centos-5/RE-test/repodata/index.html
2. mysql -u root -p

mysql> create database ulog;

3. vi /etc/ulogd.conf

..
plugin="/usr/lib/ulogd/ulogd_MYSQL.so" #uncomment it for use
..
[MYSQL]
table="ulog"
pass=""
user="root"
db="ulog"
host="localhost"
..

4. download and install NuLog from http://software.inl.fr/trac/trac.cgi/wiki/EdenWall/NuLog

wget http://software.inl.fr/releases/Nulog/nulog-1.2.14.tar.gz
tar zxvf nulog-1.2.14.tar.gz
cd nulog-1.2.14
make install

5. create the tables from the dump shipped with NuLog

# the two commands are equivalent
cat /root/nulog-1.2.14/scripts/ulogd.mysqldump | mysql -u root -p ulog
mysql -u root -p ulog < /root/nulog-1.2.14/scripts/ulogd.mysqldump

6. /etc/init.d/ulogd start
7. cp /usr/share/edenwall-web/nulog/include/config.template.php /usr/share/edenwall-web/nulog/include/config.php
8. vi /usr/share/edenwall-web/nulog/include/config.php

..
if (!isset($lang))
$lang="en";
..
# database Host
$db_host="localhost";
# database name
$db_ulog="ulog";
# database user
$db_user="root";
# database password
$db_pwd="";
..



* create a password file for HTTP basic authentication
htpasswd -c /var/www/apache.passwd username
* cp nulog_apache.conf /etc/httpd/conf.d/nulog.conf
* vi /etc/httpd/conf.d/nulog.conf

Alias /nulog/ "/usr/share/edenwall-web/nulog/" # path
..
# Authentification
# Create file /path/to/some/file with htpasswd
AuthType Basic
AuthName "Nulog access"
AuthUserFile /var/www/apache.passwd
Require user username

Tuesday, July 24, 2007

pppoe[pid]: Bad TCP checksum someValue on CentOS

From /var/log/messages
The reason it happens is that you have short-circuited the modem to the hub, and the PPPoE protocol or software has trouble keeping things in sync because of timeouts generated by the network collisions. The solution is to separate the modem network from the home network so no collisions happen. However, CLAMPMSS=no could also help, since it can reduce overhead and thus lower timeouts (if any), though I didn't check that. Other things can help, like increasing timeouts or changing synchronization options, but it would be cheaper in time and money to just buy another Ethernet card and be done with it.

1. vi /etc/sysconfig/network-scripts/ifcfg-ppp0

..
CLAMPMSS=no
..

2. /sbin/iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Monday, July 23, 2007

Setup NAT server on Linux

1. change the value of ip_forward from 0 to 1

CentOS

echo "1" > /proc/sys/net/ipv4/ip_forward


Ubuntu

sudo vi /etc/sysctl.conf
--
..
net.ipv4.ip_forward=1
..

sudo sysctl -p # load sysctl settings

2. load related modules

/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

3. route 192.168.1.1 ~ 192.168.1.254 through ppp0

/sbin/iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -j MASQUERADE

4. if you want the above things done every time you boot the machine, you can add these into /etc/rc.local
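The four steps above, as one rc.local-style script. This is an added example, not the post's own code: it keeps the post's LAN (192.168.1.0/24) and uplink (ppp0) and adds a FORWARD policy, which the post leaves at ACCEPT, so that only LAN hosts may open connections outward, plus the MSS clamping rule from the "Bad TCP checksum" post. The LAN interface name eth1, the IPT/SYSCTL/MODPROBE overrides and the apply/dry-run arguments are assumptions; setting the three command variables to echo prints what would be done instead of doing it:

```shell
#!/bin/sh
# NAT gateway rules for /etc/rc.local (added example, not from the original post).
# Assumes the LAN 192.168.1.0/24 sits on eth1 and the uplink is ppp0, as in the
# post; the interface names and the IPT/SYSCTL/MODPROBE overrides are assumptions.
# Set the three command variables to "echo" for a dry run; applying needs root.
IPT="${IPT:-/sbin/iptables}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

nat_start() {
    # step 1 of the post: enable routing between interfaces
    $SYSCTL -w net.ipv4.ip_forward=1 || return 1

    # step 2: connection-tracking helpers so active FTP and IRC DCC survive NAT
    for m in ip_conntrack ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc; do
        $MODPROBE "$m"
    done

    # step 3: source NAT for the LAN behind the uplink
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Forwarding policy the post leaves at ACCEPT: drop packets arriving on the
    # uplink that claim a LAN source, let tracked replies through, and only let
    # the LAN open new connections towards the WAN.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # MSS clamping for the PPPoE uplink (the rule from the "Bad TCP checksum" post)
    $IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

# Dry run: print every command nat_start would execute, one per line.
nat_dry_run() {
    ( IPT=echo; SYSCTL=echo; MODPROBE=echo; nat_start )
}

case "${1:-}" in
    apply)   nat_start ;;
    dry-run) nat_dry_run ;;
    *)       echo "usage: $0 {apply|dry-run}" >&2 ;;
esac
```

Run it as "sh /path/to/script apply" from /etc/rc.local; "dry-run" prints the eleven commands for review. The spoof-drop rule sits before the ESTABLISHED,RELATED accept on purpose, so a forged packet from the uplink cannot ride an existing conntrack entry into the LAN.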

Thursday, July 12, 2007

Install PeerGuardian Linux on CentOS

1. yum install libnfnetlink-devel
2. download latest libnetfilter_queue from http://www.netfilter.org/projects/libnetfilter_queue/downloads.html
3. tar -jxvf libnetfilter_queue-0.0.13.tar.bz2
4. change to the directory where you extracted the file, then run

./configure
make
make install

5. mv /usr/local/lib/libnetfilter_queue* /usr/lib
6. download MoBlock from http://moblock.berlios.de/
7. tar -jxvf MoBlock-0.8-i586.tar.bz2
8. in the directory where you extracted the files, build MoBlock with:

make
make install

9. mkdir /etc/moblock
10. vi /etc/moblock/lists

# find various blocklists at
# http://www.bluetack.co.uk/forums/index.php?act=dscriptca&CODE=viewcat&cat_id=4
http://www.bluetack.co.uk/config/level1.gz

11. touch /etc/moblock/whitelist
12. vi /etc/init.d/moblock ( edit the WHITE_... variables to whitelist certain ports. )

#!/bin/sh
#
# moblock      This shell script takes care of starting and stopping moblock.
#
# chkconfig: 345 30 70
# description: MoBlock is an application that enables you to block internet \
#              traffic based on large lists of ip address ranges in order to \
#              protect your privacy.
# processname: moblock
#

ACTIVATE_CHAINS=1
MODE="nfq"
WHITE_TCP_IN=""
WHITE_UDP_IN=""
WHITE_TCP_OUT="21 22 80 110 443"
WHITE_UDP_OUT="123"
WHITE_TCP_FORWARD=""
WHITE_UDP_FORWARD=""

PIDF="/var/run/moblock.pid"
LIST="/etc/moblock/guarding.p2p"
PRG="moblock"
LOG="/var/log/$PRG"
BIN="/usr/bin/$PRG"
CMD="$BIN -p $LIST $LOG >/dev/null &"


# Source function library.
. /etc/rc.d/init.d/functions


fail () {
    failure "$2"
    echo
    [ -n "$1" ] && echo "$1"
}

iptables_init () {
    # pick the userspace queue target that matches the mode MoBlock was built for
    if [ "$MODE" = "ipq" ]; then
        modprobe ip_queue
        TARGET="QUEUE"
    elif [ "$MODE" = "nfq" ]; then
        modprobe ipt_NFQUEUE
        TARGET="NFQUEUE"
    fi
    modprobe ipt_state
    iptables -N MOBLOCK_IN
    iptables -N MOBLOCK_OUT
    iptables -N MOBLOCK_FW
    # only NEW connections are handed to MoBlock; established flows pass untouched
    if [ $ACTIVATE_CHAINS -eq 1 ]; then
        iptables -I INPUT -p all -m state --state NEW -j MOBLOCK_IN
        iptables -I OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
        iptables -I FORWARD -p all -m state --state NEW -j MOBLOCK_FW
    fi
    iptables -I MOBLOCK_IN -p all -j $TARGET
    iptables -I MOBLOCK_OUT -p all -j $TARGET
    iptables -I MOBLOCK_FW -p all -j $TARGET

    # whitelisted ports are inserted above the queue rule, so they bypass MoBlock
    for PORT in $WHITE_TCP_OUT; do
        iptables -I MOBLOCK_OUT -p tcp --dport $PORT -j ACCEPT
    done
    for PORT in $WHITE_UDP_OUT; do
        iptables -I MOBLOCK_OUT -p udp --dport $PORT -j ACCEPT
    done

    for PORT in $WHITE_TCP_IN; do
        iptables -I MOBLOCK_IN -p tcp --dport $PORT -j ACCEPT
    done
    for PORT in $WHITE_UDP_IN; do
        iptables -I MOBLOCK_IN -p udp --dport $PORT -j ACCEPT
    done

    for PORT in $WHITE_TCP_FORWARD; do
        iptables -I MOBLOCK_FW -p tcp --dport $PORT -j ACCEPT
    done
    for PORT in $WHITE_UDP_FORWARD; do
        iptables -I MOBLOCK_FW -p udp --dport $PORT -j ACCEPT
    done

    # Loopback traffic fix
    iptables -I INPUT -p all -i lo -j ACCEPT
    iptables -I OUTPUT -p all -o lo -j ACCEPT
}

iptables_reset () {
    if [ $ACTIVATE_CHAINS -eq 1 ]; then
        iptables -D INPUT -p all -m state --state NEW -j MOBLOCK_IN
        iptables -D OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
        iptables -D FORWARD -p all -m state --state NEW -j MOBLOCK_FW
    fi
    iptables -D INPUT -p all -i lo -j ACCEPT
    iptables -D OUTPUT -p all -o lo -j ACCEPT
    iptables -F MOBLOCK_IN
    iptables -X MOBLOCK_IN
    iptables -F MOBLOCK_OUT
    iptables -X MOBLOCK_OUT
    iptables -F MOBLOCK_FW
    iptables -X MOBLOCK_FW
}

start () {
    echo -n $"Starting MoBlock: "
    if ! [ -x "$BIN" ]; then
        fail "Can't execute $BIN" "$PRG startup"
        return 1
    fi
    if ! [ -f "$LIST" ]; then
        fail "Can't find $LIST" "$PRG startup"
        return 1
    fi
    if [ -f "$PIDF" ]; then
        PID=`cat "$PIDF"`
        if ps -p $PID >/dev/null; then
            fail "$PIDF exists and $PRG is running." "$PRG startup"
            return 1
        fi
    fi
    iptables_init
    daemon "$CMD"
    RETVAL=$?
    echo
    return $RETVAL
}

stop () {
    echo -n $"Stopping MoBlock: "
    killproc -p "$PIDF" "$PRG"
    RETVAL=$?
    echo
    # only tear down the chains once no MoBlock process is left
    if ! pidof "$PRG"; then
        iptables_reset 2>/dev/null 1>&2
    fi
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload)
        if [ -f "$PIDF" ]; then
            kill -HUP `cat "$PIDF"`
            RETVAL=$?
        fi
        ;;
    restart)
        stop
        start
        RETVAL=$?
        ;;
    condrestart)
        # restart only if already running
        if [ -f "$PIDF" ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
    status)
        status $PRG
        RETVAL=$?
        ;;
    top)
        if [ -f "$PIDF" ]; then
            a=""
            for i in `pidof $PRG`; do
                a="$a -p $i"
            done
            top $a
        fi
        ;;
    *)
        echo $"Usage: $0 {start|stop|reload|restart|condrestart|status|top}"
        exit 1
esac

exit $RETVAL

13. chmod +x /etc/init.d/moblock
14. vi /etc/cron.daily/moblock

#!/bin/bash

LURLS="/etc/moblock/lists"
WLIST="/etc/moblock/whitelist"
LIST="/etc/moblock/guarding.p2p"

CACHE="/var/spool/moblock/cache"
FMD5=".md5sum"
DLDIR="dl"

RELOADCMD="/sbin/service moblock reload"

# Print the contents of each NUL-separated file name read from stdin,
# transparently unpacking gzip and zip archives by their magic bytes.
acat () {
    while read -r -d $'\0' fn; do
        if [ "$(head -c 2 "$fn")" = $'\x1f\x8b' ]; then
            gunzip -c "$fn"
        elif [ "$(head -c 4 "$fn")" = $'\x50\x4b\x03\x04' ]; then
            unzip -p "$fn"
        else
            cat "$fn"
        fi
    done
}

download () {
    MD5SUM=`md5sum "$LURLS" | cut -c -32`
    if [ -f "./$FMD5" ]; then
        if [ `cat "$FMD5"` != $MD5SUM ]; then
            # The list source file has changed.
            # Clean the dl directory.
            rm "./$DLDIR"/*
        fi
    elif [ `ls -A . | wc -l` -gt 0 ]; then
        # There's no md5 file, but the directory is not empty.
        # Something's wrong, bail out.
        echo "$(pwd) is not empty." >/dev/stderr
        exit 1
    fi
    echo $MD5SUM >"./$FMD5"
    wget -nv -N -t 3 -w 1 -T 120 -P "./$DLDIR" -i "$LURLS"
}

# Merge every downloaded list, strip whitelisted entries and hand the
# result to the daemon.
reload () {
    find "./$DLDIR" -type f -print0 | acat | dos2unix | nice uniq | \
        (nice grep -a -v -f "$WLIST" 2>/dev/null || cat) >"$LIST"
    $RELOADCMD
}

if ! [ -f "$LURLS" ]; then
    echo "Can't find $LURLS" >/dev/stderr
    exit 1
fi
mkdir -p "$CACHE"
pushd "$CACHE" >/dev/null || exit 1
case "$1" in
    reload | nodownload)
        reload
        ;;
    '' | download)
        download
        reload
        ;;
    *)
        echo $"Usage: $0 [reload]"
        exit 1
esac
popd >/dev/null

15. chmod +x /etc/cron.daily/moblock
16. before you can start the MoBlock service, you first need to download the lists

/etc/cron.daily/moblock

17. make MoBlock start on boot

/sbin/chkconfig --add moblock

18. to control the MoBlock service, use service moblock COMMAND, where COMMAND is one of the following:
* start – start MoBlock.
* stop – stop MoBlock.
* reload – reload the blocklist, reset the stats and reopen the log file.
* restart – restart MoBlock. Note that this will start MoBlock even if it was not already running.
* condrestart – restart MoBlock if it is already running.
* status – show whether MoBlock is running or not.
* top – show MoBlock's CPU usage, memory usage, etc.

Add firewall rules for aMule in order to get a HighID on CentOS

1. Insert iptables rules:

/sbin/iptables -I RH-Firewall-1-INPUT -p tcp --dport 4662 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -p udp --dport 4665 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -p udp --dport 4672 -j ACCEPT

2. Save the running rules to /etc/sysconfig/iptables (this uses iptables-save)

/sbin/service iptables save

3. Restart iptables

/etc/init.d/iptables restart