2007年7月12日 星期四

Install PeerGuardian Linux on CentOS

1. yum install libnfnetlink-devel
2. download the latest libnetfilter_queue from http://www.netfilter.org/projects/libnetfilter_queue/downloads.html
3. tar -jxvf libnetfilter_queue-0.0.13.tar.bz2
4. change to the directory where you extracted the files, then run:

./configure
make
make install

5. mv /usr/local/lib/libnetfilter_queue* /usr/lib
6. download MoBlock from http://moblock.berlios.de/
7. tar -jxvf MoBlock-0.8-i586.tar.bz2
8. in the directory where you extracted the files, build MoBlock with:

make
make install

9. mkdir /etc/moblock
10. vi /etc/moblock/lists

# find various blocklists at
# http://www.bluetack.co.uk/forums/index.php?act=dscriptca&CODE=viewcat&cat_id=4
http://www.bluetack.co.uk/config/level1.gz

11. touch /etc/moblock/whitelist
12. vi /etc/init.d/moblock (edit the WHITE_* variables to whitelist specific ports)

#!/bin/sh
#
# moblock This shellscript takes care of starting and stopping moblock.
#
# chkconfig: 345 30 70
# description: MoBlock is an application that enables you to block internet \
# traffic based on large lists of ip address ranges in order to \
# protect your privacy.
# processname: moblock
#

# --- behaviour switches ---------------------------------------------------
ACTIVATE_CHAINS=1   # 1: hook the MOBLOCK_* chains into INPUT/OUTPUT/FORWARD
MODE="nfq"          # "nfq" (ipt_NFQUEUE) or "ipq" (ip_queue), see iptables_init

# --- ports that bypass the blocklist (space separated, one list per chain) -
WHITE_TCP_IN=""
WHITE_UDP_IN=""
WHITE_TCP_OUT="21 22 80 110 443"
WHITE_UDP_OUT="123"
WHITE_TCP_FORWARD=""
WHITE_UDP_FORWARD=""

# --- daemon locations -----------------------------------------------------
PRG="moblock"
BIN="/usr/bin/${PRG}"
LOG="/var/log/${PRG}"
LIST="/etc/moblock/guarding.p2p"
PIDF="/var/run/moblock.pid"
# Handed to daemon() as a single string; the redirect and the trailing '&'
# are part of the command line.
CMD="${BIN} -p ${LIST} ${LOG} >/dev/null &"


# Source function library.
. /etc/rc.d/init.d/functions


#######################################
# Report a failed step in the style of the functions library.
# Arguments: $1 - message for the operator, printed when non-empty
#            $2 - label handed to failure()
# Outputs:   the failure() marker, a newline, then $1 on its own line
# Returns:   status of the final test, i.e. 1 when $1 is empty
#            (callers ignore it and return their own status)
#######################################
fail() {
  local message=$1
  local label=$2
  failure "$label"
  echo
  [ -n "$message" ] && echo "$message"
}

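#######################################
# Create the MOBLOCK_* chains and queue new connections to the daemon.
# Globals:   MODE (read) selects the queue target; ACTIVATE_CHAINS (read)
#            decides whether INPUT/OUTPUT/FORWARD jump into the chains;
#            WHITE_*_{IN,OUT,FORWARD} (read) list ports that are accepted
#            before queueing; TARGET (written) is the chosen iptables target.
# Returns:   1 when MODE is neither "ipq" nor "nfq" (nothing is touched),
#            otherwise the status of the last iptables call.
#######################################
iptables_init() {
  case "$MODE" in
    ipq)
      modprobe ip_queue
      TARGET="QUEUE"
      ;;
    nfq)
      modprobe ipt_NFQUEUE
      TARGET="NFQUEUE"
      ;;
    *)
      # Without this guard an unknown MODE left TARGET empty and every
      # "-j $TARGET" rule below failed one by one.
      echo "$PRG: unknown MODE '$MODE' (expected ipq or nfq)" >&2
      return 1
      ;;
  esac
  modprobe ipt_state
  iptables -N MOBLOCK_IN
  iptables -N MOBLOCK_OUT
  iptables -N MOBLOCK_FW
  if [ "$ACTIVATE_CHAINS" -eq 1 ]; then
    iptables -I INPUT -p all -m state --state NEW -j MOBLOCK_IN
    iptables -I OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
    iptables -I FORWARD -p all -m state --state NEW -j MOBLOCK_FW
  fi
  iptables -I MOBLOCK_IN -p all -j "$TARGET"
  iptables -I MOBLOCK_OUT -p all -j "$TARGET"
  iptables -I MOBLOCK_FW -p all -j "$TARGET"

  # Each whitelist rule is inserted at the head of its chain, so it is
  # evaluated before the queue rule added above.
  _moblock_whitelist MOBLOCK_OUT tcp "$WHITE_TCP_OUT"
  _moblock_whitelist MOBLOCK_OUT udp "$WHITE_UDP_OUT"
  _moblock_whitelist MOBLOCK_IN tcp "$WHITE_TCP_IN"
  _moblock_whitelist MOBLOCK_IN udp "$WHITE_UDP_IN"
  _moblock_whitelist MOBLOCK_FW tcp "$WHITE_TCP_FORWARD"
  _moblock_whitelist MOBLOCK_FW udp "$WHITE_UDP_FORWARD"

  # Loopback traffic fix: inserted last so it sits in front of the jumps.
  iptables -I INPUT -p all -i lo -j ACCEPT
  iptables -I OUTPUT -p all -o lo -j ACCEPT
}

#######################################
# Insert one ACCEPT rule per port at the head of a chain.
# Arguments: $1 - chain name
#            $2 - protocol (tcp|udp)
#            $3 - space separated port list; may be empty
#######################################
_moblock_whitelist() {
  local chain=$1
  local proto=$2
  local port
  # $3 is intentionally unquoted: it is a whitespace separated list.
  for port in $3; do
    iptables -I "$chain" -p "$proto" --dport "$port" -j ACCEPT
  done
}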

#######################################
# Undo iptables_init: remove the jumps and the loopback rules, then flush
# and delete the MOBLOCK_* chains.
# Globals:   ACTIVATE_CHAINS (read) - only then were the jumps installed
# Returns:   status of the last iptables call
#######################################
iptables_reset() {
  local chain
  if [ "$ACTIVATE_CHAINS" -eq 1 ]; then
    iptables -D INPUT -p all -m state --state NEW -j MOBLOCK_IN
    iptables -D OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
    iptables -D FORWARD -p all -m state --state NEW -j MOBLOCK_FW
  fi
  iptables -D INPUT -p all -i lo -j ACCEPT
  iptables -D OUTPUT -p all -o lo -j ACCEPT
  # A chain must be empty before -X can delete it.
  for chain in MOBLOCK_IN MOBLOCK_OUT MOBLOCK_FW; do
    iptables -F "$chain"
    iptables -X "$chain"
  done
}

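#######################################
# Start the daemon after installing the iptables chains.
# Globals:   BIN, LIST, PIDF, PRG, CMD (read); PID (written) holds the
#            value read from PIDF; RETVAL (written) is daemon()'s status
# Outputs:   progress line on stdout in the functions-library style
# Returns:   1 when BIN is not executable, LIST is missing or a process
#            with the pid from PIDF is still alive; otherwise daemon()'s status
#######################################
start() {
  echo -n $"Starting MoBlock: "
  if ! [ -x "$BIN" ]; then
    fail "Can't execute $BIN" "$PRG startup"
    return 1
  fi
  if ! [ -f "$LIST" ]; then
    fail "Can't find $LIST" "$PRG startup"
    return 1
  fi
  if [ -f "$PIDF" ]; then
    PID=$(cat "$PIDF")
    # An empty pid file is treated as stale instead of being handed to
    # `ps -p` with no argument.
    if [ -n "$PID" ] && ps -p "$PID" >/dev/null; then
      fail "$PIDF exists and $PRG is running." "$PRG startup"
      return 1
    fi
  fi
  iptables_init
  # daemon() from the functions library runs CMD as a single command string.
  daemon "$CMD"
  RETVAL=$?
  echo
  return $RETVAL
}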

#######################################
# Stop the daemon and, once no process of that name is left, tear the
# iptables chains down again.
# Globals:   PIDF, PRG (read); RETVAL (written) is killproc's status
# Outputs:   progress line on stdout; pidof's output is not silenced
# Returns:   killproc's status
#######################################
stop() {
  echo -n $"Stopping MoBlock: "
  killproc -p "$PIDF" "$PRG"
  RETVAL=$?
  echo
  # The reset is silenced entirely: rules may already be gone.
  pidof "$PRG" || iptables_reset >/dev/null 2>&1
  return $RETVAL
}

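# Dispatch on the action word. RETVAL is initialised here and set by every
# branch that produces a status; previously start/stop left it unset and
# `exit $RETVAL` only worked because a bare `exit` reuses the last status.
RETVAL=0
case "$1" in
  start)
    start
    RETVAL=$?
    ;;
  stop)
    stop
    RETVAL=$?
    ;;
  reload)
    # SIGHUP asks the running daemon to reread the blocklist; nothing
    # happens (status 0) when no pid file exists.
    if [ -f "$PIDF" ]; then
      kill -HUP "$(cat "$PIDF")"
      RETVAL=$?
    fi
    ;;
  restart)
    stop
    start
    RETVAL=$?
    ;;
  condrestart)
    # restart only if already running
    if [ -f "$PIDF" ]; then
      stop
      start
      RETVAL=$?
    fi
    ;;
  status)
    status "$PRG"
    RETVAL=$?
    ;;
  top)
    # Build "-p PID -p PID ..." for every live moblock process.
    if [ -f "$PIDF" ]; then
      pids=""
      for i in $(pidof "$PRG"); do
        pids="$pids -p $i"
      done
      top $pids
    fi
    ;;
  *)
    echo $"Usage: $0 {start|stop|reload|restart|condrestart|status|top}"
    exit 1
    ;;
esac

exit $RETVAL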

13. chmod +x /etc/init.d/moblock
14. vi /etc/cron.daily/moblock

#!/bin/bash

# Inputs
LURLS="/etc/moblock/lists"          # one blocklist URL per line, fed to wget -i
WLIST="/etc/moblock/whitelist"      # grep -f patterns dropped from the merged list

# Output read by the moblock daemon
LIST="/etc/moblock/guarding.p2p"

# Download cache; the script works with this directory as cwd
CACHE="/var/spool/moblock/cache"
DLDIR="dl"                          # wget -P target inside CACHE
FMD5=".md5sum"                      # md5 of LURLS as seen by the previous run

# Executed after LIST has been rewritten
RELOADCMD="/sbin/service moblock reload"

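#######################################
# Concatenate a NUL-separated list of files, transparently decompressing
# gzip (magic 1f 8b) and zip (magic 50 4b 03 04) members; anything else is
# copied through unchanged.
# Inputs:    NUL-terminated file names on stdin (e.g. from find -print0)
# Outputs:   the files' contents, in input order, on stdout
#######################################
acat() {
  local fn
  # IFS= keeps leading/trailing whitespace in the name; without it read
  # trims the name and such a file is reported as missing.
  while IFS= read -r -d '' fn; do
    if [ "$(head -c 2 "$fn")" = $'\x1f\x8b' ]; then
      gunzip -c "$fn"
    elif [ "$(head -c 4 "$fn")" = $'\x50\x4b\x03\x04' ]; then
      unzip -p "$fn"
    else
      cat "$fn"
    fi
  done
}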

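#######################################
# Fetch every URL listed in LURLS into the cache directory (cwd).
# The md5 of LURLS from the previous run is kept in FMD5; when the list of
# URLs changed, the cached downloads are discarded first so stale files
# are not merged into the blocklist. The downloaded files are used as-is:
# nothing here checks their integrity, so the list is only as trustworthy
# as the sources and transports in LURLS.
# Globals:   LURLS, FMD5, DLDIR (read); MD5SUM (written)
# Outputs:   wget progress (-nv) on stderr
# Returns:   wget's status; exits 1 when no FMD5 exists but the cache
#            directory already holds files (refuses to touch foreign data)
#######################################
download() {
  MD5SUM=$(md5sum "$LURLS" | cut -c -32)
  if [ -f "./$FMD5" ]; then
    if [ "$(cat "./$FMD5")" != "$MD5SUM" ]; then
      # The list source file has changed: clean the dl directory.
      # -f keeps an already empty directory from producing an error.
      rm -f -- "./$DLDIR"/*
    fi
  elif [ -n "$(ls -A .)" ]; then
    # There's no md5 file, but the directory is not empty.
    # Something's wrong, bail out.
    echo "$(pwd) is not empty." >&2
    exit 1
  fi
  printf '%s\n' "$MD5SUM" >"./$FMD5"
  # -N only refetches files the server reports as newer than the cached copy.
  wget -nv -N -t 3 -w 1 -T 120 -P "./$DLDIR" -i "$LURLS"
}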

#######################################
# Merge every cached download into LIST and tell the daemon to reload.
# Each file is decompressed by acat, converted to LF line endings, stripped
# of adjacent duplicate lines and filtered against the whitelist. If grep
# fails (for example an unreadable WLIST) cat forwards whatever input grep
# has not consumed, so a whitelist problem does not abort the rebuild.
# Globals:   DLDIR, WLIST, LIST, RELOADCMD (read)
# Returns:   status of RELOADCMD
#######################################
reload() {
  find "./$DLDIR" -type f -print0 \
    | acat \
    | dos2unix \
    | nice uniq \
    | ( if ! nice grep -a -v -f "$WLIST" 2>/dev/null; then cat; fi ) \
    >"$LIST"
  # Unquoted on purpose: RELOADCMD is a command line, not a single word.
  $RELOADCMD
}

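# Entry point. Works inside CACHE; with no argument (the cron.daily case)
# the lists are downloaded and merged, "reload"/"nodownload" only merge
# what is already cached. Diagnostics go to stderr so cron mails them.
if ! [ -f "$LURLS" ]; then
  echo "Can't find $LURLS" >&2
  exit 1
fi
mkdir -p "$CACHE"
pushd "$CACHE" >/dev/null || exit 1
case "$1" in
  reload | nodownload)
    reload
    ;;
  '' | download)
    download
    reload
    ;;
  *)
    # The usage text now names every accepted action.
    echo $"Usage: $0 [download|reload|nodownload]" >&2
    exit 1
    ;;
esac
popd >/dev/null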

15. chmod +x /etc/cron.daily/moblock
16. before you can start the MoBlock service, download the blocklists once by running:

/etc/cron.daily/moblock

17. make MoBlock start on boot:

/sbin/chkconfig --add moblock

18. to control the MoBlock service, run "service moblock COMMAND", where COMMAND is one of the following:
* start – start MoBlock.
* stop – stop MoBlock.
* reload – reload the blocklist, reset the stats and reopen the log file.
* restart – restart MoBlock. Note that this will start MoBlock even if it was not already running.
* condrestart – restart MoBlock if it is already running.
* status – show whether MoBlock is running or not.
* top – show MoBlock's CPU usage, memory usage, etc.
