MoBlock is deprecated. It's official successor is PeerGuardian Linux (pgl). It is highly recommended to use pgl instead of MoBlock. You'll find the contents of this page and more on the official wiki of the peerguardian project].

Therefore I will not maintain this page any more. jre, pgl developer

MoBlock is an application that enables you to block internet traffic based on large lists of IP address ranges in order to protect your privacy. It uses a file in PeerGuardian format (guarding.p2p) or an ipfilter.dat.

The new PeerGuardian Linux is the official successor and based on the MoBlock fork NFBlock, blockcontrol and mobloquer. The usage is nearly identical, just type "pglcmd" instead of "blockcontrol". The configuration files are in /etc/pgl/.

You may also try iplist by uljanow.

Note: Since version 0.9 RC1 MoBlock no longer conflicts with other firewalls. But you have to make sure that MoBlock is started after them and the iptables rules don't get changed later. Also consider that routers can make software firewalls on your computer redundant.

Packages for pgl are available for

  • Ubuntu 12.10 ("Quantal Quetzal")
  • Ubuntu 12.04 ("Precise Pangolin")
  • Ubuntu 11.10 ("Oneiric Ocelot")
  • Ubuntu 11.04 ("Natty Narwhal")
  • Ubuntu 10.04 ("Lucid Lynx")

Moblock packages are automatically transitioned to pgl on these distributions.

Packages for moblock, blockcontrol and mobloquer are also available for:

  • Ubuntu 8.04 ("Hardy Heron")

Install the packages

Add the ppa to your system's Software Sources

All current Ubuntu versions starting with Ubuntu 10.04 ("Lucid Lynx")

  • sudo add-apt-repository ppa:jre-phoenix/ppa

Ubuntu 8.04 ("Hardy Heron")

Add the sources

You have to add the repository sources. So edit /etc/apt/sources.list:

  • gksu gedit /etc/apt/sources.list

In Kubuntu, replace gksu with kdesu.

And add these two lines:

  • deb http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu hardy main
    deb-src http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu hardy main

Add the gpg key to the apt keyring

Type the following in terminal:

  • gpg --keyserver keyserver.ubuntu.com --recv 9C0042C8
    gpg --export --armor 9C0042C8 | sudo apt-key add -

All Ubuntu distributions

If your package manager complains about missing dependencies (libnetfilter-queue and libnfnetlink), you need to add the "universe" section entry to /etc/apt/sources.list (replace YOURDIST with e.g. lucid or maverick):

  • deb http://archive.ubuntu.com YOURDIST main universe

Update your system's Software Sources

Run this command (on command line) to update the list of available packages:

  • sudo apt-get update

Install the packages

You can still install the packages "moblock", "blockcontrol" and "mobloquer". To use the new PeerGuardian Linux follow all instructions on this page, but install the packages "pgld", "pglcmd" and "pgl-gui" instead.

Use the instructions at the InstallingSoftware page under Installing downloaded packages

Compile a package

If you want to make your own MoBlock binary package from source and install it, you can use the following instructions. Most users will not need to compile a package, but this can be used for unsupported architectures or for an older release (you may also have to compile netfilter lib packages).

First, make sure you have added a source repository for your release. Then, run the following in terminal.

  • mkdir ~/moblock-deb-packages
    cd ~/moblock-deb-packages
    
    sudo apt-get update
    sudo apt-get install fakeroot
    sudo apt-get build-dep -y moblock blockcontrol mobloquer
    
    apt-get source moblock blockcontrol mobloquer
    
    cd ~/moblock-deb-packages/moblock-0.9~rc2
    dpkg-buildpackage -uc -us -tc -rfakeroot
    sudo dpkg -i ~/moblock-deb-packages/moblock_0.9~rc2-*.deb
    
    cd ~/moblock-deb-packages/blockcontrol-1.3
    dpkg-buildpackage -uc -us -tc -rfakeroot
    sudo dpkg -i ~/moblock-deb-packages/blockcontrol_*_all.deb
    
    cd ~/moblock-deb-packages/mobloquer-0.6
    dpkg-buildpackage -uc -us -tc -rfakeroot
    sudo dpkg -i ~/moblock-deb-packages/mobloquer_*.deb
    
    sudo apt-get install -f

Some of these commands can be combined into one, but this lets you make changes like adding a patch if necessary and explains the process better.

Explanation: in your home directory the directory moblock-deb-packages is created. Then the current working directory is changed to it. The development dependencies of the packages moblock, blockcontrol and mobloquer are then installed. Then the three source packages are downloaded. For the three packages one after the other the current working directory is changed to the source directory, the source and binary packages are built and the package is installed. As a last step eventually missing dependencies are installed.

Configuration and Usage

blockcontrol features include:

  • start and stop MoBlock (including handling of the iptables rules if desired)

  • update the specified blocklists from online sources
  • use local blocklists
  • modify the blocklist and whitelist IPs and ports

The logfiles are rotated daily.

In the default configuration MoBlock starts at system boot and some preconfigured blocklists are updated once a day. You can specify the blocklists to use in /etc/blockcontrol/blocklists.list. Everything else (automatic start and update, iptables handling, IP and port whitelisting) is configured in /etc/blockcontrol/blockcontrol.conf. This is important especially if MoBlock blocks sites that it should not block. A list of all available configuration options is in /usr/lib/blockcontrol/blockcontrol.defaults (Don't edit the latter file, but put your changes in /etc/blockcontrol/blockcontrol.conf.)

Start MoBlock

  • sudo blockcontrol start

Stop MoBlock

  • sudo blockcontrol stop

Restart MoBlock

  • sudo blockcontrol restart

Rebuild Blocklist

  • sudo blockcontrol reload

Moblock is then reloaded.

Update Blocklists

  • sudo blockcontrol update

Moblock is then reloaded.

MoBlock Status

  • sudo blockcontrol status

It receives the iptables settings and the status of the MoBlock daemon.

Test MoBlock

  • sudo blockcontrol test

The test has been known to have problems in older versions of MoBlock. Look at the log to check if you are unsure. This can be done interactively (this command will show you the log in real-time).

  • tail -f /var/log/moblock.log

Search in the blocklists

  • sudo blockcontrol search PATTERN

Search for a pattern in your blocklists. This helps you to find out, which blocklist is responsible for a certain block.

Note: If you don't need a GUI you should use the new PeerGuardian Linux (it's by the same authors). The usage is nearly identical, just type "pglcmd" instead of "blockcontrol". The configuration files are in /etc/pgl/.

Frequently Asked Questions (FAQ)

I cannot connect to the internet any more!

MoBlock may block your complete LAN, including your router, gateway and/or DNS server. Normally this traffic is whitelisted automatically as long as you keep the default setting WHITE_LOCAL="1". But if you have problems follow these instructions:

You have to whitelist your LAN. If you don't know your local IP check it with "sudo ip addr". It's the value after "inet" of the interface that you use for networking. For wired connections this might be "eth0", for wireless connections "wlan0".

Example: You found out that your IP is 192.168.0.39. Then your LAN will most probably cover the IP range 192.168.0.1-192.168.0.255. Then you need to whitelist this range for incoming and outgoing connections.

Edit /etc/blockcontrol/blockcontrol.conf (in Kubuntu, replace gksu with kdesu)

  • gksu gedit /etc/blockcontrol/blockcontrol.conf

and add these lines:

  • WHITE_IP_IN="192.168.0.0/24"
    WHITE_IP_OUT="192.168.0.0/24"

Do a

  • blockcontrol restart

when you have changed these settings.

Some applications cannot connect to the internet any more!

There are several possibilities to solve your problems:

  1. Use less or other blocklists
  2. Whitelist IPs
  3. Whitelist ports
  4. Advanced whitelisting

For each possibility you can learn how to do it in another question here on the page. But now, which is the best solution for you?

Generally you should first decide on the correct set of blocklists. The default setting is quite paranoid, so you may choose less blocklists.

Now, if you need to allow (whitelist) certain traffic, it depends on the application that has problems: If the application only needs to connect to one or a few servers, with fixed IPs, then you should whitelist IPs. There are also some allow lists (e.g. for some games) e.g. on iblocklist.com.

But if you want to connect to many other computers, where you don't know the IP, or where the IPs may be even changing frequently, then you should do port whitelisting. Per default moblock whitelists the outgoing http (80) and https (443) ports, in order to allow an easier websurfing. Keep in mind that malicious hosts may abuse these ports for their own purposes.

MoBlock closed the port for my torrent client. How do I open it again?

Don't do that! Why did you install MoBlock? Probably to check your torrent client's traffic. Right!? So you must not open that port. Otherwise you could just uninstall Moblock, the effect would be nearly the same.

MoBlock does not close ports. It checks all traffic for certain IPs. So on the same port some traffic from good IPs is allowed, and some from bad IPs is blocked. So you could just ignore the "closed port" warning.

What happens on your side is, that your torrent client tells an testhost to try to connect to you. Now, probably this testhost is in the blocklist, so it gets blocked. This does not necessarily imply that this testhost is evil, because MoBlock from moblock-deb.sourceforge.net has quite a paranoid default blocklist setup.

Solution 1:Only choose those blocklists that you really want to use.

Solution 2: Check the logfile in mobloquer when you do the port check in azureus. Some IP should get blocked then. Just allow this IP.

How do I find out which IP or port was blocked?

To learn, what gets blocked I recommend that you use mobloquer. There you see live every blocked IP and you can whitelist it directly.

Or you follow the logfile live

  • tail -f /var/log/moblock.log

There you can see which IP gets blocked.

You can even get more information about what is being blocked. First you need to set in /etc/blockcontrol/blockcontrol.conf

  • LOG_IPTABLES="LOG --log-level info"

and do a

  • sudo blockcontrol restart

Then you can issue

  • sudo tail -f /var/log/syslog

Now you can see live the IP, the port, and protocol of blocked packets. Further you can see whether it is an incoming or outgoing connection. With this information you can do the whitelisting that is described in other questions here.

How do I choose what blocklists to use?

To find out which blocklist is responsible for a blocked packet, have a look at the DESCRIPTION of the blocked packet in /var/log/moblock.log and then issue

  • blockcontrol search DESCRIPTION

This will give you the name of the blocklist.

You can learn more about available blocklists in /usr/share/doc/blockcontrol/README.blocklists.gz or on http://iblocklist.com/.

When you have decided which blocklists you want to use you edit /etc/blockcontrol/blocklists.list

  • gksu gedit /etc/blockcontrol/blocklists.list

In Kubuntu, replace gksu with kdesu.

Uncomment the blocklists, that is, remove the hash (#) to enable certain blocklists or comment them out by adding a hash before the blocklists to disable them.

Do a

  • sudo blockcontrol reload

when you have changed these settings.

How can I allow (whitelist) traffic on certain ports?

If the IP address that your application is trying to reach is in the blocklist, it will be blocked. But you can allow traffic for specific ports. The ports 80 (http) and 443 (https) are whitelisted by default. To allow traffic also on other ports edit /etc/blockcontrol/blockcontrol.conf (in Kubuntu, replace gksu with kdesu)

  • gksu gedit /etc/blockcontrol/blockcontrol.conf

and add/edit this line:

  • WHITE_TCP_OUT="http https"

Do a

  • blockcontrol restart

when you have changed these settings.

See? By default port 80 and 443 (also called http and https) is configured, for outgoing connections. In effect, you can browse blocked IPs, with firefox/konqueror or any other browser. If you have an application, that connects to many different IPs, then this is the place to allow traffic for it. If you want to put a range of ports, use the format "startport:endport".

List of port numbers at wikipedia.

Do not add the privacy needing application's port here (for most people this will be torrent and other P2P tools)! It's the point of MoBlock to check their traffic. Keep the list small, to get a better protection.

How can I allow (whitelist) traffic to certain IPs?

Find out what you want to whitelist by checking /var/log/moblock.log. This can be done interactively (this command will show you the log in real-time).

  • tail -f /var/log/moblock.log

There are 3 different ways:

1. Whitelist an IP range in allow.p2p

This is also the correct place for allow lists!

Edit /etc/blockcontrol/allow.p2p (in Kubuntu, replace gksu with kdesu)

  • gksu gedit /etc/blockcontrol/allow.p2p

If you want to whitelist the IP range "192.168.178.1 - 192.168.178.255 and the IP 123.123.123.123 add this:

  • 192.168.178.1-192.168.178.255
    123.123.123.123-123.123.123.123

Do a

  • sudo blockcontrol restart

when you have changed these settings.

2. Whitelist an IP

Edit /etc/blockcontrol/blockcontrol.conf (in Kubuntu, replace gksu with kdesu)

  • gksu gedit /etc/blockcontrol/blockcontrol.conf

To whitelist IPs add the following variables:

  • WHITE_IP_IN=""
    WHITE_IP_OUT=""
    WHITE_IP_FORWARD=""

Insert e.g. "192.168.178.1" to whitelist a single IP, or e.g. "192.168.178.0/24" to whitelist an IP range (192.168.178.0 - 192.168.178.255) or e.g. "192.168.0.0/16" to whitelist a bigger IP range (192.168.0.0 - 192.168.255.255)

Separate IP addresses with a whitespace. So you might have an entry like this:

  • WHITE_IP_IN="192.168.0.0/24"
    WHITE_IP_OUT="192.168.0.0/24 123.123.123.123 234.234.234.234"

Do a

  • sudo blockcontrol restart

when you have changed these settings.

Alternatively you might use mobloquer for adding IPs to these variables.

Use a search phrase

You can also use a search phrase, such as Google, Hotmail, or an actual IP address range (as specified in the blocklists). Add the following variable to /etc/blockcontrol/blockcontrol.conf:

  • IP_REMOVE=""

Separate phrases with a semicolon. So you might have an entry like this:

  • IP_REMOVE="google;yahoo;altavista"
    Do a
    sudo blockcontrol reload

when you have changed these settings.

How can I allow (whitelist) traffic for a combination of IPs, ports, or applications?

This is advanced stuff, and you won't find a complete answer here, sorry!

You can specify your own iptables rules in /etc/blockcontrol/iptables-custom-insert.sh. So you can whitelist any combination of ports, IPs, and (if your kernel supports it) traffic that originates from certain users or applications. Please note that most kernels do not support to whitelist traffic per application. This is a concept from the MS Windows world, and not very widespread in the Linux world.

The file /usr/share/doc/blockcontrol/examples/iptables-custom-insert.sh yields some examples.

Some services (avahi, webmin, ftpd, sshd, ...) on my MoBlock machine aren't available to other machines any more!

Allow all traffic to the port that the service is listening on for INCOMING connections

Edit /etc/blockcontrol/blockcontrol.conf (in Kubuntu, replace gksu with kdesu)

  • gksu gedit /etc/blockcontrol/blockcontrol.conf

E.g. for ssh allow all incoming traffic on port 22

  • WHITE_TCP_IN="22"

If you only want to connect from certain hosts with specific IPs, you can allow all traffic from them by using the WHITE_IP_IN variable or /etc/blockcontrol/allow.p2p.

Is it possible to specify a network interface where moblock operates on

You can allow (whitelist) traffic on all other interfaces.

Add to /etc/blockcontrol/iptables-custom-insert.sh:

  • iptables -I INPUT -i [DEVICENAME] -j RETURN
    iptables -I OUTPUT -o [DEVICENAME] -j RETURN
    iptables -I FORWARD -i [DEVICENAME] -j RETURN
    iptables -I FORWARD -o [DEVICENAME] -j RETURN

And to /etc/blockcontrol/iptables-custom-remove.sh:

  • iptables -D INPUT -i [DEVICENAME] -j RETURN
    iptables -D OUTPUT -o [DEVICENAME] -j RETURN
    iptables -D FORWARD -i [DEVICENAME] -j RETURN
    iptables -D FORWARD -o [DEVICENAME] -j RETURN

Replace [DEVICENAME] with the device name, e.g. eth0. Please have a look at man iptables to understand that stuff.

My internet is slow since I installed MoBlock!

Indeed MoBlock blocks quite much traffic: That's its purpose, but it can be a pain, too. In default installations outgoing traffic is REJECTED, if it is blocked by MoBlock. This makes sure that the sending application is notified immediately that its traffic was blocked (in contrast to DROPped packets, where no notification is sent, so that the application waits quite long and then gives up). So verify via

  • sudo blockcontrol show_config

if you have these settings:

  • REJECT="1"
    REJECT_OUT="REJECT"

You also might reduce the number of used blocklists, and allow traffic to certain IPs or ports. Have a look at the previous questions to learn how.

How do I keep it installed, without having it run at startup?

Edit /etc/blockcontrol/blockcontrol.conf:

  • gksu gedit /etc/blockcontrol/blockcontrol.conf

In Kubuntu, replace gksu with kdesu.

Set the following:

  • INIT="0"

What happens when I install MoBlock the first time?

First you will be prompted to configure MoBlock via some so called "debconf" questions. Then it will download some blocklists for you during installation (be patient, this may take a while), and start it as a daemon.

Now it will start automatically everytime you boot up and make a daily update of the blocklists - unless you configure blockcontrol otherwise.

I tried to install MoBlock but I'm stuck on a screen with a Moblock warning

This is a so called "debconf" question. Read the text and confirm by pressing "OK". If your debconf interface doesn't support your mouse, then you have to use your keyboard: hit the "TAB" key until "OK" is highlighted and then press "RETURN".

You may also do a "sudo dpkg-reconfigure debconf" and select "Gnome" as your interface. Then you can use your mouse for debconf questions.

I have a custom compiled kernel. Moblock does not work.

MoBlock depends on netfilter support in the kernel. There are two possibilities:

Netfilter support as kernel modules (recommended): Enable netfilter support in xconfig, or in the kernel source config file as modules.

Netfilter support built-in directly in the kernel: Enable netfilter support in xconfig, or in the kernel source config file.

blockcontrol will then make sure that the netfilter support is available to MoBlock.

How do I change automatic updating?

MoBlock automatically updates its blocklists everyday. To configure automatic updating, edit //etc/blockcontrol/blockcontrol.conf:

  • gksu gedit /etc/blockcontrol/blockcontrol.conf

The number in the following setting enables (1) or disables (2) automatic updating.

  • CRON="1"

To disable automatic updating, set the following.

  • CRON="0"

MoBlock fails to start or stop

Have a look at /var/log/blockcontrol.log and /var/log/moblock.log. In most cases an incorrect configuration option is the reason. If you don't understand the logfiles post them in the forum (please do this in CODE tags). If you think you messed thinks up you can make a clean reinstall:

  • apt-get purge moblock blockcontrol mobloquer
    apt-get install moblock blockcontrol mobloquer

Credits

Special thanks to pelle.k for the Ubuntu Forums thread this is derived from, the MoBlock Debian Packages maintainer jre, and the contributors to MoBlock.

Further Reading


CategoryInternet CategoryNetworking

MoBlock (last edited 2012-11-21 23:37:43 by frbg-5f730cc9)