All times are UTC - 6 hours





PostPosted: Sat Oct 04, 2008 5:27 pm 

HOWTO Covers: Installation of Moblock on R5.5.

Background Material: MoBlock, like PeerGuardian, blocks internet traffic based on large lists of IP address ranges in order to protect your privacy. The thought is that the blocklists contain IP ranges of hostile people/organizations who could potentially harm you, snoop your PC, log what you're up/downloading, etc.

You can select the level of protection offered by Moblock through your choice of blocklists. Moblock will compile as many as you want into a single file that it uses along with IPtables. It also has a very small memory/CPU footprint.

In order to get this to work on R5.5, you'll need to recompile your kernel with some netfilter support that wasn't selected in the original R5.5 kernel. It's easy, don't worry.

Warning: As the topic suggests, these instructions are for R5.5. Do not follow them verbatim on any other release of KM!

Table of Contents:
Section 1. Recompile the needed support into your kernel
Section 2. Install Moblock
Section 3. Appendix - optional - Instructions to configure your kernel if you don't wanna download my pre-made .config
Section 4. References

As always, commands that are preceded by the $ prompt are done by the user (i.e. mythtv) and those preceded by the # prompt are done by root.

Part 1. Recompile the needed support into your kernel
First get the kernel-source:

Code:
$ wget ftp://knoppmyth.net/R5/linux-source-2.6.23-chw-4_2.6.23-chw-4-10.00.Custom_all.deb


Untar the source and copy over the R5.5 kernel's out-of-the-box configuration:

Code:
# dpkg -i linux-source-2.6.23-chw-4_2.6.23-chw-4-10.00.Custom_all.deb
# cd /usr/src
# tar xjvf linux-source-2.6.23-chw-4.tar.bz2
# cd linux-source-2.6.23-chw-4
# cp /boot/config-2.6.23-chw-4 .config


In case something unforeseen goes wrong, let's backup and setup your current kernel as a backup option for you to boot into, just to be safe. I recommend that you do NOT skip this step.

Code:
# cp /boot/vmlinuz-2.6.23-chw-4 /boot/backup ; cp /boot/initrd.gz /boot/backup.gz


Edit /etc/lilo.conf using your fav text editor (nano or vim for example). Look for the line that reads: "default=Linux"

Insert the following under it:

Code:
image=/boot/backup
        label=Backup
        initrd=/boot/backup.gz
        read-only


If something goes horribly wrong with our new kernel, when LILO loads, you can hit the down arrow until you highlight "Backup" and boot into your system to fix it :)

Now we'll compile the kernel with the correct options for moblock to work. The easy way for you to do this is to download my pre-configured .config file (by clicking here) which contains the needed settings. Rename the file to ".config" and place it in your /usr/src/linux-source-2.6.23-chw-4

Alternatively, manually make the file by following the step-by-step guide located in Section 3 of this post (scroll to the end of the doc).

Do the following:

Code:
# cd /usr/src
# rm linux
# ln -s linux-source-2.6.23-chw-4 linux
# cd /lib/modules/2.6.23-chw-4
# rm build
# ln -s /usr/src/linux-source-2.6.23-chw-4 build
# cd /usr/src/linux-source-2.6.23-chw-4


Finally do your make steps:

Code:
# make clean
# make -j4


This step took 47 min on a 2.20 GHz Athlon 3200+ w/ 1 gig of DDR2-400, YMMV depending on system configuration. FYI, the -j4 option tells it to use 4 threads. From what I've read, 4 is good for a single core CPU. You can use -j6 or -j8 for a dual core and -j10 or -j12 for a quad core.

Now make your modules, install, and reboot into the new kernel:

Code:
# make modules_install
# make install
 (answered yes to re-running lilo)
# reboot


That should be it! You should boot normally except that you'll have the required netfilter kernel support to use moblock.

Part 2. Install Moblock

Add the following to your /etc/apt/sources.list

Code:
# moblock repos

deb http://moblock-deb.sourceforge.net/debian sid main
deb-src http://moblock-deb.sourceforge.net/debian sid main


Also, verify that you're pointing to the unstable debs (i.e. the two lines under #Debian repos should contain the word "unstable").

Example:
Code:
# moblock repos
deb http://moblock-deb.sourceforge.net/debian sid main
deb-src http://moblock-deb.sourceforge.net/debian sid main

#Debian repos
deb http://ftp.debian.org unstable main contrib non-free
deb-src http://ftp.debian.org unstable main contrib non-free


Save and exit. Now add the pgp key for moblock's debs to your ring so the authenticity can be verified:

Code:
# gpg --keyserver wwwkeys.eu.pgp.net --recv 9072870B
# gpg --export --armor 9072870B | apt-key add -


Now update apt and install moblock:

Code:
# apt-get update
# apt-get install moblock moblock-control


That'll do it. Once the apt-get finishes, dpkg will run the config for moblock. You can just accept the default options. Switch on or off the blocklists of your choice, see the webpage here for more info on what all these different lists contain. You likely don't need them all.

It might take 60-120 seconds for the blocklists to update. Just be patient. When finished, moblock automatically starts.

You can control moblock via moblock-control:

Test that moblock is functional:
Code:
# moblock-control test
Testing MoBlock:

CAUTION: This is just a simple test to check if MoBlock blocks outgoing
connections. For this, an IP from the blocklist will be pinged. Then the test
checks if this IP appears in the logfile /var/log/moblock.log.

MoBlock marks packets to be blocked. This means you have to make sure that the
marked packets are also blocked later (with appropriate iptables rules). If you
are using the default configuration and MoBlock is started after other firewalls
this will be the case.

This test does not check if you have sane iptables rules or if your complete
blocklist is in the correct format. Therefore success doesn't imply that
everything is working as you expect it.

Also have a look at "moblock-control status" and test manually with traceroute.

Trying to ping 4.1.144.255 from /etc/moblock/guarding.p2p ...
MoBlock marked the IP to be blocked and the IP did not answer. Test succeeded.


Stop/restart/start it via the same command (where <command> is one of the preceding):
Code:
# moblock-control <command>


You can add/remove additional blocklists by editing your /etc/moblock/blocklists.list file.

You can really do everything you need with the console app (moblock-control), so don't feel like you have to install the GUI. If however, you'd prefer a GUI to moblock, install mobloquer like this:

Code:
# apt-get install mobloquer


Once apt-get finishes, you can launch it simply by typing:

Code:
# mobloquer

Image

Note: for the logging feature to work, you need to have mobloquer running 24/7 (or at least over the time period you're interested in seeing). If you have the fluxbox toolbar set to visible, I'd recommend that you have mobloquer launch with fluxbox in tray mode. That way it's hidden from view, but you will benefit from the logging features.

To do this, simply edit your ~/.fluxbox/apps adding the following line:

Code:
[startup] {/usr/bin/mobloquer --tray}


This causes mobloquer to startup silently in the tray when fluxbox starts. You can exit mythtvfrontend, and can look at mobloquer via the tray icon and it's always running.

Image

Appendix - Manually Configuring the Kernel

Do this from the /usr/src/linux-source-2.6.23-chw-4/

Code:
# make menuconfig


After a few seconds, you should be presented with a menu-like view of the kernel options. Navigate with the arrow keys and the ENTER key. Your task is to select the various options listed below and modify them as follows to look like mine:

Hit the 'Y' key to include and you'll see the character that was present switch to an asterisk (i.e. <*>) when you do so.
Hit the 'N' key to exclude and you'll see it turn to nothing (i.e. < >) when you do it.
Hit the 'M' key to make the option a kernel module. You'll see it change to a capital 'M' when you do so (i.e. <M>).

Start by navigating to the following:

Networking --->
Networking options --->
[*] Network packet filtering framework (Netfilter) --->
Core Netfilter Configuration --->


From this section, make your display look like the following. Note that some options won't be displayed until you select them. In other words, go down the list making your window match the text below. You'll note that some additional options are revealed as you make your way down the list:

Code:
<*> Netfilter netlink interface
<*>   Netfilter NFQUEUE over NFNETLINK interface
<M>   Netfilter LOG over NFNETLINK interface
<*> Netfilter connection tracking support
--- Connection tracking flow accounting
--- Connection mark tracking support
[ ] Connection tracking security mark support (NEW)
[ ] Connection tracking events (EXPERIMENTAL) (NEW)
< > SCTP protocol connection tracking support (EXPERIMENTAL) (NEW)
< > UDP-Lite protocol connection tracking support (EXPERIMENTAL) (NEW)
< > Amanda backup protocol support (NEW)
< > FTP protocol support (NEW)
< > H.323 protocol support (EXPERIMENTAL) (NEW)
< > IRC protocol support (NEW)
< > NetBIOS name service protocol support (EXPERIMENTAL) (NEW)
< > PPtP protocol support (NEW)
< > SANE protocol support (EXPERIMENTAL) (NEW)
< > SIP protocol support (EXPERIMENTAL) (NEW)
< > TFTP protocol support (NEW)
<*> Connection tracking netlink interface (EXPERIMENTAL)
<*> Netfilter Xtables support (required for ip_tables)
<M>   "CLASSIFY" target support
<M>   "CONNMARK" target support
<M>   "DSCP" target support
<M>   "MARK" target support
<M>   "NFQUEUE" target Support
<M>   "NFLOG" target support
<M>   "NOTRACK" target support
<M>   "TRACE" target support
<M>   "SECMARK" target support
<M>   "TCPMSS" target support
<M>   "comment" match support
<M>   "connbytes" per-connection counter match support
<M>   "connlimit" match support
<M>   "connmark" connection mark match support
<M>   "conntrack" connection tracking match support
<M>   "DCCP" protocol match support
<M>   "DSCP" match support
<M>   "ESP" match support
<M>   "helper" match support
<M>   "length" match support
<M>   "limit" match support
<M>   "mac" address match support
<M>   "mark" match support
<M>   IPsec "policy" match support
<M>   Multiple port match support
<M>   "physdev" match support
<M>   "pkttype" packet type match support
<M>   "quota" match support
<M>   "realm" match support
<M>   "sctp" protocol match support (EXPERIMENTAL)
<M>   "state" match support
<M>   "statistic" match support
<M>   "string" match support
<M>   "tcpmss" match support
< >   "u32" match support
< >   "hashlimit" match support


That's it for this section. Go back by hitting the ESC key twice, then go into the following section and setup your display to match the text below:

IP: Netfilter Configuration --->

From this section, make your display look like the following:
Code:
<*> IPv4 connection tracking support (required for NAT)
[*]   proc/sysctl compatibility with old connection tracking (NEW)
< > IP Userspace queueing via NETLINK (OBSOLETE)
<*> IP tables support (required for filtering/masq/NAT)
<M>   IP range match support
<M>   TOS match support
<M>   recent match support
<M>   ECN match support
<M>   AH match support
<M>   TTL match support
<M>   Owner match support
<M>   address type match support
<M>   Packet filtering
<M>     REJECT target support
<M>   LOG target support
<M>   ULOG target support
<M>   Full NAT
<M>     MASQUERADE target support
<M>     REDIRECT target support
<M>     NETMAP target support
<M>     SAME target support (OBSOLETE)
<M>     Basic SNMP-ALG support (EXPERIMENTAL)
<M>   Packet mangling
<M>     TOS target support
<M>     ECN target support
<M>     TTL target support
< >     CLUSTERIP target support (EXPERIMENTAL) (NEW)
<M>   raw table support (required for NOTRACK/TRACE)
<M> ARP tables support
<M>   ARP packet filtering
<M>   ARP payload mangling


That's it for the configuration. Don't mess with any of the other options unless you know what you're doing!

To exit and save the configuration, keep hitting the ESC key until you're asked if you want to save the configuration. Say 'Yes' to that question!

Okay! You just configured your kernel. Now go back up to Part 1 and complete the rest of the process.

References
The following sites are sources for block lists
http://blocklist1.snowmanuk.net/
http://forums.phoenixlabs.org/showthread.php?t=17454

The following links helped me to figure out how to recompile the kernel and to get moblock up and running
http://moblock-deb.sourceforge.net/
http://forums.phoenixlabs.org/forumdisplay.php?f=15
http://gentoo-wiki.com/Moblock
http://www.cyberciti.biz/tips/compiling ... el-26.html
http://knoppmyth.net/phpBB2/viewtopic.php?t=18993
http://knoppmyth.net/phpBB2/viewtopic.php?t=18949
http://knoppmyth.net/phpBB2/viewtopic.php?t=13281
http://knoppmyth.net/phpBB2/viewtopic.php?t=18607

_________________
Retired KM user (R4 - R6.04); friend to LH users.


Last edited by graysky on Wed Oct 15, 2008 1:58 pm, edited 9 times in total.
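Two pre-flight checks for the guide above, added here as an example; this is not code from graysky's post or from the MoBlock project. The first is for Part 1: before you spend 47 minutes on make, it reads the kernel .config and reports which of the netfilter options MoBlock relies on are unset or built the wrong way. The CONFIG_* symbol names in it are my assumption of the 2.6.23 Kconfig symbols behind the appendix's menuconfig entries (netfilter netlink, NFQUEUE over NFNETLINK, connection tracking, Xtables, the NFQUEUE and MARK targets, IP tables); check them against your own tree if in doubt. The second is for Part 2 and answers what moblock-control test only half-answers: it looks an IPv4 address up in a p2p-format blocklist such as /etc/moblock/guarding.p2p offline, so you can confirm that an address is (or is not) covered without pinging it or trusting the log. The sample .config and sample blocklist it writes are constructed, not real data. Neither check touches the key step in Part 2; a 32-bit short key ID such as 9072870B is not a unique identifier for a key, so compare the full fingerprint of what the keyserver returned with one the MoBlock site publishes before piping it into apt-key add.

```shell
#!/bin/sh
# Added example; not code from graysky's post or from the MoBlock project.
# ASSUMPTION: the CONFIG_* names are the 2.6.23 Kconfig symbols behind the
# appendix's menuconfig entries (netfilter netlink, NFQUEUE over NFNETLINK,
# conntrack, Xtables, NFQUEUE/MARK targets, IP tables). y = built in, m = module.
NEEDED_SYMBOLS='
CONFIG_NETFILTER=y
CONFIG_NETFILTER_NETLINK=ym
CONFIG_NETFILTER_NETLINK_QUEUE=ym
CONFIG_NF_CONNTRACK=ym
CONFIG_NETFILTER_XTABLES=ym
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=ym
CONFIG_NETFILTER_XT_TARGET_MARK=ym
CONFIG_IP_NF_IPTABLES=ym
CONFIG_IP_NF_FILTER=ym
'

# check_netfilter_config FILE: one line per symbol; returns the number of
# symbols unset or built the wrong way, so 0 means "safe to start make".
check_netfilter_config() {
    bad=0
    for spec in $NEEDED_SYMBOLS; do
        sym=${spec%%=*}; ok=${spec#*=}
        # Kconfig writes "SYM=y", "SYM=m" or "# SYM is not set".
        val=$(sed -n "s/^$sym=\(.\)\$/\1/p" "$1")
        if [ -z "$val" ]; then
            echo "MISSING  $sym is not set"; bad=$((bad + 1))
        else
            case $ok in
                *"$val"*) echo "ok       $sym=$val" ;;
                *) echo "WRONG    $sym=$val (need one of: $ok)"; bad=$((bad + 1)) ;;
            esac
        fi
    done
    return $bad
}

# Dotted quad -> 32-bit integer; subshell body keeps the IFS change local.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# ip_in_blocklist IP FILE: FILE is p2p format ("Description:first-last" per
# line, '#' comments) as in /etc/moblock/guarding.p2p. Prints the description
# of the first range containing IP and returns 0; returns 1 if none matches.
ip_in_blocklist() (
    target=$(ip2int "$1")
    grep -v '^#' "$2" | {
        while IFS= read -r line; do
            case $line in *:*-*) ;; *) continue ;; esac
            range=${line##*:}                  # text after the LAST colon
            lo=$(ip2int "${range%-*}"); hi=$(ip2int "${range#*-}")
            if [ "$target" -ge "$lo" ] && [ "$target" -le "$hi" ]; then
                printf '%s\n' "${line%:*}"    # description may itself hold ':'
                exit 0
            fi
        done
        exit 1
    }
)

# Constructed sample inputs (not real data) so both checks run offline.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=m
EOF
}
write_sample_blocklist() {
    cat > "$1" <<'EOF'
# constructed p2p-format sample, not a real blocklist
Example range A:4.1.144.0-4.1.144.255
Example range B:10.0.0.0-10.255.255.255
Example: name with colon:192.0.2.0-192.0.2.127
EOF
}

# Stand-alone demo on the constructed samples.
demo() {
    tmp=$(mktemp -d)
    write_sample_config "$tmp/config"; write_sample_blocklist "$tmp/guarding.p2p"
    check_netfilter_config "$tmp/config" || echo "-> $? symbol(s) to fix before make"
    for ip in 4.1.144.255 192.0.2.5 203.0.113.9; do
        hit=$(ip_in_blocklist "$ip" "$tmp/guarding.p2p") && echo "$ip: blocked by '$hit'" || echo "$ip: not listed"
    done
    rm -rf "$tmp"
}
demo
```

To use it on a real box, point check_netfilter_config at /usr/src/linux-source-2.6.23-chw-4/.config after you have dropped in the pre-made file (or saved from menuconfig), and point ip_in_blocklist at /etc/moblock/guarding.p2p once moblock-control has built it. The range check converts both ends of each line to integers rather than comparing strings, which is what makes "4.1.144.255" sort correctly against "4.1.144.0" and "10.0.0.0".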


PostPosted: Sun Oct 05, 2008 5:53 pm 
graysky,

fantastic writeup, so much so i'm off to see what this moblock stuff is about :)

Nathan

_________________
LinHES: R6 | MB: Asus M3N-H/HDMI | CPU: AMD ??Mhz
Capture: 2xHDHR DVB-T
Graphics: Onboard 8300|PSU: Corsair vx450w
Cooling: Zalman cu?,
Display: Benq xx projector


PostPosted: Mon Oct 06, 2008 2:13 am 
nmcaullay wrote:
graysky,

fantastic writeup, so much so i'm off to see what this moblock stuff is about :)


Cool man, please lemme know how smoothly it went for you.



PostPosted: Sun Dec 28, 2008 9:04 am 
This write-up is a fantastic way to build in a very nice tool. Unfortunately for me I am running into the module dependency issue when adding support for:

<*> Connection tracking netlink interface (EXPERIMENTAL)

I cannot seem to be able to build the kernel without something failing. I'll post the logs as soon as this build finishes, but are there any ideas off the bat?


PostPosted: Sun Dec 28, 2008 10:20 am 
Hmm... did you download my .config text file and build it fresh from that? If you did please post the output. I must admit that since writing up this guide, I switched that box from running R5.5 to running Debian/Lenny but I'll try my best to help you out.



PostPosted: Sun Dec 28, 2008 11:09 am 
Code:
  LD      .tmp_vmlinux1
kernel/built-in.o: In function `getnstimeofday':
(.text+0x24c43): undefined reference to `__umoddi3'
kernel/built-in.o: In function `getnstimeofday':
(.text+0x24c63): undefined reference to `__udivdi3'
kernel/built-in.o: In function `do_gettimeofday':
(.text+0x24d90): undefined reference to `__udivdi3'
kernel/built-in.o: In function `do_gettimeofday':
(.text+0x24dab): undefined reference to `__umoddi3'
kernel/built-in.o: In function `timekeeping_resume':
timekeeping.c:(.text+0x24fae): undefined reference to `__umoddi3'
timekeeping.c:(.text+0x24fce): undefined reference to `__udivdi3'
kernel/built-in.o: In function `update_wall_time':
(.text+0x253c0): undefined reference to `__umoddi3'
kernel/built-in.o: In function `update_wall_time':
(.text+0x253e0): undefined reference to `__udivdi3'
kernel/built-in.o: In function `update_wall_time':
(.text+0x2583b): undefined reference to `__umoddi3'
kernel/built-in.o: In function `update_wall_time':
(.text+0x2585b): undefined reference to `__udivdi3'
make: *** [.tmp_vmlinux1] Error 1


End result of the build, error 1 and with your .conf I did attempt to build the support. The option for the module listed above was not available.


PostPosted: Sun Dec 28, 2008 11:34 am 
After some tweaking I may have it fixed, rebuilding now and will update.


PostPosted: Sun Dec 28, 2008 12:39 pm 
Efvin wrote:
End result of the build, error 1 and with your .conf I did attempt to build the support. The option for the module listed above was not available.


With my text file, simply copy it to the directory and rename it .config

Then just load up the config screen, make no changes, and exit. Then compile as per instructions.



PostPosted: Sun Dec 28, 2008 4:29 pm 
Followed it to a "T," nada. I'm not too worried about it. I'm sure I can set another box in front of this one that can handle the tables.


PostPosted: Sun Dec 28, 2008 5:30 pm 
Sorry man, wish I could help you out.



PostPosted: Fri Jan 02, 2009 8:46 pm 
After some fun and a re-install due to a fun mess I got myself into, it works ....


PostPosted: Sat Jan 03, 2009 3:53 am 
Cool, glad to hear it. What did you have to do that wasn't written in my guide?



 
 Post subject: Instructions for R6
PostPosted: Thu Jun 04, 2009 7:51 am 
BTW, I posted some instructions for R6 here. The kernel no longer has to be recompiled, but there are some other obstacles...

