Welcome!

moblock-deb provides packages related to IP blocking software, similar to PeerGuardian: to protect your privacy, internet traffic is blocked based on large lists of IP address ranges. The packages are PeerGuardian Linux (pgl) and its predecessors moblock, blockcontrol and mobloquer. This site offers Debian packages for the current Debian and Ubuntu distributions. pgl is available starting with Debian 6.0 squeeze and Ubuntu 10.04 lucid.

pgld and MoBlock are IP block daemons, which do the actual blocking. pglcmd and blockcontrol are utilities designed to do all tasks related to the daemons. pgl-gui and mobloquer are GUIs.

WARNING: IP blockers may block your complete network/internet access! Using too many and/or inappropriate lists may seriously degrade your internet service.

The software starts automatically at system boot by default. Some preconfigured blocklists are updated once a day. Be warned: this will not only block many unwanted IPs, but in most cases it will also limit network availability. This includes your own LAN and router, many webpages, services like email, instant messaging or the "weather applet", and your machine's accessibility from the internet.

There are many configuration options to prevent this. E.g. the default is to always allow (whitelist) LAN traffic, DNS server and loopback device. If you are on a public LAN, you probably want to disable this feature.

WARNING: Users with firewall (iptables rules)

The IPblockers don't conflict with other firewalls (iptables rules). But if you use them, you have to take special care to avoid severe conflicts. Make sure the following three conditions hold:

  1. The IPblocker marks non-matched (IP is not in the blocklist) packets. (The marking feature is on per default.)
  2. Other firewalls do not mark packets.
  3. The IPblocker is started after other firewalls. If other firewalls are started/reloaded after the IPblocker, then you need to restart it again. You will be fine, if the iptables rules which send traffic to the iptables chains (pgl_in, pgl_fwd and pgl_out) stand before all other iptables rules which ACCEPT traffic. To help you achieve this, a watchdog restarts the IPblocker if it detects any problems. But a manual restart is still recommended, whenever another application changed the iptables setup.

Technical note:

The IP block daemons check traffic (packets) that is sent to the iptables NFQUEUE (or the deprecated QUEUE) target. If the necessary support is not built in the kernel directly, the necessary kernel modules will be loaded automatically.

The IPblockers can also MARK packets, so that iptables rules that match this mark decide what happens with these packets. Per default marking is on: allowed packets (IP is not in the blocklist) get the mark "20" (shown as 0x14 by iptables) and blocked packets (IP is in the blocklist) get the mark "10" (0xa).

Marked packets repeat the hook function (NF_REPEAT). So they are sent back to the head of the iptables chain again. A packet may only bear one mark, so there mustn't be any other applications / iptables rules that mark packets. Otherwise the setup will not work and packets will loop forever.

"Marked block" outgoing packets will be REJECTED, "Marked block" incoming and forwarded packets will be DROPped. "Marked accept" packets will be ignored, so other iptables rules decide what happens to them.
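
The following check is an added example, not part of pgl or of the packages offered here: it audits iptables-save output against conditions 2 and 3 from the firewall warning above. The two rule sets are constructed samples, and the match options shown on the jump rules are an assumption; only the chain names pgl_in, pgl_fwd and pgl_out and the mark value 0x14 come from the text above.

```shell
# Added example, not part of pgl: reads iptables-save output on stdin,
# prints one finding per line and returns 1 if a condition is violated.
pgl_audit() {
    awk '
    BEGIN { want["INPUT"] = "pgl_in"; want["FORWARD"] = "pgl_fwd"; want["OUTPUT"] = "pgl_out" }
    /^\*/ { table = substr($1, 2); next }        # "*filter", "*mangle", ...
    $1 != "-A" { next }                          # keep rule lines only
    {
        chain = $2; target = ""
        for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
        # Condition 2: no iptables rule may set a packet mark.
        if (target == "MARK") { print "MARK rule in " table "/" chain; bad = 1 }
        if (table != "filter" || !(chain in want)) next
        if (target == want[chain]) { seen[chain] = 1; next }
        # Condition 3: an ACCEPT ahead of the jump bypasses the blocker.
        if (target == "ACCEPT" && !seen[chain] && !early[chain]) {
            print "ACCEPT before " want[chain] " in " chain; early[chain] = 1; bad = 1
        }
    }
    END {
        for (c in want) if (!seen[c]) { print "no jump to " want[c] " in " c; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: the jumps to the pgl chains come first in every chain.
sample_ok() { cat <<'EOF'
*filter
-A INPUT -m mark ! --mark 0x14 -j pgl_in
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -m mark ! --mark 0x14 -j pgl_fwd
-A OUTPUT -m mark ! --mark 0x14 -j pgl_out
COMMIT
EOF
}

# Constructed sample: another firewall was reloaded after the IP blocker.
sample_bad() { cat <<'EOF'
*mangle
-A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m mark ! --mark 0x14 -j pgl_in
-A FORWARD -m mark ! --mark 0x14 -j pgl_fwd
COMMIT
EOF
}
sample_bad | pgl_audit || echo "findings above: fix the rules, then run pglcmd restart"
```

On a live system, run it as root with: iptables-save | pgl_audit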

Features

pglcmd and blockcontrol have the following features:

  • Start and stop IP block daemon. Or let init do this automatically.
  • Update your blocklist from online sources and local blocklists. Or let cron do this automatically on a regular basis.
  • Remove lines by keyword from the blocklists.
  • Handle your iptables rules: use a default setup, easily allow all traffic on specific ports and use an allow list, or add your own sophisticated iptables rules.
  • Allow all LAN traffic and the DNS server automatically. If you are on a public LAN, you probably want to disable this feature.
  • Check the status and test the IP block daemon.
  • A watchdog monitors the IP block daemon and restarts if necessary.
  • Detects if kernel modules are needed and loads them if necessary.
  • Set verbosity and logging options.
  • Provides LSB 3.1 compatible init script.
  • Daily rotation of the logfiles.

Configuration and Usage

Usage (you need root privileges. Replace pglcmd with blockcontrol if you use the latter):

  • pglcmd start - inserts iptables rules and starts the IP block daemon. If the blocklist configuration changed, rebuild the master blocklist.
  • pglcmd stop - deletes iptables rules and stops the IP block daemon.
  • pglcmd restart - restarts the IP block daemon.
  • pglcmd reload - rebuilds the master blocklist and reloads the IP block daemon if it is running.
  • pglcmd update - updates the blocklists, rebuilds the master blocklist and reloads the IP block daemon.
  • pglcmd status - gives the iptables settings and the status of the IP block daemon.
  • pglcmd test - does a simple test to check if the IP block daemon is working (pings a random IP in the blocklist and checks if this IP was logged in the block daemon's logfile and if it answered).
  • pglcmd search PATTERN - outputs the occurrences of a keyword and the names of the single blocklists.
  • pglcmd stats - reports daemon's statistics
  • pglcmd reset_stats - resets daemon's statistics
  • show_config - shows the current configuration settings.

Note for blocklist operations: When the master blocklist is built, missing single blocklists are downloaded. If any blocklist fails to download, and if there is no old version available, the operation aborts. If a downloaded blocklist fails to extract, it is deleted and the operation aborts.

Configuration:

Blocklists are configured in blocklists.list (/etc/pgl/blocklists.list).

The allow list for IP ranges is allow.p2p (/etc/pgl/allow.p2p). By default, the allow list is used for incoming and outgoing connections. If desired, different allow lists for incoming, outgoing and forward connections may be used.

The rest is done in pglcmd.conf (/etc/pgl/pglcmd.conf). Refer to pglcmd.defaults (/usr/lib/pgl/pglcmd.defaults) for the complete set of possible configuration variables with comments.


[i386 and amd64] Grab the packages


[Debian and Ubuntu 8.04 hardy] Tell your system about the packages (step 1):


Add these entries to /etc/apt/sources.list:

Debian 5.0 lenny:

deb http://moblock-deb.sourceforge.net/debian lenny main
deb-src http://moblock-deb.sourceforge.net/debian lenny main
          

Debian 6.0 squeeze:

deb http://moblock-deb.sourceforge.net/debian squeeze main
deb-src http://moblock-deb.sourceforge.net/debian squeeze main
          

Debian 7.0 wheezy:

deb http://moblock-deb.sourceforge.net/debian wheezy main
deb-src http://moblock-deb.sourceforge.net/debian wheezy main

Debian sid (unstable):

deb http://moblock-deb.sourceforge.net/debian sid main
deb-src http://moblock-deb.sourceforge.net/debian sid main
          

Ubuntu 8.04 hardy:

deb http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu hardy main
deb-src http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu hardy main
deb http://archive.ubuntu.com/ubuntu hardy main universe

Add my gpg key to the apt keyring

Debian

I sign the packages here at moblock-deb with my gpg key. To verify the integrity of the packages you have to add my gpg key to the apt keyring. (Otherwise your package manager will warn you about UNTRUSTED sources. By adding the gpg key, you tell your package manager that you trust me.) My old gpg keys 9072870B and 58712F29 expired, use the new one C0145138 instead:

gpg --keyserver keyserver.ubuntu.com --recv-keys C0145138
gpg --export --armor C0145138 | sudo apt-key add -

Ubuntu

I sign the source packages that I upload to ppa.launchpad.net. There the packages are built and then signed with another GPG key (both happen outside of my control). So if you trust me and launchpad you have to use this:

gpg --keyserver keyserver.ubuntu.com --recv 9C0042C8
gpg --export --armor 9C0042C8 | sudo apt-key add -

[Ubuntu] Tell your system about the packages (step 1):


Ubuntu 10.04 lucid, Ubuntu 10.10 maverick, Ubuntu 11.04 Natty and Ubuntu 11.10 Oneiric:

sudo add-apt-repository ppa:jre-phoenix/ppa

If your package manager complains about missing dependencies (libnetfilter-queue and libnfnetlink), you need to add the "universe" section entry to /etc/apt/sources.list (replace YOURDIST with lucid, maverick, natty or oneiric):

deb http://archive.ubuntu.com/ubuntu YOURDIST main universe

[Debian and Ubuntu] Tell your system about the packages (step 2):

Run this command (on command line) to update the list of available packages:

sudo apt-get update

[Debian and Ubuntu] Install it:

Either from within your package manager or from the command line:

sudo apt-get install moblock blockcontrol mobloquer

If you don't need a GUI you should install pgl instead:

sudo apt-get install pgld pglcmd

[All architectures] Build your own packages


To manually build packages of the current versions you need the "deb-src ..." entry in your apt sources.list and you need to update the package list. See above.

Build the current version

moblock, blockcontrol and mobloquer

sudo apt-get update
sudo apt-get install fakeroot
mkdir ~/moblock-deb-packages
cd ~/moblock-deb-packages
sudo apt-get build-dep -y moblock blockcontrol mobloquer
apt-get source moblock blockcontrol mobloquer
cd ~/moblock-deb-packages/{package}-{MAJOR_VERSION}
dpkg-buildpackage -uc -us -tc -rfakeroot

pgl

sudo apt-get update
sudo apt-get install fakeroot
mkdir ~/moblock-deb-packages
cd ~/moblock-deb-packages
sudo apt-get build-dep -y pgl
apt-get source pgl
cd ~/moblock-deb-packages/{package}-{MAJOR_VERSION}
dpkg-buildpackage -uc -us -tc -rfakeroot

... and you will have your own deb in the directory ~/moblock-deb-packages. Install it with

sudo dpkg -i ~/moblock-deb-packages/{package}_{MAJOR_VERSION}-{MINOR_VERSION}_{ARCHITECTURE}.deb

Examples:

Replace i386 with your architecture, e.g. amd64, armel, mips, powerpc, ...

moblock, blockcontrol and mobloquer

sudo apt-get update
sudo apt-get install fakeroot
mkdir ~/moblock-deb-packages
cd ~/moblock-deb-packages
sudo apt-get build-dep -y moblock blockcontrol mobloquer
apt-get source moblock blockcontrol mobloquer

cd ~/moblock-deb-packages/moblock-0.9~rc2
dpkg-buildpackage -uc -us -tc -rfakeroot
sudo dpkg -i ~/moblock-deb-packages/moblock_0.9~rc2-25_i386.deb

cd ~/moblock-deb-packages/blockcontrol-1.6.13
dpkg-buildpackage -uc -us -tc -rfakeroot
sudo dpkg -i ~/moblock-deb-packages/blockcontrol_1.6.13-1_all.deb

cd ~/moblock-deb-packages/mobloquer-0.6+svn20090817+4
dpkg-buildpackage -uc -us -tc -rfakeroot
sudo dpkg -i ~/moblock-deb-packages/mobloquer_0.6+svn20090817+4-1_i386.deb

pgl

sudo apt-get update
sudo apt-get install fakeroot
mkdir ~/moblock-deb-packages
cd ~/moblock-deb-packages
sudo apt-get build-dep -y pgl
apt-get source pgl

cd ~/moblock-deb-packages/pgl-2.1.3+b1
dpkg-buildpackage -uc -us -tc -rfakeroot
sudo dpkg -i ~/moblock-deb-packages/pgld_2.1.3+b1-1_i386.deb
sudo dpkg -i ~/moblock-deb-packages/pglcmd_2.1.3+b1-1_all.deb

Feedback and Development


The preferred place for discussions and support is at the Linux forum of phoenixlabs.org.
Please visit and use the peerguardian project page here at sourceforge to submit bugs and patches or request features.
You can have a look at the current pgl development code in the git repository. The fastest way to get something changed in the packages is to post a patch.
For general feedback or if you want some privacy you can drop me an email.

Latest news

Sep 17 2011
New binaries for Ubuntu Oneiric (previously broken) and Precise (12.04).

We're still alive, but we lost our old homepage phoenixlabs.org. Don't worry, development and support are now both located at the PeerGuardian project website.

Sep 17 2011
PeerGuardian Linux 2.1.3
Several fixes, mainly for cross distro support.

Sep 04 2011
Added Ubuntu Oneiric (11.10) support

Aug 23 2011
PeerGuardian Linux 2.1.2
Fixes the cannot-whitelist-temporarily-while-using-kdesudo bug. And other stuff.

Aug 12 2011
PeerGuardian Linux 2.1.0 - The GUI release!
Today we proudly present to you: pgl 2.1.0, including the long-anticipated pgl-gui. Try it, test it, report back. If you don't tell us otherwise the days of moblock, blockcontrol and mobloquer will soon be over.

My old GPG key 58712F29 expires on 2011-08-16, my new one is C0145138.

Added Debian 7.0 wheezy and Ubuntu 11.10 (Oneiric) support, removed Ubuntu 9.10 (Karmic)

Jan 23 2011
pgl 2.0.4 released
Added Ubuntu Natty (11.04) support

Oct 15 2010
Added Ubuntu Maverick (10.10) support
Dropped Ubuntu Jaunty support.
Everybody feel free to join this project if you think you can do anything useful.

Sep 10 2010
pgl 2.0.3 released

Aug 14 2010
pgl 2.0.2 released

Jun 20 2010
New blockcontrol and mobloquer release
Backported the recent changes from pgl: mobloquer now shows human readable names for iblocklist.com blocklists again.
Completely removed intrepid from the PPA and hardy from moblock-deb (hardy is still in the PPA).

Jun 16 2010
PeerGuardian Linux 2.0.1 released!
Including a far better integration with iblocklist.com
BTW, new developers and homepage designers may just contact me.

May 18 2010
PeerGuardian Linux 2.0.0 released!
PeerGuardian Linux is based on nfblock/moblock and blockcontrol. Users of these applications will find many improvements and bug fixes. Unfortunately we have no GUI ready, yet.
NFBlock was removed from the repository.

May 7 2010
Packages for Ubuntu Lucid available
All packages are available for Ubuntu Lucid now. But support for Ubuntu Intrepid has been dropped, as this release has reached its official end of life.

Nov 12 2009
New project PeerGuardian Linux
There's a new project: PeerGuardian Linux (pgl), located at the project of the original PeerGuardian. The new project combines and succeeds all projects that had packages here. There's the daemon pgld (based on NFBlock, which was based on MoBlock), pglcmd (based on blockcontrol, previously moblock-control) and pgl-gui (by the author of mobloquer).
All authors of the old applications and new authors work on this new project. So the old projects are dead now. Contributors and testers are welcome! This is an open project. Check the source in the git repository: git://peerguardian.git.sourceforge.net/gitroot/peerguardian/peerguardian
(At least for the beginning) I'll continue to offer Debian packages here.

Related projects

Other important stuff

  • Tor: An anonymous Internet communication system
  • Jabber: Open source instant messaging
  • GnuPG: secure communication and data storage
  • Everything you want to know about iptables
  • Privoxy: Privacy enhancing HTTP Proxy