Welcome!

logfile screenshot

moblock-deb provides packages for IP blocking software similar to PeerGuardian: to protect your privacy, internet traffic is blocked based on large lists of IP address ranges. The packages are MoBlock, NFBlock, blockcontrol and mobloquer. This site offers Debian packages for the current Debian and Ubuntu distributions.

MoBlock and NFBlock are IP block daemons, which do the actual blocking. blockcontrol is a CLI designed to do all tasks related to IP block daemons (MoBlock or NFBlock). blockcontrol is developed here. It's available as a Debian package and as a separate download for all Linux distributions. mobloquer is a GUI on top of blockcontrol.

WARNING: IP blockers may block your complete network/internet access!

By default, blockcontrol starts automatically at system boot. Some preconfigured blocklists are updated once a day. Be warned: this will not only block many unwanted IPs; in most cases it will also limit your network availability. This includes your own LAN and router, many webpages, services like email, instant messaging or the "weather applet", and your machine's accessibility from the internet.

There are many configuration options to prevent this. E.g. the default is to always allow (whitelist) LAN traffic, DNS server and loopback device. If you are on a public LAN, you probably want to disable this feature.

WARNING: Users with firewall (iptables rules)

MoBlock (since version 0.9) and NFBlock do not conflict with other firewalls (iptables rules). But if you use them, you have to take special care to avoid severe conflicts. Make sure the following three conditions hold:

  1. The IP block daemon marks non-matched packets (packets whose IP is not in the blocklist). The marking feature is on by default.
  2. Other firewalls do not mark packets.
  3. blockcontrol is started after other firewalls. If other firewalls are started or reloaded after blockcontrol, you need to restart blockcontrol again. You will be fine if the iptables rules which send traffic to the iptables chains (blockcontrol_in, blockcontrol_out and blockcontrol_fw) stand before all other iptables rules which ACCEPT traffic. To help you achieve this, blockcontrol.watchdog restarts blockcontrol if it detects any problems. It is still recommended to restart blockcontrol manually whenever another application has changed the iptables setup.
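A check for conditions 2 and 3 above, run against a saved ruleset. This is an added example, not part of blockcontrol; the function name and the sample rulesets (including their match expressions) are constructed for illustration.

```shell
# Reads `iptables-save` text on stdin, prints one line per problem and
# returns non-zero if condition 2 or 3 from the list above is violated.
check_blockcontrol_order() {
    awk '
    BEGIN { table = "filter"; bad = 0; want["INPUT"] = "blockcontrol_in"
            want["OUTPUT"] = "blockcontrol_out"; want["FORWARD"] = "blockcontrol_fw" }
    /^\*/ { table = substr($1, 2); next }    # table header, e.g. "*filter"
    $1 != "-A" { next }                      # skip policies, COMMIT, comments
    {
        chain = $2; target = ""
        for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
        # Condition 2: no iptables rule may set a packet mark.
        if (target == "MARK") { print "MARK rule in " table "/" chain; bad = 1 }
        if (table != "filter" || !(chain in want)) next
        n[chain]++                           # position of this rule in its chain
        if (target == want[chain] && !(chain in jump)) jump[chain] = n[chain]
        if (target == "ACCEPT" && !(chain in acc)) acc[chain] = n[chain]
    }
    END {                                    # Condition 3: jump before any ACCEPT
        for (c in want) {
            if (!(c in jump)) { print c ": no jump to " want[c]; bad = 1 }
            else if ((c in acc) && acc[c] < jump[c]) {
                print c ": ACCEPT (rule " acc[c] ") precedes " want[c]; bad = 1 }
        }
        exit bad
    }'
}
# Constructed sample rulesets (not real blockcontrol output).
sample_good() { cat <<'EOF'
*filter
-A INPUT -m mark ! --mark 0x14 -j blockcontrol_in
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m mark ! --mark 0x14 -j blockcontrol_out
-A FORWARD -m mark ! --mark 0x14 -j blockcontrol_fw
COMMIT
EOF
}
sample_bad() { cat <<'EOF'
*mangle
-A PREROUTING -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j blockcontrol_in
-A OUTPUT -j blockcontrol_out
COMMIT
EOF
}
sample_bad | check_blockcontrol_order || echo "reorder rules, then restart blockcontrol"
```

On a live system, feed it the real ruleset with `sudo iptables-save | check_blockcontrol_order`. It only looks at rules placed directly in INPUT, OUTPUT and FORWARD, so an ACCEPT reached through another user-defined chain is not detected.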

Technical note:

The IP block daemons check traffic (packets) that is sent to the iptables NFQUEUE (or the deprecated QUEUE) target. If the necessary support is not built into the kernel directly, blockcontrol will load the necessary kernel modules. Up to MoBlock 0.8, packets that do not match the blocklist are ACCEPTed and packets that match the blocklist are DROPped.

MoBlock (since 0.9) and NFBlock can also MARK packets, so that iptables rules that match this mark decide what happens with these packets. Marking is on by default: allowed packets (IP is not in the blocklist) get the mark "20" (shown as 0x14 by iptables) and blocked packets (IP is in the blocklist) get the mark "10" (0xa).

Marked packets repeat the hook function (NF_REPEAT). So they are sent back to the head of the iptables chain again. A packet may only bear one mark, so there mustn't be any other applications / iptables rules that mark packets. Otherwise the setup will not work and packets will loop forever.

"Marked block" outgoing packets will be REJECTED, "Marked block" incoming and forwarded packets will be DROPped. "Marked accept" packets will be ignored, so other iptables rules decide what happens to them.

Features

blockcontrol has the following features:

  • Start and stop IP block daemon. Or let init do this automatically.
  • Update your blocklist from online sources and local blocklists. Or let cron do this automatically on a regular basis.
  • Remove lines by keyword from the blocklists.
  • Handle your iptables rules: use a default setup, easily allow all traffic on specific ports and use an allow list, or add your own sophisticated iptables rules.
  • Allow all LAN traffic and the DNS server automatically. If you are on a public LAN, you probably want to disable this feature.
  • Check the status and test the IP block daemon.
  • A watchdog monitors the IP block daemon and restarts blockcontrol if necessary.
  • Detects if kernel modules are needed and loads them if necessary.
  • Set verbosity and logging options.
  • Provides LSB 3.1 compatible init script.
  • Daily rotation of the logfiles.

Configuration and Usage

Usage (you need root privileges):

  • blockcontrol start - inserts iptables rules and starts the IP block daemon. If the blocklist configuration changed, rebuild the master blocklist.
  • blockcontrol stop - deletes iptables rules and stops the IP block daemon.
  • blockcontrol restart - restarts the IP block daemon.
  • blockcontrol reload - rebuilds the master blocklist and reloads the IP block daemon if it is running.
  • blockcontrol update - updates the blocklists, rebuilds the master blocklist and reloads the IP block daemon.
  • blockcontrol status - gives the iptables settings and the status of the IP block daemon.
  • blockcontrol test - does a simple test to check if the IP block daemon is working (pings a random IP in the blocklist and checks if this IP was logged in the block daemon's logfile and if it answered).
  • search PATTERN - outputs the occurrences of a keyword and the names of the single blocklists.
  • stats - reports MoBlock's statistics
  • reset_stats - resets MoBlock's statistics
  • show_config - shows the current configuration settings.

Note for blocklist operations: When the master blocklist is built, missing single blocklists are downloaded. If any blocklist fails to download, and if there is no old version available, the operation aborts. If a downloaded blocklist fails to extract, it is deleted and the operation aborts.

Configuration:

Blocklists are configured in blocklists.list (/etc/blockcontrol/blocklists.list).

The allow list for IP ranges is allow.p2p (/etc/blockcontrol/allow.p2p). By default, the allow list is used for incoming and outgoing connections. If desired, different allow lists may be used for incoming, outgoing and forward connections.

The rest is done in blockcontrol.conf (/etc/blockcontrol/blockcontrol.conf). Refer to blockcontrol.defaults (/usr/lib/blockcontrol/blockcontrol.defaults) for the complete set of possible configuration variables with comments.


Grab the packages!


Add to /etc/apt/sources.list


Debian lenny (stable):

deb http://moblock-deb.sourceforge.net/debian lenny main
deb-src http://moblock-deb.sourceforge.net/debian lenny main

Debian squeeze (testing):

deb http://moblock-deb.sourceforge.net/debian sid main
deb-src http://moblock-deb.sourceforge.net/debian sid main

Debian sid (unstable):

deb http://moblock-deb.sourceforge.net/debian sid main
deb-src http://moblock-deb.sourceforge.net/debian sid main

Ubuntu 8.04 hardy:

deb http://moblock-deb.sourceforge.net/debian hardy main
deb-src http://moblock-deb.sourceforge.net/debian hardy main

Ubuntu 8.10 intrepid:

deb http://moblock-deb.sourceforge.net/debian intrepid main
deb-src http://moblock-deb.sourceforge.net/debian intrepid main

Ubuntu 9.04 jaunty:

deb http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu jaunty main
deb-src http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu jaunty main

Ubuntu 9.10 karmic:

deb http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu karmic main
deb-src http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu karmic main

Note for Ubuntu users:

You also need the "universe" section, something like
deb http://archive.ubuntu.com YOURDIST main universe

Add my gpg key

Debian and Ubuntu hardy/intrepid

I sign the packages here at moblock-deb with my gpg key. To verify the integrity of the packages you have to add my gpg key to the apt keyring. (Otherwise your package manager will warn you about UNTRUSTED sources. By adding the gpg key, you tell your package manager that you trust me.)

gpg --keyserver wwwkeys.eu.pgp.net --recv-keys 9072870B
gpg --export --armor 9072870B | sudo apt-key add -

Ubuntu jaunty and later versions

I sign the source packages that I upload to ppa.launchpad.net. There the packages are built and then signed with another GPG key (both happen outside of my control). So if you trust me and launchpad, you have to use this instead:

gpg --keyserver keyserver.ubuntu.com --recv-keys 9C0042C8
gpg --export --armor 9C0042C8 | sudo apt-key add -
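
Eight-digit key IDs such as the ones above are not unique, so before piping a key into apt-key it is worth comparing its full fingerprint with one obtained from the maintainer over a separate channel. The following check is an added example, not part of the original page; check_key, the DEADBEEF ID and both listings are constructed, and the expected fingerprint is something you must supply yourself.

```shell
# check_key SHORTID FINGERPRINT
# Reads `gpg --with-colons --fingerprint SHORTID` output on stdin and succeeds
# only if exactly one primary key is listed and its fingerprint is FINGERPRINT.
check_key() {
    awk -F: -v short="$1" -v want="$2" '
    BEGIN { gsub(/ /, "", want); want = toupper(want); short = toupper(short) }
    $1 == "pub" { pubs++; p = 1; next }
    # The fpr record right after a pub record belongs to the primary key.
    $1 == "fpr" && p { fpr = toupper($10); p = 0 }
    END {
        if (pubs != 1) { print "refusing: " (pubs + 0) " keys match " short; exit 1 }
        if (substr(fpr, length(fpr) - 7) != short) { print "refusing: wrong key ID"; exit 1 }
        if (fpr != want) { print "refusing: fingerprint is " fpr; exit 1 }
        print "ok: " fpr
    }'
}

# Constructed listings: one key, and two keys colliding on the same short ID.
listing_single() { cat <<'EOF'
pub:-:1024:17:77778888DEADBEEF:1230768000:::-:::scESC:
fpr:::::::::11112222333344445555666677778888DEADBEEF:
uid:-::::1230768000::::Constructed Packager <packager@example.invalid>:
sub:-:2048:16:0123456789ABCDEF:1230768000::::::e:
fpr:::::::::99990000AAAABBBBCCCCDDDD0123456789ABCDEF:
EOF
}
listing_collision() { listing_single; cat <<'EOF'
pub:-:1024:17:00001111DEADBEEF:1230768000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF00001111DEADBEEF:
EOF
}

listing_collision | check_key DEADBEEF \
    "1111 2222 3333 4444 5555 6666 7777 8888 DEAD BEEF" || echo "key not added"
```

With a real keyring the input comes from `gpg --with-colons --fingerprint KEYID`, and the export to apt-key runs only after check_key succeeds.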

Update your package list

Run this command (on command line) to update the list of available packages:

sudo aptitude update

Install it (i386 and amd64)

Either from within your package manager or from the command line:

sudo aptitude install moblock blockcontrol mobloquer

Build your own packages (all architectures)


To manually build packages of the current versions you need a "deb-src ..." entry in your apt sources.list and you need to update the package list. See above.

Build the current version

sudo aptitude update
sudo aptitude install fakeroot
mkdir ~/moblock-deb-packages
cd ~/moblock-deb-packages
sudo apt-get build-dep -y moblock blockcontrol mobloquer
apt-get source moblock blockcontrol mobloquer
cd ~/moblock-deb-packages/{package}-{MAJOR_VERSION}
dpkg-buildpackage -uc -us -rfakeroot

... and you will have your own deb in the directory ~/moblock-deb-packages. Install it with

sudo dpkg -i ~/moblock-deb-packages/{package}_{MAJOR_VERSION}-{MINOR_VERSION}_{ARCHITECTURE}.deb

Example:

(The version numbers in this example may be outdated and you might have a different architecture than i386.)

mkdir ~/moblock-deb-packages
cd ~/moblock-deb-packages
sudo apt-get build-dep moblock blockcontrol mobloquer
sudo aptitude install fakeroot
apt-get source moblock blockcontrol mobloquer

cd ~/moblock-deb-packages/moblock-0.9~rc2
dpkg-buildpackage -uc -us -rfakeroot
sudo dpkg -i ~/moblock-deb-packages/moblock_0.9~rc2-22_i386.deb

cd ~/moblock-deb-packages/blockcontrol-1.3
dpkg-buildpackage -uc -us -rfakeroot
sudo dpkg -i ~/moblock-deb-packages/blockcontrol_1.3-1_all.deb

cd ~/moblock-deb-packages/mobloquer-0.6
dpkg-buildpackage -uc -us -rfakeroot
sudo dpkg -i ~/moblock-deb-packages/mobloquer_0.6-1_i386.deb

blockcontrol (all Linux distributions, all architectures)


Download blockcontrol from the project's page. Have a look at the README. You may need to adjust some paths and copy the files to their correct places manually.

Feedback and Development


The preferred place for discussions and support is at the Linux forum of phoenixlabs.org.
Please visit and use the project's page here at sourceforge to submit bugs and patches or request features.
You can browse the development repository at http://moblock-deb.svn.sourceforge.net/. Use subversion or (even easier) svk to work with it. The fastest way to get something changed in the packages is to post a patch.
For general feedback or if you want some privacy you can drop me an email.

Latest news

May 03 2009
blockcontrol 1.4.3 released.
Added a watchdog, that restarts blockcontrol if it detects problems. Added support for multiple custom iptables scripts.

Apr 21 2009
Ubuntu jaunty support via ppa.launchpad.net.
I decided to make a PPA at launchpad.net. This means I upload the source packages, and the binaries are then built for the architectures i386, amd64 and (new) lpia. This will be used for Ubuntu jaunty and later versions. The launchpad packages are signed with another gpg key!

Mar 23 2009
mobloquer in hardy again.
mobloquer has been available for hardy again for a few days. So the static mirror has been removed.
Support for gutsy has been cancelled completely.

Mar 23 2009
Backup of mobloquer.
With yesterday's release mobloquer was dropped from the gutsy and hardy repositories. If you are on these dists (and don't want to update to intrepid), you can use a mirror of the old repository. Simply change your moblock-deb entries in /etc/apt/sources.list to contain 20090109 instead of debian.
Or just don't update these files for the time being.

Mar 22 2009
All packages updated.
moblock-control has been renamed to blockcontrol. Have a look at blockcontrol's NEWS.
NFBlock added to the repository.

Jan 09 2009
moblock-control updated to 1.2: Many changes regarding the blocklist management. Since 1.1 the default blocklists are from TBG.
By default, allow.p2p is no longer used for the FORWARD chain.
Have a look at the current NEWS or at a detailed list of all changes in the changelog.
Dropped Ubuntu Feisty support: Ubuntu dropped its security support for Ubuntu Feisty (7.04) on Oct 19th, 2008. Therefore I also removed the Feisty packages. Update your systems to a current version!

Sep 25 2008
All packages have been updated. Added support for Ubuntu Intrepid Ibex.
moblock-control is a separate package now.
So install "moblock" and "moblock-control" to have the functionality of the old "moblock" package.
The custom iptables scripts are now executed by default, too.
See the moblock-control NEWS and changelog.

Aug 19 2008
New MoBlock (0.9~rc2-17) packages, moblock-nfq removed
Since the 0.9 series has fewer bugs and nicer features than the "official" stable 0.8, I removed the "moblock-nfq" package. Updates to "moblock" will be made automatically. Since the case for "moblock-ipq" is a bit complicated, it is not handled automatically. Interested users with an old kernel (<2.6.13), please ask for help with the transition.
For the other changes see the MoBlock 0.9RC2 debian changelog
The subversion development repository is updated again!

Jul 14 2008
New MoBlock (0.9~rc2-13) packages
debconf support added, port 80 and 443 whitelisted by default again, LAN traffic automatically whitelisted (experimental), port logging, hopefully removed all bashisms - Have fun.
I have not made a separate file release of moblock-control, yet. Contact me if you want one now.
The preview packages have been removed, since they are obsolete now.
The development repository is still not updated.

Related projects

Other important stuff

  • Tor: An anonymous Internet communication system
  • Jabber: Open source instant messaging
  • GnuPG: secure communication and data storage
  • Everything you want to know about iptables
  • Privoxy: Privacy enhancing HTTP Proxy