Make sure that the "universe" section is activated in your sources.list. You need something like this (replace YOURDIST with
your distribution codename, e.g. hardy or karmic)
Package Installation
If you want a graphical interface install the packages "moblock", "blockcontrol" and "mobloquer". If you don't need a GUI you
should use the new PeerGuardian Linux instead (it's by the same authors). Follow all instructions on this page, but install the
packages "pgld" and "pglcmd" instead.
Compile a package
If you want to make your own MoBlock binary package from source and install it, you can use the following instructions. Most
users will not need to compile a package, but this can be used for unsupported architectures or for an older release (you may also
have to compile netfilter lib packages).
First, make sure you have added a source repository for your release. Then, run the following in terminal.
mkdir ~/moblock-deb-packages
cd ~/moblock-deb-packages
sudo apt-get build-dep moblock blockcontrol mobloquer
apt-get source moblock blockcontrol mobloquer
cd ~/moblock-deb-packages/moblock-0.9~rc2
dpkg-buildpackage -uc -us -tc -rfakeroot
sudo dpkg -i ~/moblock-deb-packages/moblock_0.9~rc2-*.deb
cd ~/moblock-deb-packages/blockcontrol-1.3
dpkg-buildpackage -uc -us -tc -rfakeroot
sudo dpkg -i ~/moblock-deb-packages/blockcontrol_*_all.deb
cd ~/moblock-deb-packages/mobloquer-0.6
dpkg-buildpackage -uc -us -tc -rfakeroot
sudo dpkg -i ~/moblock-deb-packages/mobloquer_*.deb
sudo apt-get -f install
Some of these commands can be combined into one, but this lets you make changes like adding a patch if necessary and explains
the process better.
Explanation: the directory moblock-deb-packages is created in your home directory, and the current working directory is
changed to it. The development dependencies of the packages moblock, blockcontrol and mobloquer are then installed, and the
three source packages are downloaded. For each of the three packages in turn, the current working directory is changed to the
source directory, the source and binary packages are built and the package is installed. As a last step, any missing
dependencies are installed.
Install a package
Use the instructions at the InstallingSoftware page under Installing downloaded packages
start and stop MoBlock (including handling of the iptables rules if desired)
update the specified blocklists from online sources
use local blocklists
modify the blocklist and whitelist IPs and ports
In the default configuration MoBlock starts at system boot and some preconfigured blocklists are updated once a day. You can
specify the blocklists to use in /etc/blockcontrol/blocklists.list. Everything else (automatic start and update, iptables handling, IP
and port whitelisting) is configured in /etc/blockcontrol/blockcontrol.conf. This is important especially if MoBlock blocks sites that
it should not block. A list of all available configuration options is in /usr/lib/blockcontrol/blockcontrol.defaults. (Don't edit the latter
file, but put your changes in /etc/blockcontrol/blockcontrol.conf.)
Start MoBlock
Stop MoBlock
Restart MoBlock
Rebuild Blocklist
Update Blocklists
MoBlock Status
This shows the iptables settings and the status of the MoBlock daemon.
Test MoBlock
The test has been known to have problems in older versions of MoBlock. Look at the log to check if you are unsure. This can be
done interactively (this command will show you the log in real-time).
tail -f /var/log/moblock.log
Search for a pattern in your blocklists. This helps you to find out which blocklist is responsible for a certain block.
Note: If you don't need a GUI you should use the new PeerGuardian Linux (it's by the same authors). The usage is nearly
identical, just type "pglcmd" instead of "blockcontrol". The configuration files are in /etc/pgl/.
You have to whitelist your LAN. If you don't know your local IP check it with "sudo ifconfig". It's the value after "inet addr:" of
the interface that you use for networking. For wired connections this might be "eth0", for wireless connections "wlan0".
Example: You found out that your IP is 192.168.0.39. Then your LAN will most probably cover the IP range 192.168.0.1-
192.168.0.255. Then you need to whitelist this range for incoming and outgoing connections.
WHITE_IP_IN="192.168.0.0/24"
WHITE_IP_OUT="192.168.0.0/24"
Do a
blockcontrol restart
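Computing the range from the interface's address and prefix length, instead of guessing it, keeps the whitelist no wider than the LAN. The script below is an added example, not code from this page or from blockcontrol; the function names are hypothetical, the input is an address/prefix pair as printed by "ip -4 addr show", and it handles any prefix length, not only the /24 case above.

```sh
#!/bin/sh
# Added example, not from the blockcontrol project: turn one interface
# address into the entries to whitelist for its LAN.

# ip_to_int A.B.C.D -> 32-bit integer; returns 1 on malformed input
ip_to_int() {
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|0?*) return 1 ;; esac   # empty or leading zero
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# lan_cidr ADDR/PREFIX -> NETWORK/PREFIX, the form WHITE_IP_IN and WHITE_IP_OUT take
lan_cidr() {
    addr=${1%/*}; prefix=${1#*/}
    case $prefix in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    ip=$(ip_to_int "$addr") || return 1
    mask=$(( (0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF ))
    echo "$(int_to_ip $(( $ip & $mask )))/$prefix"
}

# lan_range ADDR/PREFIX -> FIRST-LAST, the start-end range form
lan_range() {
    cidr=$(lan_cidr "$1") || return 1
    net=$(ip_to_int "${cidr%/*}")
    size=$(( 1 << (32 - ${cidr#*/}) ))
    echo "$(int_to_ip "$net")-$(int_to_ip $(( $net + $size - 1 )))"
}

# whitelist_lines ADDR/PREFIX -> the two blockcontrol.conf lines for that LAN
whitelist_lines() {
    cidr=$(lan_cidr "$1") || return 1
    printf 'WHITE_IP_IN="%s"\nWHITE_IP_OUT="%s"\n' "$cidr" "$cidr"
}
```

For the address in the example above, whitelist_lines 192.168.0.39/24 prints the same two WHITE_IP lines shown there.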
For each possibility you can learn how to do it in another question here on the page. But now, which is the best solution for you?
Generally you should first decide on the correct set of blocklists. The default setting is quite paranoid, so you may choose fewer
blocklists.
Now, if you need to allow (whitelist) certain traffic, it depends on the application that has problems: If the application only needs
to connect to one or a few servers, with fixed IPs, then you should whitelist IPs. There are also some allow lists (e.g. for some
games) e.g. on iblocklist.com.
But if you want to connect to many other computers, where you don't know the IPs, or where the IPs may even be changing
frequently, then you should do port whitelisting. By default MoBlock whitelists the outgoing http (80) and https (443) ports, in
order to allow easier web surfing. Keep in mind that malicious hosts may abuse these ports for their own purposes.
MoBlock closed the port for my torrent client. How do I open it again?
Don't do that! Why did you install MoBlock? Probably to check your torrent client's traffic. Right!? So you must not open that
port. Otherwise you could just uninstall MoBlock, the effect would be nearly the same.
MoBlock does not close ports. It checks all traffic for certain IPs. So on the same port some traffic from good IPs is allowed, and
some from bad IPs is blocked. So you could just ignore the "closed port" warning.
What happens on your side is that your torrent client tells a test host to try to connect to you. Now, probably this test host is in the
blocklist, so it gets blocked. This does not necessarily imply that this test host is evil, because MoBlock from moblock-
deb.sourceforge.net has quite a paranoid default blocklist setup.
Solution 1: Only choose those blocklists that you really want to use.
Solution 2: Check the logfile in mobloquer when you do the port check in azureus. Some IP should get blocked then. Just allow
this IP.
tail -f /var/log/moblock.log
You can even get more information about what is being blocked. First you need to set in /etc/blockcontrol/blockcontrol.conf
and do a
Now you can see live the IP, the port, and protocol of blocked packets. Further you can see whether it is an incoming or outgoing
connection. With this information you can do the whitelisting that is described in other questions here.
When you have decided which blocklists you want to use you edit /etc/blockcontrol/blocklists.list
Uncomment the blocklists, that is, remove the hash (#) to enable certain blocklists or comment them out by adding a hash before
the blocklists to disable them.
Do a
WHITE_TCP_OUT="http https"
Do a
blockcontrol restart
when you have changed these settings.
See? By default ports 80 and 443 (also called http and https) are configured for outgoing connections. In effect, you can browse
blocked IPs with Firefox, Konqueror or any other browser. If you have an application that connects to many different IPs, then this
is the place to allow traffic for it. If you want to specify a range of ports, use the format "startport:endport".
Do not add the port of an application that needs privacy here (for most people this will be torrent and other P2P tools)! It's the
point of MoBlock to check their traffic. Keep the list small to get better protection.
tail -f /var/log/moblock.log
If you want to whitelist the IP range "192.168.178.1 - 192.168.178.255" and the IP 123.123.123.123, add this:
192.168.178.1-192.168.178.255
123.123.123.123-123.123.123.123
Do a
2. Whitelist an IP
WHITE_IP_IN=""
WHITE_IP_OUT=""
WHITE_IP_FORWARD=""
Insert e.g. "192.168.178.1" to whitelist a single IP, or e.g. "192.168.178.0/24" to whitelist an IP range (192.168.178.0 -
192.168.178.255) or e.g. "192.168.0.0/16" to whitelist a bigger IP range (192.168.0.0 - 192.168.255.255)
Separate IP addresses with a whitespace. So you might have an entry like this:
WHITE_IP_IN="192.168.0.0/24"
WHITE_IP_OUT="192.168.0.0/24 123.123.123.123 234.234.234.234"
Do a
Alternatively you might use mobloquer for adding IPs to these variables.
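Every whitelisted range or port bypasses the blocklists, so it is worth checking the WHITE_* variables for entries that are broader than intended. The script below is an added example, not part of blockcontrol; the function names, the two thresholds and the sample configuration are assumptions made up for illustration.

```sh
#!/bin/sh
# Added example: flag broad whitelist entries in a blockcontrol.conf-style file.
MIN_PREFIX=16      # assumed threshold: report CIDR entries wider than /16
MAX_PORT_SPAN=10   # assumed threshold: report port ranges larger than this

# Constructed sample configuration, not taken from a real system.
sample_conf() {
    cat <<'EOF'
WHITE_TCP_OUT="http https 50000:51000"
WHITE_TCP_IN="22"
WHITE_IP_IN="192.168.0.0/24"
WHITE_IP_OUT="192.168.0.0/24 10.0.0.0/8 123.123.123.123"
EOF
}

# conf_value FILE VAR -> value of the last VAR="..." line (parsed, never sourced)
conf_value() {
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# audit_whitelist FILE -> one finding per line; returns 1 if anything was found
audit_whitelist() {
    found=0
    for var in WHITE_IP_IN WHITE_IP_OUT WHITE_IP_FORWARD; do
        for entry in $(conf_value "$1" "$var"); do
            case $entry in
                */|*/*[!0-9]*|*/0?*) prefix=0 ;;  # malformed prefix: report it
                */*) prefix=${entry#*/} ;;
                *)   prefix=32 ;;                 # single address
            esac
            [ "$prefix" -ge "$MIN_PREFIX" ] && continue
            echo "$var: $entry is wider than /$MIN_PREFIX"
            found=1
        done
    done
    for var in WHITE_TCP_IN WHITE_TCP_OUT; do
        for entry in $(conf_value "$1" "$var"); do
            case $entry in
                *[!0-9:]*|*:*:*|:*|*:|0*|*:0*) continue ;;  # service name or malformed
                *:*) span=$(( ${entry#*:} - ${entry%:*} + 1 )) ;;
                *)   span=1 ;;
            esac
            [ "$span" -le "$MAX_PORT_SPAN" ] && continue
            echo "$var: $entry opens $span ports"
            found=1
        done
    done
    return "$found"
}
```

Run it as audit_whitelist /etc/blockcontrol/blockcontrol.conf after each change; on the constructed sample it reports the 10.0.0.0/8 entry and the 50000:51000 port range.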
IP_REMOVE=""
Separate phrases with a semicolon. So you might have an entry like this:
IP_REMOVE="google;yahoo;altavista"
Do a
How can I allow (whitelist) traffic for a combination of IPs, ports, or applications?
This is advanced stuff, and you won't find a complete answer here, sorry!
You can specify your own iptables rules in /etc/blockcontrol/iptables-custom-insert.sh. So you can whitelist any combination of
ports, IPs, and (if your kernel supports it) traffic that originates from certain users or applications. Please note that most kernels do
not support whitelisting traffic per application. This is a concept from the MS Windows world, and not very widespread in the
Linux world.
Some services (avahi, webmin, ftpd, sshd, ...) on my MoBlock machine aren't available to other
machines any more!
Allow all traffic to the port that the service is listening on for INCOMING connections
WHITE_TCP_IN="22"
If you only want to connect from certain hosts with specific IPs, you can allow all traffic from them by using the WHITE_IP_IN
variable or /etc/blockcontrol/allow.p2p.
Add to /etc/blockcontrol/iptables-custom-insert.sh:
And to /etc/blockcontrol/iptables-custom-remove.sh:
Replace [DEVICENAME] with the device name, e.g. eth0. Please have a look at man iptables to understand that stuff.
REJECT="1"
REJECT_OUT="REJECT"
You also might reduce the number of used blocklists, and allow traffic to certain IPs or ports. Have a look at the previous
questions to learn how.
INIT="0"
Now it will start automatically every time you boot up and make a daily update of the blocklists - unless you configure
blockcontrol otherwise.
I tried to install MoBlock but I'm stuck on a screen with a Moblock warning
This is a so-called "debconf" question. Read the text and confirm by pressing "OK". If your debconf interface doesn't support
your mouse, then you have to use your keyboard: hit the "TAB" key until "OK" is highlighted and then press "RETURN".
You may also do a "sudo dpkg-reconfigure debconf" and select "Gnome" as your interface. Then you can use your mouse for
debconf questions.
Netfilter support as kernel modules (recommended): Enable netfilter support in xconfig, or in the kernel source config file as
modules.
Netfilter support built-in directly in the kernel: Enable netfilter support in xconfig, or in the kernel source config file.
blockcontrol will then make sure that the netfilter support is available to MoBlock.
The number in the following setting enables (1) or disables (0) automatic updating.
CRON="1"
CRON="0"
Credits
Special thanks to pelle.k for the Ubuntu Forums thread this is derived from, the MoBlock Debian Packages maintainer jre, and
the contributors to MoBlock.
Further Reading
MoBlock thread where people have asked questions
MoBlock Homepage
MoBlock Debian Packages
Phoenix Labs (PeerGuardian)
Instructions for FireHOL users (scroll down)