Login to Edit

Ubuntu Documentation > Community Documentation > MoBlock

MoBlock
MoBlock is an application that enables you to block internet traffic based Contents
on large lists of IP address ranges in order to protect your privacy. It uses a
file in PeerGuardian format (guarding.p2p) or an ipfilter.dat. 1. Add Repository
1. Add the gpg key to the apt keyring
The new PeerGuardian Linux is based on the MoBlock fork NFBlock and 2. Add specific repository for release
2. Package Installation
blockcontrol. If you don't need a GUI you should use it (it's by the same
1. Compile a package
authors). Follow all instructions on this page, but install the packages 2. Install a package
"pgld" and "pglcmd" instead. The usage is nearly identical, just type 3. Configuration and Usage
"pglcmd" instead of "blockcontrol". The configuration files are in /etc/pgl/. 1. Start MoBlock
2. Stop MoBlock
You may also try iplist by uljanow. 3. Restart MoBlock
4. Rebuild Blocklist
Note: Since version 0.9 RC1 MoBlock no longer conflicts with other 5. Update Blocklists
firewalls. But you have to make sure that MoBlock is started after them and 6. MoBlock Status
7. Test MoBlock
the iptables rules don't get changed later. Also consider that routers can 8. Search in the blocklists
make software firewalls on your computer redundant. 4. Frequently Asked Questions (FAQ)
1. I cannot connect to the internet any
Add Repository more!
2. Some applications cannot connect to the
internet any more!
Add the gpg key to the apt keyring 3. MoBlock closed the port for my torrent
client. How do I open it again?
4. How do I find out which IP or port was
Type the following in terminal:
blocked?
5. How do I choose what blocklists to use?
gpg --keyserver keyserver.ubuntu.com --recv 9C0042C8 6. How can I allow (whitelist) traffic on
gpg --export --armor 9C0042C8 | sudo apt-key add - certain ports?
7. How can I allow (whitelist) traffic to
Add specific repository for release certain IPs?
8. How can I allow (whitelist) traffic for a
combination of IPs, ports, or
You have to add the repository sources to your /etc/apt/sources.list: applications?
9. Some services (avahi, webmin, ftpd,
gksu gedit /etc/apt/sources.list sshd, ...) on my MoBlock machine
aren't available to other machines any
In Kubuntu, replace gksu with kdesu. more!
10. Is it possible to specify a network
interface where moblock operates on
Add the two lines for your specific release (i.e. Ubuntu 9.04):
11. My internet is slow since I installed
MoBlock!
Ubuntu 10.10 ("Maverick Meerkat") 32-bit and 64-bit 12. How do I keep it installed, without
having it run at startup?
deb http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu 13. What happens when I install MoBlock
maverick main the first time?
deb-src http://ppa.launchpad.net/jre- 14. I tried to install MoBlock but I'm stuck
phoenix/ppa/ubuntu maverick main on a screen with a Moblock warning
15. I have a custom compiled kernel.
Moblock does not work.
Ubuntu 10.04 ("Lucid Lynx") 32-bit and 64-bit 16. How do I change automatic updating?
17. MoBlock fails to start or stop
deb http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu 5. Credits
lucid main 6. Further Reading
deb-src http://ppa.launchpad.net/jre-
phoenix/ppa/ubuntu lucid main

Ubuntu 9.10 ("Karmic Koala") 32-bit, 64-bit and lpia

deb http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu karmic main

deb-src http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu karmic main

Ubuntu 8.04 ("Hardy Heron") 32-bit and 64-bit

deb http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu hardy main

deb-src http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu hardy main
Special note for all Ubuntu distributions

Make sure that the "universe" section is activated in your sources.list. You need something like this (replace YOURDIST with
e.g. your distribution codename like hardy or karmic)

deb http://archive.ubuntu.com YOURDIST main universe

Package Installation
If you want a graphical interface install the packages "moblock", "blockcontrol" and "mobloquer". If you don't need a GUI you
should use the new PeerGuardian Linux instead (it's by the same authors). Follow all instructions on this page, but install the
packages "pgld" and "pglcmd" instead.

Via Synaptic Package Manager

Via aptitude

sudo aptitude update

sudo aptitude install moblock blockcontrol mobloquer

Compile a package
If you want to make your own MoBlock binary package from source and install it, you can use the following instructions. Most
users will not need to compile a package, but this can be used for unsupported architectures or for an older release (you may also
have to compile netfilter lib packages).

First, make sure you have added a source repository for your release. Then, run the following in terminal.

mkdir ~/moblock-deb-packages
cd ~/moblock-deb-packages

sudo aptitude update

sudo aptitude install fakeroot
sudo apt-get build-dep -y moblock blockcontrol mobloquer

apt-get source moblock blockcontrol mobloquer

cd ~/moblock-deb-packages/moblock-0.9~rc2
dpkg-buildpackage -uc -us -tc -rfakeroot
sudo dpkg -i ~/moblock-deb-packages/moblock_0.9~rc2-*.deb

cd ~/moblock-deb-packages/blockcontrol-1.3
dpkg-buildpackage -uc -us -tc -rfakeroot
sudo dpkg -i ~/moblock-deb-packages/blockcontrol_*_all.deb

cd ~/moblock-deb-packages/mobloquer-0.6
dpkg-buildpackage -uc -us -tc -rfakeroot
sudo dpkg -i ~/moblock-deb-packages/mobloquer_*.deb

sudo apt-get install -f

Some of these commands can be combined into one, but this lets you make changes like adding a patch if necessary and explains
the process better.

Explanation: in your home directory the directory moblock-deb-packages is created. Then the current working directory is
changed to it. The development dependencies of the packages moblock, blockcontrol and mobloquer are then installed. Then the
three source packages are downloaded. For the three packages one after the other the current working directory is changed to the
source directory, the source and binary packages are built and the package is installed. As a last step eventually missing
dependencies are installed.

Install a package
Use the instructions at the InstallingSoftware page under Installing downloaded packages

Configuration and Usage

blockcontrol features include:

start and stop MoBlock (including handling of the iptables rules if desired)
 update the specified blocklists from online sources
use local blocklists
modify the blocklist and whitelist IPs and ports

The logfiles are rotated daily.

In the default configuration MoBlock starts at system boot and some preconfigured blocklists are updated once a day. You can
specify the blocklists to use in /etc/blockcontrol/blocklists.list. Everything else (automatic start and update, iptables handling, IP
and port whitelisting) is configured in /etc/blockcontrol/blockcontrol.conf. This is important especially if MoBlock blocks sites that
it should not block. A list of all available configuration options is in /usr/lib/blockcontrol/blockcontrol.defaults (Don't edit the latter
file, but put your changes in /etc/blockcontrol/blockcontrol.conf.)

Start MoBlock

sudo blockcontrol start

Stop MoBlock

sudo blockcontrol stop

Restart MoBlock

sudo blockcontrol restart

Rebuild Blocklist

sudo blockcontrol reload

Moblock is then reloaded.

Update Blocklists

sudo blockcontrol update

Moblock is then reloaded.

MoBlock Status

sudo blockcontrol status

It receives the iptables settings and the status of the MoBlock daemon.

Test MoBlock

sudo blockcontrol test

The test has been known to have problems in older versions of MoBlock. Look at the log to check if you are unsure. This can be
done interactively (this command will show you the log in real-time).

tail -f /var/log/moblock.log

Search in the blocklists

sudo blockcontrol search PATTERN

Search for a pattern in your blocklists. This helps you to find out, which blocklist is responsible for a certain block.

Note: If you don't need a GUI you should use the new PeerGuardian Linux (it's by the same authors). The usage is nearly
identical, just type "pglcmd" instead of "blockcontrol". The configuration files are in /etc/pgl/.

Frequently Asked Questions (FAQ)

I cannot connect to the internet any more!
MoBlock may block your complete LAN, including your router, gateway and/or DNS server. Normally this traffic is whitelisted
automatically as long as you keep the default setting WHITE_LOCAL="1". But if you have problems follow these instructions:

You have to whitelist your LAN. If you don't know your local IP check it with "sudo ifconfig". It's the value after "inet addr:" of
the interface that you use for networking. For wired connections this might be "eth0", for wireless connections "wlan0".

Example: You found out that your IP is 192.168.0.39. Then your LAN will most probably cover the IP range 192.168.0.1-
192.168.0.255. Then you need to whitelist this range for incoming and outgoing connections.

Edit /etc/blockcontrol/blockcontrol.conf (in Kubuntu, replace gksu with kdesu)

gksu gedit /etc/blockcontrol/blockcontrol.conf

and add these lines:

WHITE_IP_IN="192.168.0.0/24"
WHITE_IP_OUT="192.168.0.0/24"

Do a

blockcontrol restart

when you have changed these settings.

Some applications cannot connect to the internet any more!

There are several possibilities to solve your problems:

1. Use less or other blocklists

2. Whitelist IPs
3. Whitelist ports
4. Advanced whitelisting

For each possibility you can learn how to do it in another question here on the page. But now, which is the best solution for you?

Generally you should first decide on the correct set of blocklists. The default setting is quite paranoid, so you may choose less
blocklists.

Now, if you need to allow (whitelist) certain traffic, it depends on the application that has problems: If the application only needs
to connect to one or a few servers, with fixed IPs, then you should whitelist IPs. There are also some allow lists (e.g. for some
games) e.g. on iblocklist.com.

But if you want to connect to many other computers, where you don't know the IP, or where the IPs may be even changing
frequently, then you should do port whitelisting. Per default moblock whitelists the outgoing http (80) and https (443) ports, in
order to allow an easier websurfing. Keep in mind that malicious hosts may abuse these ports for their own purposes.

MoBlock closed the port for my torrent client. How do I open it again?
Don't do that! Why did you install MoBlock? Probably to check your torrent client's traffic. Right!? So you must not open that
port. Otherwise you could just uninstall Moblock, the effect would be nearly the same.

MoBlock does not close ports. It checks all traffic for certain IPs. So on the same port some traffic from good IPs is allowed, and
some from bad IPs is blocked. So you could just ignore the "closed port" warning.

What happens on your side is, that your torrent client tells an testhost to try to connect to you. Now, probably this testhost is in the
blocklist, so it gets blocked. This does not necessarily imply that this testhost is evil, because MoBlock from moblock-
deb.sourceforge.net has quite a paranoid default blocklist setup.

Solution 1:Only choose those blocklists that you really want to use.

Solution 2: Check the logfile in mobloquer when you do the port check in azureus. Some IP should get blocked then. Just allow
this IP.

How do I find out which IP or port was blocked?

To learn, what gets blocked I recommend that you use mobloquer. There you see live every blocked IP and you can whitelist it
directly.

Or you follow the logfile live

tail -f /var/log/moblock.log

There you can see which IP gets blocked.

You can even get more information about what is being blocked. First you need to set in /etc/blockcontrol/blockcontrol.conf

LOG_IPTABLES="LOG --log-level info"

and do a

sudo blockcontrol restart

Then you can issue

sudo tail -f /var/log/syslog

Now you can see live the IP, the port, and protocol of blocked packets. Further you can see whether it is an incoming or outgoing
connection. With this information you can do the whitelisting that is described in other questions here.

How do I choose what blocklists to use?

To find out which blocklist is responsible for a blocked packet, have a look at the DESCRIPTION of the blocked packet in
/var/log/moblock.log and then issue

blockcontrol search DESCRIPTION

This will give you the name of the blocklist.

You can learn more about available blocklists in /usr/share/doc/blockcontrol/README.blocklists.gz or on http://iblocklist.com/.

When you have decided which blocklists you want to use you edit /etc/blockcontrol/blocklists.list

gksu gedit /etc/blockcontrol/blocklists.list

In Kubuntu, replace gksu with kdesu.

Uncomment the blocklists, that is, remove the hash (#) to enable certain blocklists or comment them out by adding a hash before
the blocklists to disable them.

Do a

sudo blockcontrol reload

when you have changed these settings.

How can I allow (whitelist) traffic on certain ports?

If the IP address that your application is trying to reach is in the blocklist, it will be blocked. But you can allow traffic for specific
ports. The ports 80 (http) and 443 (https) are whitelisted by default. To allow traffic also on other ports edit
/etc/blockcontrol/blockcontrol.conf (in Kubuntu, replace gksu with kdesu)

gksu gedit /etc/blockcontrol/blockcontrol.conf

and add/edit this line:

WHITE_TCP_OUT="http https"

Do a

blockcontrol restart
when you have changed these settings.

See? By default port 80 and 443 (also called http and https) is configured, for outgoing connections. In effect, you can browse
blocked IPs, with firefox/konqueror or any other browser. If you have an application, that connects to many different IPs, then this
is the place to allow traffic for it. If you want to put a range of ports, use the format "startport:endport".

List of port numbers at wikipedia.

Do not add the privacy needing application's port here (for most people this will be torrent and other P2P tools)! It's the
point of MoBlock to check their traffic. Keep the list small, to get a better protection.

How can I allow (whitelist) traffic to certain IPs?

Find out what you want to whitelist by checking /var/log/moblock.log. This can be done interactively (this command will show
you the log in real-time).

tail -f /var/log/moblock.log

There are 3 different ways:

1. Whitelist an IP range in allow.p2p

This is also the correct place for allow lists!

Edit /etc/blockcontrol/allow.p2p (in Kubuntu, replace gksu with kdesu)

gksu gedit /etc/blockcontrol/allow.p2p

If you want to whitelist the IP range "192.168.178.1 - 192.168.178.255 and the IP 123.123.123.123 add this:

192.168.178.1-192.168.178.255
123.123.123.123-123.123.123.123

Do a

sudo blockcontrol restart

when you have changed these settings.

2. Whitelist an IP

Edit /etc/blockcontrol/blockcontrol.conf (in Kubuntu, replace gksu with kdesu)

gksu gedit /etc/blockcontrol/blockcontrol.conf

To whitelist IPs add the following variables:

WHITE_IP_IN=""
WHITE_IP_OUT=""
WHITE_IP_FORWARD=""

Insert e.g. "192.168.178.1" to whitelist a single IP, or e.g. "192.168.178.0/24" to whitelist an IP range (192.168.178.0 -
192.168.178.255) or e.g. "192.168.0.0/16" to whitelist a bigger IP range (192.168.0.0 - 192.168.255.255)

Separate IP addresses with a whitespace. So you might have an entry like this:

WHITE_IP_IN="192.168.0.0/24"
WHITE_IP_OUT="192.168.0.0/24 123.123.123.123 234.234.234.234"

Do a

sudo blockcontrol restart

when you have changed these settings.

Alternatively you might use mobloquer for adding IPs to these variables.

Use a search phrase

You can also use a search phrase, such as Google, Hotmail, or an actual IP address range (as specified in the blocklists). Add the
following variable to /etc/blockcontrol/blockcontrol.conf:

IP_REMOVE=""

Separate phrases with a semicolon. So you might have an entry like this:

IP_REMOVE="google;yahoo;altavista"

Do a

sudo blockcontrol reload

when you have changed these settings.

How can I allow (whitelist) traffic for a combination of IPs, ports, or applications?
This is advanced stuff, and you won't find a complete answer here, sorry!

You can specify your own iptables rules in /etc/blockcontrol/iptables-custom-insert.sh. So you can whitelist any combination of
ports, IPs, and (if your kernel supports it) traffic that originates from certain users or applications. Please note that most kernels do
not support to whitelist traffic per application. This is a concept from the MS Windows world, and not very widespread in the
Linux world.

The file /usr/share/doc/blockcontrol/examples/iptables-custom-insert.sh yields some examples.

Some services (avahi, webmin, ftpd, sshd, ...) on my MoBlock machine aren't available to other
machines any more!
Allow all traffic to the port that the service is listening on for INCOMING connections

Edit /etc/blockcontrol/blockcontrol.conf (in Kubuntu, replace gksu with kdesu)

gksu gedit /etc/blockcontrol/blockcontrol.conf

E.g. for ssh allow all incoming traffic on port 22

WHITE_TCP_IN="22"

If you only want to connect from certain hosts with specific IPs, you can allow all traffic from them by using the WHITE_IP_IN
variable or /etc/blockcontrol/allow.p2p.

Is it possible to specify a network interface where moblock operates on

You can allow (whitelist) traffic on all other interfaces.

Add to /etc/blockcontrol/iptables-custom-insert.sh:

iptables -I INPUT -i [DEVICENAME] -j RETURN

iptables -I OUTPUT -o [DEVICENAME] -j RETURN
iptables -I FORWARD -i [DEVICENAME] -j RETURN
iptables -I FORWARD -o [DEVICENAME] -j RETURN

And to /etc/blockcontrol/iptables-custom-remove.sh:

iptables -D INPUT -i [DEVICENAME] -j RETURN

iptables -D OUTPUT -o [DEVICENAME] -j RETURN
iptables -D FORWARD -i [DEVICENAME] -j RETURN
iptables -D FORWARD -o [DEVICENAME] -j RETURN

Replace [DEVICENAME] with the device name, e.g. eth0. Please have a look at man iptables to understand that stuff.

My internet is slow since I installed MoBlock!

Indeed MoBlock blocks quite much traffic: That's its purpose, but it can be a pain, too. In default installations outgoing traffic is
REJECTED, if it is blocked by MoBlock. This makes sure that the sending application is notified immediately that its traffic was
blocked (in contrast to DROPped packets, where no notification is sent, so that the application waits quite long and then gives up).
So verify via

sudo blockcontrol show_config

if you have these settings:

REJECT="1"
REJECT_OUT="REJECT"

You also might reduce the number of used blocklists, and allow traffic to certain IPs or ports. Have a look at the previous
questions to learn how.

How do I keep it installed, without having it run at startup?

Edit /etc/blockcontrol/blockcontrol.conf:

gksu gedit /etc/blockcontrol/blockcontrol.conf

In Kubuntu, replace gksu with kdesu.

Set the following:

INIT="0"

What happens when I install MoBlock the first time?

First you will be prompted to configure MoBlock via some so called "debconf" questions. Then it will download some blocklists
for you during installation (be patient, this may take a while), and start it as a daemon.

Now it will start automatically everytime you boot up and make a daily update of the blocklists - unless you configure
blockcontrol otherwise.

I tried to install MoBlock but I'm stuck on a screen with a Moblock warning
This is a so called "debconf" question. Read the text and confirm by pressing "OK". If your debconf interface doesn't support
your mouse, then you have to use your keyboard: hit the "TAB" key until "OK" is highlighted and then press "RETURN".

You may also do a "sudo dpkg-reconfigure debconf" and select "Gnome" as your interface. Then you can use your mouse for
debconf questions.

I have a custom compiled kernel. Moblock does not work.

MoBlock depends on netfilter support in the kernel. There are two possibilities:

Netfilter support as kernel modules (recommended): Enable netfilter support in xconfig, or in the kernel source config file as
modules.

Netfilter support built-in directly in the kernel: Enable netfilter support in xconfig, or in the kernel source config file.

blockcontrol will then make sure that the netfilter support is available to MoBlock.

How do I change automatic updating?

MoBlock automatically updates its blocklists everyday. To configure automatic updating, edit //etc/blockcontrol/blockcontrol.conf:

gksu gedit /etc/blockcontrol/blockcontrol.conf

The number in the following setting enables (1) or disables (2) automatic updating.

CRON="1"

To disable automatic updating, set the following.

CRON="0"

MoBlock fails to start or stop

Have a look at /var/log/blockcontrol.log and /var/log/moblock.log. In most cases an incorrect configuration option is the reason. If
you don't understand the logfiles post them in the forum (please do this in CODE tags). If you think you messed thinks up you can
make a clean reinstall:

aptitude purge moblock blockcontrol mobloquer

aptitude install moblock blockcontrol mobloquer

Credits
Special thanks to pelle.k for the Ubuntu Forums thread this is derived from, the MoBlock Debian Packages maintainer jre, and
the contributors to MoBlock.

Further Reading
MoBlock thread where people have asked questions
MoBlock Homepage
MoBlock Debian Packages
Phoenix Labs (PeerGuardian)
Instructions for FireHOL users (scroll down)

CategoryInternet CategoryNetworking

MoBlock (last edited 2010-10-15 16:52:56 by jre-phoenix)

Page History