linblock.pl is a Perl script that automatically downloads a list of IP address ranges that are to be blocked and installs them into the Linux kernel using the iptables interface. The script is intended to give Linux users the easy and automatic blocking that Windows users enjoy with programs such as PeerGuardian or Protowall. The intended audience for this script is BitTorrent tracker administrators who wish to use the 'antip2p' blocklist to deny access to undesired parties. However, it can also be used by any Linux user who wishes to have such blocking enabled on their machine.
Because it uses the iptables API directly, the script will not work with the older ipchains packet filtering code that was in older Linux kernels (2.2.x). Any kernel from the 2.4.x or 2.6.x series should be sufficient, as long as it has been configured to have the netfilter / iptables code enabled or loadable as modules. Almost all distributions will have this enabled.
You must have root access to modify the kernel's packet filtering configuration. Non-root users can only list the rules.
Iptables is specific to the Linux kernel. Other *nix-like systems (such as FreeBSD, NetBSD, OpenBSD, Solaris, Mac OS X, ...) all have their own packet filtering code, and will not work with linblock. Hopefully it goes without saying that there is absolutely no chance of getting this script to work under Windows.
linblock is a Perl script, and thus requires a working Perl installation. Any fairly recent version should work, such as 5.6.x or 5.8.x. The script does use some Perl modules that are not included with the standard distribution of Perl and must be installed from CPAN (the Comprehensive Perl Archive Network). The documentation contains more information.
The linblock.pl script is self-documenting via embedded POD. To read the documentation, type the following in the same directory as the script file:
perldoc -F linblock.pl
Once you have all the required modules installed you may also use the following to view a summary of the command line options:
./linblock.pl --help
The HTML version of this documentation is available HERE. This page was generated with the pod2html command.
The latest version of the script can be downloaded HERE.
linblock is released under the GNU GPL. Read the GPL FAQ for information on what this means.
If you have multiple interfaces and wish to limit the blocking to traffic on a single one, you can use the following command after running the script:
iptables -R INPUT 1 -i eth0 -j antip2p
If you've used a different chain name, substitute that for antip2p above. Note that to the kernel, aliases are not distinct interfaces. If you wish to limit blocking to a single IP address (for example, if the machine has more than one) then use the following command after running the script:
iptables -R INPUT 1 -d 10.1.1.2 -j antip2p
For more info on supplying interface and IP address options, see the iptables(8) manpage.
By default, filtering occurs against every packet sent and received. This is the "cautious default" because some people are not using iptables in a "stateful" mode. However, most people do load the ip_conntrack module which maintains state of all the connections. If this applies in your situation, you can reduce the filtering load significantly by only filtering packets in the NEW and RELATED states. The following command can be used after running the script to do this.
iptables -R INPUT 1 -m state --state NEW,RELATED -j antip2p
This is especially beneficial for machines that process many connections, such as BitTorrent trackers. Note again that this will only work if you have the ip_conntrack module loaded. If the module is loaded, you will have a file /proc/net/ip_conntrack.
It is possible to run the script multiple times if you have more than one list of addresses to block, however you must specify a unique chain name for each source. For example:
./linblock.pl -u source1 -c chain1
./linblock.pl -u source2 -c chain2
Caution - using this script as above in an automated way may cause duplicate entries in the INPUT chain! This will adversely affect performance, so if you decide to do this be sure to check manually and make sure there are no duplicates. Until the script supports this directly it's wise to avoid trying this.
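The duplicate check suggested above can be automated against the output of iptables-save. This is an added example, not part of linblock.pl: it counts INPUT rules by match specification and jump target and reports the blocklist chains that INPUT jumps to more than once. The iptables-save excerpt and the chain names chain1/chain2 are constructed for the example.

```python
import re
from collections import Counter

# Constructed iptables-save excerpt (not from a real host): the jump rule for
# chain1 was inserted twice, as can happen when the script is re-run in automation.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:chain1 - [0:0]
:chain2 - [0:0]
-A INPUT -j chain1
-A INPUT -j chain1
-A INPUT -j chain2
-A INPUT -i lo -j ACCEPT
-A chain1 -s 198.51.100.0/24 -j DROP
-A chain2 -s 203.0.113.0/24 -j DROP
COMMIT
"""

# An INPUT rule in iptables-save form: "-A INPUT <match options> -j <target>".
JUMP_RE = re.compile(r"^-A INPUT\b(?P<match>.*?)-j (?P<target>\S+)$")

def input_jump_counts(save_text):
    """Count INPUT rules per (match specification, jump target)."""
    counts = Counter()
    for line in save_text.splitlines():
        m = JUMP_RE.match(line.strip())
        if m:
            counts[(m["match"].strip(), m["target"])] += 1
    return counts

def duplicate_jumps(save_text, chains):
    """Return the blocklist chains (from `chains`) that INPUT jumps to more than once."""
    counts = input_jump_counts(save_text)
    return sorted({t for (_, t), n in counts.items() if n > 1 and t in chains})
```

Feed it `iptables-save` output and the chain names you passed with -c; each extra jump reported can be removed with one `iptables -D INPUT -j <chain>` until a single rule remains.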
Note: All of the above described features are scheduled to be incorporated into the main linblock.pl script in future versions, so as not to require use of extra iptables commands.
The script expects its input in the so-called "PeerGuardian" format. This consists of text lines of the format "description:nnn.nnn.nnn.nnn-mmm.mmm.mmm.mmm" where description is a textual name describing the block (not to include the ':' character) and the n's and m's are dotted quads representing the lower and upper values of the range, inclusive. If the range represents a single IP address (i.e. a /32) then the same address is repeated on both sides of the '-'.
When run, the script first attempts to flush existing rules created by a previous invocation. It does this by first removing all rules from the chain antip2p and then removing the first rule from the INPUT chain, if that rule includes a 'jump' target of antip2p. If a different chain name was specified with -c then that chain is used in place of antip2p everywhere. The script then recreates the rules in the antip2p chain, in sorted order from largest block to smallest block, e.g. /8, /9, /10, ... /31, /32. This is done in the hopes of minimizing the search length of a match. Finally, it re-inserts a rule at the beginning of the INPUT chain which jumps to the newly created antip2p chain. Thus the above commands under Miscellaneous Tips work by simply augmenting this jump rule. Any filtering conditions may be added to this rule and will apply to all of the filtering, since it is first checked before jumping to the antip2p chain.
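The input format and the rebuild sequence described in the two paragraphs above, as an added example that is not linblock.pl's own code: it parses PeerGuardian-format lines, splits each inclusive range into the minimal set of CIDR blocks, rejects malformed lines, and produces the iptables command sequence (flush chain, remove old jump, add rules largest block first, re-insert the jump). The sample list is constructed; the DROP target and the -s (source) match are assumptions, since the page does not state which the script uses.

```python
import ipaddress
import re

# Constructed sample in PeerGuardian format (not a real blocklist): the
# description may not contain ':', and each range is inclusive.
SAMPLE_LIST = """\
Example single host:192.0.2.10-192.0.2.10
Example /24 block:198.51.100.0-198.51.100.255
Example odd range:203.0.113.4-203.0.113.9
malformed line without colon
Bad quad:300.1.1.1-300.1.1.2
"""

QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(rf"^(?P<desc>[^:]+):(?P<lo>{QUAD})-(?P<hi>{QUAD})$")

def parse_peerguardian(text):
    """Return (blocks, rejected): blocks is a list of (description, IPv4Network)
    with every inclusive range split into the minimal set of CIDR blocks."""
    blocks, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)          # wrong shape
            continue
        try:
            lo, hi = ipaddress.IPv4Address(m["lo"]), ipaddress.IPv4Address(m["hi"])
            nets = list(ipaddress.summarize_address_range(lo, hi))
        except ValueError:                 # octet out of range, or reversed range
            rejected.append(line)
            continue
        blocks.extend((m["desc"], net) for net in nets)
    return blocks, rejected

def iptables_commands(blocks, chain="antip2p"):
    """Mirror the page's sequence: (re)create and flush the chain, drop the old
    INPUT jump rule, add one rule per block from largest to smallest, re-insert
    the jump at INPUT position 1. DROP and -s are assumptions (see lead-in)."""
    cmds = [f"iptables -N {chain}",           # errors harmlessly if it already exists
            f"iptables -F {chain}",
            f"iptables -D INPUT -j {chain}"]  # deletes the first matching jump rule
    for _desc, net in sorted(blocks, key=lambda b: b[1].prefixlen):
        cmds.append(f"iptables -A {chain} -s {net} -j DROP")
    cmds.append(f"iptables -I INPUT 1 -j {chain}")
    return cmds
```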
Documentation for Perl can be found at Perldoc.com. Of particular interest for installing Perl modules is perlmodinstall (how to manually install a module), cpan (using the cpan command to automatically install modules), and CPAN.pm (more extensive documentation on how to use CPAN.) For information on the modules themselves, including documentation and download links, start at search.cpan.org.
Documentation for the Linux iptables/netfilter interface is available from netfilter.org. Among the documentation there you will find the netfilter FAQ as well as the Packet Filtering HOWTO. You may also want to read the IP Masquerade HOWTO for more general information on using iptables in a typical "firewall+NAT" configuration. Finally, the iptables(8) manpage might be useful to you.
Do not put undue faith in blocklists! Use of this script will not cause you to become invincible to prosecution. It may reduce the probability, but even that has yet to be shown to be the case. Ultimately you must be responsible for your actions on the internet and be prepared to deal with any repercussions. Testimonials of users who got caught doing something illicit despite using a blocklist are common amongst forums and discussion lists.
No blocklist will ever be perfect -- expect a number of false positives and false negatives. There is no reason to believe that a blocklist would or could ever list every party determined to monitor or report illegal behavior. Such a determined organization could use a number of methods to evade a blocklist: they could rent a server from (or colocate one with) an inconspicuous ISP; they could use an ordinary consumer-grade broadband connection for their monitoring; they could even use a dialup pool. The point is that just because you've blocked the IP range allocated to some organization doesn't mean that organization has no other way of connecting to the net. Do not attribute to the "blocklist fairies" inhuman abilities! Most blocklist entries are based on IP address registries or WHOIS data. Neither of these sources of data provides any guarantee of accuracy or coverage.
I provide no warranty whatsoever for your use of this script, nor should you expect one. You are ultimately responsible for all your actions.