• NAME
• SYNOPSIS
• DESCRIPTION
• OPTIONS
• INSTALLATION
• AUTOMATIC UPDATES
• AUTHOR
• LICENSE

NAME

linblock.pl - Automatically download antip2p blacklist and install into Linux's IPTables interface

SYNOPSIS

./linblock.pl [ -c chain ] [ -u url | -i file ] [ -p prefix ] [ -l ] [ -r ] [ -f ] [ -q ] [ --help ] [ --version ]

DESCRIPTION

linblock.pl downloads a list of IP address ranges in the ``PeerGuardian'' format, and installs them into the Linux kernel using the IPTables interface. This effectively blocks access to the machine from any address listed in the blacklist file. When run it first clears the chain created by previous execution of the command, so it is suitable to be scheduled for automatic updates by 'cron' or similar.

OPTIONS

All command line options are optional.

-u url

Specifies the URL from which to retrieve the blacklist data. The default is http://www.bluetack.co.uk/config/antip2p.txt. The URL should point to a text file that contains IP ranges in the ``PeerGuardian'' format.

-i file

As an alternative to -u, you can specify a local file with this option from which to read the blacklist data. -u and -i are mutually exclusive.

-l

Enable logging of packets rejected by the antip2p blacklist. If not specified, there will be no entry in the system logs for dropped/rejected packets.

-f

Flush the antip2p chains and exit. This will remove all blacklist rules managed by this script, while leaving the rest of the configured IPTables rules intact. After running linblock.pl -f the IPTables configuration will return to the state it was in before any invocation of the script. Note: If you specify a non-default chain name when installing the rules you must specify it when flushing them as well.

-q

Be quiet. The script will not produce any output except warnings and fatal errors.

-r

Reject rather than Drop packets. The default action is to silently drop packets meeting the blacklist rules, which causes the remote connection to see no sign of a host -- the connection attempt will eventually time out. However, if Reject is chosen, an ICMP ``Host unreachable'' message will be immediately sent and the remote connection will immediately receive a ``connection refused'' message instead.

-p prefix

If logging is enabled (see -l) then this specifies the prefix to use in the logs. The default is 'antip2p'. Logging is handled by the kernel, so you will see reject/drop log entries in your /var/log/syslog or /var/log/messages file.

-c chain

Specifies the name of the chain to install. The default is antip2p. The chain's name has no effect on its functionality, other than the fact that it must be unique.

--help

Print command line options summary. For more detailed help, type perldoc -F linblock.pl.

--version

Prints the version information.

INSTALLATION

Note: You must be root for all of the module installation procedures in this section.

After downloading the script, make sure it has the ``x'' bits set: 'chmod 755 linblock.pl' or equivalent.

This script requires the Perl modules Net::IP, IPTables::IPv4, and LWP::Simple. You must install them from CPAN if they are not installed on your system already. To check if a module is installed, use the following command:

perl -MNet::IP -e 1

If the Net::IP module is not installed on your system you will get an error message, otherwise the command will silently complete.

To install a module from CPAN, use the following command:

perl -MCPAN -e 'install Net::IP'

This will launch CPAN and attempt to install the Net::IP module. If this is the first time that you have used CPAN, it will ask you a number of questions. You can simply press return to accept the default for most of them. The only questions that require interaction are selecting your continent and selecting a mirror site to download from. Repeat the above command for the rest of the modules you lack. Note: To install LWP::Simple use 'install LWP'.

If you have the 'cpan' command installed on your system you can try the following to install all the modules at once:

cpan -i LWP Net::IP IPTables::IPv4

If you have problems with CPAN not being able to retrieve things, and your firewall uses NAT or IP masquerading, then try setting the FTP_PASSIVE environment variable before running CPAN:

FTP_PASSIVE=1; export FTP_PASSIVE

If you find that this causes CPAN to work then you should either add that statement to your startup scripts, or select only http mirrors to avoid the issue. You can re-do the initial mirror selection process by running 'o conf init' from the CPAN shell, which you can run by supplying '-e shell' on the command line in place of '-e install ...'.

If some tests fail then CPAN will not install the module by default. Usually you can force the install and get a working module. To instruct CPAN to ignore failing tests, use 'force install ...' instead of 'install ...' in the command line. For more information about how to use CPAN, try 'perldoc CPAN.pm'.

Finally, if you cannot make CPAN work at all, you can install the modules by hand, as follows:

Download the module package from CPAN. You can obtain its URL by loading search.cpan.org in your browser and searching on the module name. Click on the distribution name (e.g. Net-IP-1.20) and there will be a ``download'' link for the .tar.gz package. Then execute the following sequence of commands. You would substitute the URL and name of the package you are installing, and if you downloaded the .tar.gz file with your browser you can skip the wget step.
wget http://search.cpan.org/CPAN/authors/id/M/MA/MANU/Net-IP-1.20.tar.gz
tar zxvf Net-IP-1.20.tar.gz
cd Net-IP-1.20/
perl Makefile.PL
make install

Repeat this procedure for the rest of the required modules.

AUTOMATIC UPDATES

linblock.pl was designed to run automatically for frequent updates. The easiest way to accomplish this is with the 'cron' utility found on most Linux systems. The script requires root privileges to modify the IPTables rules, thus it should be run from root's crontab. Log in as root (or type 'su' and supply the root password) and then type 'crontab -e'. This will bring up the crontab file in an editor. If you have not previously installed anything in this crontab, it will probably be blank.

To run the update once a day at midnight, add a line similar to the following:

0 0 * * * /usr/local/sbin/linblock.pl -q

The first five words on the line control when the job is run. In this case it means that it should be run on the 0th minute of the 0th hour of every day of every month -- i.e. daily at midnight. The command then follows on the rest of the line. You should replace the path in the example with the path where you've placed the script on your local machine, and supply the command-line parameters that you have chosen. -q is suggested, which will suppress the normal program output, instead only warnings and errors will be printed. 'cron' expects that all is successfull if there is no output, and will send you an email if there was any output.

Save the file and exit the editor, and you should see crontab report that it has installed the crontab file.

AUTHOR

Brian Dessent <brian AT dessent DOT net>

See also: http://dessent.net/linblock/

LICENSE

Copyright (C) 2004 Brian Dessent <brian AT dessent DOT net>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.