HOWTO_linblock
Warning
As of 11/10/2007 the perl package IPTables::IPv4 would not install on 64-bit machines. I have created an alternative script that does about the same thing but doesn't require perl; see Bash Alternative below.
Stuff you need before starting
- Setup IPTables (if you haven't already)
- Sufficient memory for iptables to hold the block list (you really don't want your router paging memory to disk; it tends to S_L_O_W packet routing :-)
- emerge -vu perl
- Download linblock.pl here (GNU GPL)
  * I saved the file here: /sbin/linblock.pl
  * chown root:root /sbin/linblock.pl
  * chmod 0755 /sbin/linblock.pl
- Install the perl module IPTables::IPv4
  * run "CPAN", then type "install IPTables::IPv4"
huff. I stopped this install after I had problems installing the perl module IPTables::IPv4.
CPAN output from "install IPTables::IPv4"
Warning: "install IPTables::IPv4" cleared my ruleset on a remote box (default policy DROP).
Bash Alternative
Requirements
- iptables with iprange match support
- wget
- p7zip
Variables
The beginning of this script sets up some variables:
- Upload ports: the range of ports to upload from (40001 to 40010, to be exact). To change these ports, just change the portstart and portstop variables. If you don't want to share ( =( ) then set portstart and portstop to something obscure and equal to each other, and don't tell your bittorrent client about the ports.
- tmp: where the original 7zip files get downloaded and unzipped. It is deleted after the update completes.
- lib: where the cached block list (the generated iptables-restore file) is kept.
- repo: base site with the lists.
Use
This is intended to be turned on during torrents and turned off at other times. You shouldn't be leaving ports open all the time, and you don't want to run iptables -L -v while you have this many entries in the iptables list. I don't notice any real network slowdown from this, so I don't think you should either, as long as you have 20 MB of spare RAM.
File: peerprotect.sh

#!/bin/bash
# Download the PeerGuardian block lists and convert them to an iptables-restore
# file (update), then load or unload that file as chain p2pfilter (start/stop).
tmp=/tmp/blacklist/          # scratch dir for downloads and unpacked lists
lib=/var/lib/blacklist/      # cached filter file used by "start"
update="update"
portstart=40001              # first incoming torrent port to open
portstop=40010               # last incoming torrent port to open
start="start"
stop="stop"
repo="http://peerguardian.sourceforge.net/lists/"

if [ "$1" = "$update" ]; then
    echo "Getting rule updates"
    rm -fr "$tmp"
    # Fetch the list index, then every *.php list link it references
    wget "$repo" -P"$tmp"
    for i in $(grep '"[0-9a-zA-Z]*\.php"' -o "$tmp/index.html" | grep -o '[a-zA-Z0-9]*\.[a-zA-Z0-9]*')
    do
        echo "$i"
        wget "$repo$i" -P"$tmp"
    done
    # Unpack the 7zip archives next to the downloads
    find "$tmp" -name '*7z' -exec 7z e {} -o"$tmp" \;
    # Build an iptables-restore file: one DROP rule per address range.
    # The lists are DOS-formatted, so a trailing CR after the range is tolerated.
    echo "*filter" > "$tmp/filter"
    echo "-N p2pfilter" >> "$tmp/filter"
    for i in "$tmp"/*txt
    do
        echo "$i"
        grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\(-[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)\?[^0-9]*$' -o "$i" |\
        grep -o '[0-9.-]*' | while read -r range; do
            echo "-A p2pfilter -m iprange --src-range $range -j DROP" >> "$tmp/filter"
        done
    done
    echo "COMMIT" >> "$tmp/filter"
    mkdir -p "$lib"
    mv "$tmp/filter" "$lib"
    rm -fr "$tmp"
    exit
elif [ "$1" = "$start" ]; then
    echo "Adding rules"
    # Remove any previous copy of the chain before loading the cached file
    iptables -F p2pfilter &> /dev/null
    iptables -D INPUT -j p2pfilter &> /dev/null
    iptables -X p2pfilter &> /dev/null
    iptables-restore --noflush < "$lib/filter"
    # Blocked ranges were dropped above; everyone else may reach the torrent ports
    iptables -A p2pfilter -p tcp --dport "$portstart:$portstop" -j ACCEPT
    iptables -A p2pfilter -p udp --dport "$portstart:$portstop" -j ACCEPT
    iptables -A INPUT -j p2pfilter
elif [ "$1" = "$stop" ]; then
    echo "Flushing"
    iptables -F p2pfilter &> /dev/null
    iptables -D INPUT -j p2pfilter &> /dev/null
    iptables -X p2pfilter &> /dev/null
else
    echo "Usage: $0 <command>"
    echo "commands:"
    echo "  update (updates the filter file from the online blocklists)"
    echo "  start  (adds ips to drop list, as well as opens ports $portstart-$portstop)"
    echo "  stop   (opposite of start)"
fi
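The update step above trusts whatever the grep pulls out of the downloaded lists. As an added example (not part of peerprotect.sh or the PeerGuardian project), the script below does the same "label:first-last" to iptables-restore conversion but validates each address first, so a malformed list line is reported and skipped instead of becoming a half-formed rule. The function names and the sample list are my own.

```shell
#!/bin/bash
# Added example, not part of peerprotect.sh: convert PeerGuardian-style
# "label:first-last" lines into an iptables-restore file, validating every
# address so a malformed list line cannot leave a bad range in the ruleset.

# Return 0 if $1 is a dotted quad with every octet in 0..255, else 1.
valid_ipv4() {
    local ip=$1 oct IFS=.
    case $ip in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    set -- $ip                       # split on '.' via IFS
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Read list lines on stdin (CRLF tolerated) and print one DROP rule per
# well-formed range; anything else is reported on stderr and skipped.
blocklist_to_rules() {
    local line range first last cr
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}           # strip DOS line ending
        [ -n "$line" ] || continue
        range=${line##*:}            # text after the last ':' is the range
        first=${range%-*}
        last=${range#*-}
        if [ "$first" = "$range" ] || ! valid_ipv4 "$first" || ! valid_ipv4 "$last"; then
            echo "skipping malformed line: $line" >&2
            continue
        fi
        printf '%s -m iprange --src-range %s-%s -j DROP\n' "-A p2pfilter" "$first" "$last"
    done
}

# Wrap the rules in a *filter/COMMIT block for iptables-restore, removing
# duplicate ranges (all rules are DROP, so their order does not matter).
make_filter_file() {
    printf '*filter\n-N p2pfilter\n'
    blocklist_to_rules | sort -u
    printf 'COMMIT\n'
}

# Constructed sample list (not a real blocklist): one good range, one bad
# octet, one line without a range, and a duplicate of the good range.
sample_list=$(printf 'Example:10.0.0.0-10.0.0.255\r\nBad:10.0.1.0-10.0.1.999\r\nNoRange:192.0.2.1\r\nExample:10.0.0.0-10.0.0.255\r\n')
printf '%s\n' "$sample_list" | make_filter_file
```

Run it with a real list on stdin and redirect stdout to the file that peerprotect.sh loads with iptables-restore --noflush; the skipped lines go to stderr so they can be reviewed separately.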