
Blocking IP-addresses (CLI)

This article describes how to block IP lists with a front-end called IPblock. No knowledge of networking or firewalls is needed. Because of the way IPblock works, it does not change the behaviour of existing firewalls, which makes it compatible with other firewall applications such as shorewall or FireHOL. This howto is intended for beginners and was tested on Ubuntu, Debian, Fedora and OpenSuSE.

Prerequisites and Installation

IPblock is part of the iplist package. iplist requires a 2.6.14 kernel or later with the option CONFIG_NETFILTER_XT_TARGET_NFQUEUE enabled (as a module or built in). The download section contains installation instructions for various distributions.

Configuration

The configuration file is /etc/ipblock.conf. The default configuration file can be found in /usr/share/doc/iplist/examples/.

The options are:

AUTOSTART
    Start IPblock at boot time; used by ipblock.init.

IPTABLES_CHAIN_BLOCK
    iptables chain(s) of the filter table in which IPblock should block traffic. Values can be any combination of INPUT, OUTPUT and FORWARD.

IPTABLES_CHAIN_ALLOW
    iptables chain(s) of the filter table in which IPblock should allow traffic. Values can be any combination of INPUT, OUTPUT and FORWARD.

LESS_MEMORY
    Use less memory by disabling the BLOCK_LIST_* options; as a result only one queue is used for all three chains.

BLOCK_LIST
    Lists of IPs that are blocked in all chains specified in IPTABLES_CHAIN_BLOCK. Lists can optionally be compressed with gzip. Available lists can be found in /etc/ipblock.lists. Filenames can be relative if the files are in IPLIST_LISTDIR.

BLOCK_LIST_INPUT
BLOCK_LIST_OUTPUT
BLOCK_LIST_FORWARD
    Like BLOCK_LIST, but the lists are only valid in the chain named by the suffix. Note that the chain must be defined in IPTABLES_CHAIN_BLOCK for the option to take effect.

ALLOW_LIST
    Accept connections from the specified IP addresses in all chains specified in IPTABLES_CHAIN_ALLOW. Lists must be in p2p format and can optionally be compressed with gzip. List names can be relative if the files are in IPLIST_LISTDIR.

ALLOW_LIST_INPUT
ALLOW_LIST_OUTPUT
ALLOW_LIST_FORWARD
    Like ALLOW_LIST, but the lists are only valid in the chain named by the suffix. Note that the chain must be defined in IPTABLES_CHAIN_ALLOW for the option to take effect.

IGN_TCP_OUTPUT
IGN_UDP_OUTPUT
IGN_TCP_INPUT
IGN_UDP_INPUT
IGN_TCP_FORWARD
IGN_UDP_FORWARD
    Ports that are ignored, per chain and protocol. Values are taken from /etc/services and can be service names (e.g. http), port numbers (e.g. 80) or port ranges (e.g. 20:30).

IGN_PROTO_INPUT
IGN_PROTO_OUTPUT
IGN_PROTO_FORWARD
    Ignore the specified protocols. See /etc/protocols.

IPLIST_LISTDIR
    Directory where lists are stored. Usually this is /var/cache/iplist.

URL_FILE
    File with the URLs of the lists that are needed for updating.

LOG_FILE
    Location of the log file.

LOG_LEVEL
    Specifies which packets are logged. Values are: all | match | none.

LOG_IPTABLES
    Use the LOG target (-j LOG) of iptables for blocked and allowed packets. Log entries are written to syslog and are prefixed with "BLOCKED: " or "ALLOWED: ".

VERBOSE
    Verbose log and iplist output.

UPDATE_STAMP
    Used to keep track of the last update.

UPDATE_INTERVAL
    The values "" and "0" disable updating. This option is used by the GUI and ipblock.cron.

http_proxy
    Proxy to use for updating, e.g. http_proxy="127.0.0.1:8118".

GUI_START_HIDDEN
    Start the GUI minimized if a system tray is supported.

GUI_LAST_LOG_LINES
    Show the last entries of the log file when the GUI starts.

GUI_AUTOSCROLL
    Auto-scroll the log window.

GUI_THEME
    Sets the look and feel; values are: System, Default, Gtk.

GUI_WHITELIST_PERM
GUI_WHITELIST_TEMP
    Whitelists used by the GUI; these must also be listed in ALLOW_LIST.
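Several of the options above only work in combination: a BLOCK_LIST_<chain> or ALLOW_LIST_<chain> needs its chain in IPTABLES_CHAIN_BLOCK or IPTABLES_CHAIN_ALLOW, the GUI whitelists must also be in ALLOW_LIST, and LOG_LEVEL has only three valid values. The script below checks those constraints before IPblock is started. It is an added example, not part of the iplist package, and assumes that ipblock.conf consists of shell variable assignments (as the BLOCK_LIST and http_proxy examples on this page do), that several lists in one option are separated by whitespace, and that an unset LOG_LEVEL means none; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the iplist package): check an ipblock.conf for the
# cross-option constraints described above before starting IPblock.
# Assumptions: the file is plain shell variable assignments, several lists in
# one option are whitespace-separated, an unset LOG_LEVEL means "none".

# word_in "LIST" WORD -> success if WORD is one of the whitespace-separated words
word_in() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# check_ipblock_conf FILE -> one line per problem on stdout; returns the number
# of problems found (0 = consistent). Give an absolute path: "." searches PATH
# for a bare filename in POSIX sh.
check_ipblock_conf() {
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    # Sourcing the file in a subshell keeps its variables out of our environment.
    (
        . "$1"
        problems=0
        # only the three filter-table chains are valid in IPTABLES_CHAIN_*
        for chain in $IPTABLES_CHAIN_BLOCK $IPTABLES_CHAIN_ALLOW; do
            case "$chain" in
                INPUT|OUTPUT|FORWARD) ;;
                *) echo "unknown chain '$chain' in IPTABLES_CHAIN_*"
                   problems=$((problems + 1)) ;;
            esac
        done
        for chain in INPUT OUTPUT FORWARD; do
            # BLOCK_LIST_<chain> only takes effect if <chain> is in IPTABLES_CHAIN_BLOCK
            eval "lists=\${BLOCK_LIST_$chain}"
            if [ -n "$lists" ] && ! word_in "$IPTABLES_CHAIN_BLOCK" "$chain"; then
                echo "BLOCK_LIST_$chain is set but $chain is not in IPTABLES_CHAIN_BLOCK"
                problems=$((problems + 1))
            fi
            # same rule for ALLOW_LIST_<chain> and IPTABLES_CHAIN_ALLOW
            eval "lists=\${ALLOW_LIST_$chain}"
            if [ -n "$lists" ] && ! word_in "$IPTABLES_CHAIN_ALLOW" "$chain"; then
                echo "ALLOW_LIST_$chain is set but $chain is not in IPTABLES_CHAIN_ALLOW"
                problems=$((problems + 1))
            fi
        done
        case "${LOG_LEVEL:-none}" in
            all|match|none) ;;
            *) echo "LOG_LEVEL '$LOG_LEVEL' is not one of all, match, none"
               problems=$((problems + 1)) ;;
        esac
        # GUI whitelists are only effective when they are also in ALLOW_LIST
        for wl in $GUI_WHITELIST_PERM $GUI_WHITELIST_TEMP; do
            if ! word_in "$ALLOW_LIST" "$wl"; then
                echo "GUI whitelist $wl is not in ALLOW_LIST"
                problems=$((problems + 1))
            fi
        done
        # every referenced list must exist; relative names live in IPLIST_LISTDIR
        for f in $BLOCK_LIST $BLOCK_LIST_INPUT $BLOCK_LIST_OUTPUT $BLOCK_LIST_FORWARD \
                 $ALLOW_LIST $ALLOW_LIST_INPUT $ALLOW_LIST_OUTPUT $ALLOW_LIST_FORWARD; do
            case "$f" in
                /*) path="$f" ;;
                *)  path="${IPLIST_LISTDIR:-/var/cache/iplist}/$f" ;;
            esac
            if [ ! -f "$path" ]; then
                echo "list $f not found at $path"
                problems=$((problems + 1))
            fi
        done
        exit "$problems"
    )
}

# Usage: sh check-ipblock-conf.sh /etc/ipblock.conf
if [ $# -gt 0 ]; then
    check_ipblock_conf "$1"
fi
```

Run it as root or as a user that can read /etc/ipblock.conf; the exit status is the number of problems, so it can be used directly in an init script or cron job before ipblock -s.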

Using IPblock

Usage: ipblock [options]

Options:
  -s   start blocking
  -d   stop blocking
  -r   restart IPblock
  -i   restart iptables rules
  -u   update lists
  -c   convert lists to ipl format
  -g   start IPblock GUI
  -l   show status
  -v   show version and exit
  -h   show this help

Example - Blocking whole countries

Since version 0.18, country lists can be selected from ipblock.lists, so there is no need to download or build country lists manually. Pre-built country lists are available at http://iplist.sf.net/countries/. webhosting.info also provides a nearly complete list of IP addresses by country (ip-to-country.csv.zip) which can be loaded into iplist. Download it with:
wget http://ip-to-country.webhosting.info/downloads/ip-to-country.csv.zip
Let's say the whole US should be blocked. First extract all IP ranges of the USA into a separate list:
unzip -c ip-to-country.csv.zip | grep -i usa | iplist \
-O p2p -o /var/cache/iplist/usa.p2p.gz -
Then edit /etc/ipblock.conf and add usa.p2p.gz to BLOCK_LIST:
BLOCK_LIST="usa.p2p.gz"
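Before a freshly built list such as usa.p2p.gz goes into BLOCK_LIST, it is worth confirming that every line is a well-formed range and seeing how many addresses the list actually covers, since a grep on a large CSV can easily pick up unrelated lines. The checker below is an added example, not part of iplist; it assumes the usual p2p layout "description:first-ip-last-ip" (one IPv4 range per line, optionally gzip-compressed when the filename ends in .gz), and the function name and the sample ranges are its own.

```shell
#!/bin/sh
# Added example (not part of iplist): sanity-check a list in p2p format before
# adding it to BLOCK_LIST. Assumes the PeerGuardian-style p2p layout
# "description:first-ip-last-ip" with dotted-quad IPv4 addresses, one range
# per line, optionally gzip-compressed (name ending in .gz).

# p2p_check FILE -> prints "ranges=N addresses=M invalid=K"
p2p_check() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac | awk '
        # ip2n: dotted quad -> integer, or -1 if malformed
        function ip2n(s,   o, i, n) {
            if (split(s, o, ".") != 4) return -1
            n = 0
            for (i = 1; i <= 4; i++) {
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
                n = n * 256 + o[i]
            }
            return n
        }
        { sub(/\r$/, "") }            # tolerate CRLF line endings from Windows tools
        /^[ \t]*$/ { next }           # skip blank lines
        {
            r = $0; sub(/.*:/, "", r) # the range is everything after the last colon
            if (r == $0 || split(r, se, "-") != 2) { invalid++; next }
            a = ip2n(se[1]); b = ip2n(se[2])
            # reject malformed octets and reversed ranges (first > last)
            if (a < 0 || b < 0 || a > b) { invalid++; next }
            ranges++; total += b - a + 1
        }
        END { printf "ranges=%d addresses=%d invalid=%d\n", ranges, total, invalid }'
}

# Usage: sh p2p-check.sh /var/cache/iplist/usa.p2p.gz
if [ $# -gt 0 ]; then
    p2p_check "$1"
fi
```

A list with invalid=0 and an address count in the expected order of magnitude for the country is ready for BLOCK_LIST; a surprisingly large count usually means the grep matched more than intended.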

Using iplist directly

What does IPblock exactly do?

Packets are filtered in the chains specified in IPTABLES_CHAIN_*. For each attempt to establish a new connection, iplist looks at the source and destination address of the packet and, based on the IPs in the lists, decides whether to reject the connection (TCP reset or ICMP port unreachable) or to hand it back to iptables to be handled by the rest of the iptables configuration. Packets in the INPUT chain are dropped by default. Rejecting rather than dropping has two nice side effects: there are no annoying timeouts when you try to access a blocked IP, and it is hard to tell whether the host running IPblock is online or uses a packet filter.
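With LOG_IPTABLES enabled, each of these decisions leaves a "BLOCKED: " or "ALLOWED: " entry in syslog, which is the quickest way to see which addresses and ports the lists are actually matching. The two functions below summarise those entries; they are an added example, not code from the iplist project, and assume the standard netfilter LOG target fields (SRC=, PROTO=, DPT=) following the prefix. The sample lines are constructed with RFC 5737 documentation addresses and are not real log data.

```shell
#!/bin/sh
# Added example (not part of iplist/IPblock): summarise what IPblock logged
# through LOG_IPTABLES. Assumes the usual netfilter LOG target line layout
# (SRC=, DST=, PROTO=, DPT= fields) after the "BLOCKED: " / "ALLOWED: "
# prefix described in the configuration section. Both functions read syslog
# lines on stdin and take the prefix as their only argument (default BLOCKED:).

# ipblock_log_top_sources [PREFIX] -> "count source-ip" lines, most frequent first
ipblock_log_top_sources() {
    awk -v pfx="${1:-BLOCKED:}" '
        index($0, pfx) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { count[substr($i, 5)]++; break }
        }
        END { for (s in count) print count[s], s }' | sort -rn
}

# ipblock_log_top_ports [PREFIX] -> "count proto/dport" lines, most frequent first
ipblock_log_top_ports() {
    awk -v pfx="${1:-BLOCKED:}" '
        index($0, pfx) {
            proto = "?"; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt != "") count[proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample syslog lines (RFC 5737 addresses, IANA documentation MACs);
# one ALLOWED entry and one unrelated kernel line are included to show they are
# kept apart from the BLOCKED counts.
SAMPLE_LOG=$(cat <<'EOF'
Jun 10 12:00:01 gw kernel: BLOCKED: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51512 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:02 gw kernel: BLOCKED: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51513 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:03 gw kernel: BLOCKED: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51514 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:04 gw kernel: BLOCKED: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=73 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=40000 DPT=53 LEN=53
Jun 10 12:00:05 gw kernel: BLOCKED: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:06 gw kernel: ALLOWED: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:04:08:00 SRC=198.51.100.8 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:09 gw kernel: eth0: link up
EOF
)

# Demonstration on the constructed lines; on a real host feed syslog instead:
#   ipblock_log_top_sources BLOCKED: < /var/log/syslog
printf '%s\n' "$SAMPLE_LOG" | ipblock_log_top_sources BLOCKED:
printf '%s\n' "$SAMPLE_LOG" | ipblock_log_top_ports BLOCKED:
```

The source summary shows which listed ranges are generating hits; the port summary shows what those hosts were trying to reach, which is useful for deciding whether an IGN_TCP_* exception is too broad.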