Blocking IP-addresses (CLI)
This article describes how to block lists with a front-end called IPblock. No knowledge of networking or firewalls is needed. Because of the way IPblock works, it does not change the behavior of existing firewalls, which makes it compatible with other firewall applications such as shorewall or fireHOL. This howto is intended for beginners and was tested on Ubuntu, Debian, Fedora and OpenSuSE.
Prerequisites and Installation
IPblock is part of the iplist package. iplist requires a 2.6.14 kernel or later with the option CONFIG_NETFILTER_XT_TARGET_NFQUEUE enabled (as a module or built-in). The download section contains installation instructions for various distributions.
Configuration
The configuration file is /etc/ipblock.conf. The default conf file can be found in /usr/share/doc/iplist/examples/. The options are:
start IPblock at boot time, used by ipblock.init
iptables chain(s) of the filter table in which IPblock should block traffic. Values can be combinations of INPUT, OUTPUT and FORWARD.
iptables chain(s) of the filter table in which IPblock should allow traffic. Values can be combinations of INPUT, OUTPUT and FORWARD.
Use less memory by disabling BLOCK_LIST_* options, as a result only one queue is used for all 3 chains.
List of IPs that are blocked in all chains specified in IPTABLES_CHAIN_BLOCK. Lists can optionally be compressed with gzip. Available lists can be found in /etc/ipblock.lists. Filenames can be relative if they are in IPLIST_LISTDIR.
BLOCK_LIST_OUTPUT
BLOCK_LIST_FORWARD
Like BLOCK_LIST but the lists are only valid in the suffixed chain. Note that the chain must be defined in IPTABLES_CHAIN_BLOCK to use the option.
Accept connections from specified IP addresses in all chains specified in IPTABLES_CHAIN_ALLOW. Lists must be in p2p format and can optionally be compressed with gzip. List names can be relative if files are in IPLIST_LISTDIR.
ALLOW_LIST_OUTPUT
ALLOW_LIST_FORWARD
Like ALLOW_LIST but the lists are only valid in the suffixed chain. Note that the chain must be defined in IPTABLES_CHAIN_ALLOW to use the option.
IGN_UDP_OUTPUT
IGN_TCP_INPUT
IGN_UDP_INPUT
IGN_TCP_FORWARD
IGN_UDP_FORWARD
Ports that are ignored, divided by chains. Values are specified in /etc/services and can be service names (e.g. http), port numbers (e.g. 80) or port ranges (e.g. 20:30).
IGN_PROTO_OUTPUT
IGN_PROTO_FORWARD
Ignore specified protocols. See /etc/protocols.
Directory where lists are stored. Usually this is /var/cache/iplist.
URLs of lists which are needed for updating.
Location of the log file.
Specifies which packets are logged. Values are: all | match | none.
Use LOG target (-j LOG) of iptables for blocked and allowed packets. Log entries are written to syslog and are prefixed with "BLOCKED: " or "ALLOWED: ".
Verbose log and iplist output.
Used to keep track of the last update.
Values "" or "0" disable updating. This option is used by the GUI and ipblock.cron.
Proxy to use for updating. E.g. http_proxy="127.0.0.1:8118".
Start the GUI minimized if systray is supported.
Show the last entries of the log file when the GUI starts.
Auto-scroll log window.
Sets the Look and Feel, values are: System, Default, Gtk
GUI_WHITELIST_TEMP
Whitelists used by the GUI, these need to be set in ALLOW_LIST.
Using IPblock
Options:
-s start blocking
-d stop blocking
-r restart IPblock
-i restart iptables rules
-u update lists
-c convert lists to ipl format
-g start IPblock GUI
-l show status
-v show version and exit
-h show this help
Example - Blocking whole countries
Since version 0.18 country lists can be selected from ipblock.lists. There is no need to manually download or build country lists. There are pre-built country lists available on http://iplist.sf.net/countries/. webhosting.info provides a nearly complete list of IP addresses (ip-to-country.csv.zip) grouped by country, which can be loaded into iplist. Download:-O p2p -o /var/cache/iplist/usa.p2p.gz -
Using iplist directly
What does IPblock exactly do?
Packets are filtered in the chains specified in IPTABLES_CHAIN_*. For each attempt to establish a new connection, iplist looks at the source / destination address of the packet and decides, based on the IPs in the lists, whether to reject the connection (tcp-reset or icmp-port-unreachable) or to send it back to iptables to be handled by the rest of the iptables configuration. Packets in the INPUT chain are dropped by default. Nice side effects of rejecting packets rather than dropping them are that there are no annoying timeouts if you try to access a blocked IP, and it is hard to find out whether the host which uses IPblock is online or uses a packet filter.
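To make the per-connection decision above concrete, here is an added example (not part of iplist or this howto) that parses p2p-format lists as the configuration section describes them, handles the optional gzip compression, and returns the verdict for an address. It assumes the plain "name:first-last" p2p text layout for both block and allow lists, and that an allow-list match takes precedence over a block-list match; the sample lists are constructed.

```python
import bisect
import gzip
import ipaddress

# Constructed sample lists in p2p text form ("name:first-last"), the layout the
# howto says allow lists must use (assumption: block lists use the same layout).
SAMPLE_BLOCK_LIST = """\
# comments and blank lines are skipped

Example range A:192.0.2.0-192.0.2.255
Example range B:198.51.100.10-198.51.100.20
Broken entry:not-an-ip
"""
SAMPLE_ALLOW_LIST = "Trusted host:192.0.2.42-192.0.2.42\n"

def parse_p2p(text):
    """Parse p2p text into a sorted list of (first, last, name) integer ranges."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, span = line.rpartition(":")   # names may themselves contain ':'
        first, _, last = span.partition("-")
        try:
            lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        except ipaddress.AddressValueError:
            continue  # skip a malformed entry rather than rejecting the whole list
        if lo <= hi:
            ranges.append((lo, hi, name))
    return sorted(ranges)

def load_list(path):
    """Read a list file; '.gz' files are gzip-compressed, as the howto allows."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return parse_p2p(fh.read())

def lookup(ranges, ip):
    """Name of the range containing ip, or None (binary search on sorted ranges)."""
    value = int(ipaddress.IPv4Address(ip))
    idx = bisect.bisect_right(ranges, (value, 2**32, "")) - 1
    hit = idx >= 0 and ranges[idx][0] <= value <= ranges[idx][1]
    return ranges[idx][2] if hit else None

def decide(ip, block_ranges, allow_ranges):
    """Verdict: ALLOWED (allow list wins, assumption), BLOCKED (rejected) or PASS."""
    if lookup(allow_ranges, ip) is not None:
        return "ALLOWED"
    return "BLOCKED" if lookup(block_ranges, ip) is not None else "PASS"
```

PASS corresponds to the packet being handed back to the rest of the iptables ruleset; to check real lists, call load_list() on a file from IPLIST_LISTDIR instead of the constructed samples.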