Gentoo Wiki

HOWTO_linblock

Links

Warning

As of 11/10/2007 the perl IPTables::IPv4 package would not install on 64-bit machines. I have created an alternative script that does about the same thing but doesn't require perl; see Bash Alternative.

Stuff you need before starting

*I saved the file here: /sbin/linblock.pl
*chown root:root /sbin/linblock.pl
*chmod 0755 /sbin/linblock.pl
*run "CPAN", then type "install IPTables::IPv4"


Huff. I stopped this install after I had problems installing the perl module IPTables::IPv4. CPAN output from "install IPTables::IPv4":

Warning: "install IPTables::IPv4" cleared my ruleset on a remote box (default policy DROP).

Bash Alternative

Requirements

Variables

The beginning of this script sets up some variables:

Use

This is intended to be turned on while torrenting and turned off at other times. You shouldn't leave ports open all the time, and you don't want to run iptables -L -v while this many entries are loaded in the iptables list. I don't notice any real network slowdown from this, so I don't think you should either, as long as you have 20 MB of spare RAM.

File: peerprotect.sh
#!/bin/bash
# peerprotect.sh: build a p2pfilter chain from the PeerGuardian blocklists.
#   update  download the lists and rebuild the iptables-restore file
#   start   load the chain and open the torrent port range
#   stop    unload the chain
lib=/var/lib/blacklist
update="update"
portstart=40001
portstop=40010
start="start"
stop="stop"
repo="http://peerguardian.sourceforge.net/lists/"

# Everything below needs root; fail early rather than half-way through.
if [ "$(id -u)" -ne 0 ]; then
    echo "$0 must be run as root" >&2
    exit 1
fi

if [ "$1" = "$update" ]; then
    echo "Getting rule updates"
    # A private scratch directory: a fixed, predictable /tmp/blacklist could be
    # pre-created (or symlinked) by any local user before we rm -fr and write into it.
    tmp=$(mktemp -d /tmp/blacklist.XXXXXX) || exit 1
    # Note: the lists arrive over plain HTTP with no integrity check, so whatever
    # the server sends ends up in the firewall; a tampered list can block legitimate peers.
    wget "$repo" -P "$tmp" || { rm -fr "$tmp"; exit 1; }
    # Each list is linked from the index as "<name>.php"; fetch them all.
    for i in $(grep -o '"[0-9a-zA-Z]*\.php"' "$tmp/index.html" | tr -d '"')
    do
        echo "$i"
        wget "$repo$i" -P "$tmp"
    done

    find "$tmp" -name '*.7z' -exec 7z e {} -o"$tmp" \;
    {
        echo "*filter"
        echo "-N p2pfilter"
        # P2P list lines look like "Name:1.2.3.4-5.6.7.8" (often CRLF-terminated).
        # Take the range after the last ':' so names containing ':' are handled,
        # and strip the CR so it does not end up inside the rule.
        for i in "$tmp"/*.txt
        do
            [ -e "$i" ] || continue
            echo "$i" >&2
            sed -n 's/\r$//; s/^.*:\([0-9.]*-[0-9.]*\)$/\1/p' "$i" |
            while read -r range; do
                echo "-A p2pfilter -m iprange --src-range $range -j DROP"
            done
        done
        echo "COMMIT"
    } > "$tmp/filter"
    mkdir -p "$lib"
    mv "$tmp/filter" "$lib/filter"
    rm -fr "$tmp"
    exit

elif [ "$1" = "$start" ]; then
    if [ ! -f "$lib/filter" ]; then
        echo "No filter file in $lib; run '$0 update' first" >&2
        exit 1
    fi
    echo "Adding rules"
    # Remove any previous copy of the chain, then load the fresh one without
    # flushing the rest of the ruleset.
    iptables -F p2pfilter &> /dev/null
    iptables -D INPUT -j p2pfilter &> /dev/null
    iptables -X p2pfilter &> /dev/null
    iptables-restore --noflush < "$lib/filter" || exit 1
    # The ACCEPTs sit after all the DROPs, so a blocklisted source is dropped
    # before the port range is opened to it.
    iptables -A p2pfilter -p tcp --dport "$portstart:$portstop" -j ACCEPT
    iptables -A p2pfilter -p udp --dport "$portstart:$portstop" -j ACCEPT
    iptables -A INPUT -j p2pfilter

elif [ "$1" = "$stop" ]; then
    echo "Flushing"
    iptables -F p2pfilter &> /dev/null
    iptables -D INPUT -j p2pfilter &> /dev/null
    iptables -X p2pfilter &> /dev/null

else
    echo "Usage: $0 <command>"
    echo "commands:"
    echo "  update (updates the filter file from the online blocklists)"
    echo "  start  (adds ips to drop list, as well as adds $portstart-$portstop to open ports)"
    echo "  stop   (opposite of start)"
fi
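As an added example (not the wiki's script), here is a bash converter for the same P2P list format that validates each "Name:start-end" line before turning it into an iprange rule, so a malformed or absurdly wide range is reported rather than handed to iptables-restore, where one bad line would abort the whole load. The MAX_SPAN cap and the SAMPLE list are assumptions made for the example.

```bash
#!/bin/bash
# Added example (not the wiki's script): turn PeerGuardian "Name:start-end"
# lines into iptables-restore rules, validating each range first so one bad
# line cannot abort the restore or black-hole the host. MAX_SPAN is an assumed cap.
MAX_SPAN=16777216   # 2^24 addresses (a /8); anything wider is rejected

# ip2int: dotted quad -> integer on stdout; returns 1 if not a valid IPv4
ip2int() {
    local IFS=. o n=0
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] || return 1      # at most three digits per octet
        o=$((10#$o))                     # force decimal ("010" is 10, not octal)
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    printf '%s\n' "$n"
}

# p2p_to_rules CHAIN: p2p lines on stdin -> "-A CHAIN ..." lines on stdout.
# The range is taken after the LAST ':' so names containing ':' still parse;
# CRLF files are handled; a bare "Name:a.b.c.d" becomes a one-host range.
# Rejected lines go to stderr instead of being handed to iptables-restore.
p2p_to_rules() {
    local chain=$1 line range start end s e
    while IFS= read -r line; do
        line=${line%$'\r'}
        case $line in ''|\#*) continue ;; esac   # skip blanks and comments
        range=${line##*:}
        start=${range%-*}; end=${range#*-}
        if ! s=$(ip2int "$start") || ! e=$(ip2int "$end") ||
           [ "$s" -gt "$e" ] || [ $((e - s + 1)) -gt "$MAX_SPAN" ]; then
            printf 'rejected: %s\n' "$line" >&2
            continue
        fi
        printf -- '-A %s -m iprange --src-range %s-%s -j DROP\n' "$chain" "$start" "$end"
    done
}

# make_filter CHAIN: the complete iptables-restore input the page's script builds
make_filter() {
    printf '*filter\n-N %s\n' "$1"
    p2p_to_rules "$1"
    printf 'COMMIT\n'
}

# Constructed sample (not a real blocklist); try: make_filter p2pfilter <<<"$SAMPLE"
SAMPLE=$'# constructed\r\nExample Org:10.20.0.0-10.20.255.255\r\nColon:In:Name:192.0.2.1-192.0.2.9\nSingle:198.51.100.7\nBad octet:256.1.1.1-256.1.1.2\nReversed:10.0.0.9-10.0.0.1\nToo wide:0.0.0.0-255.255.255.255'
```

Running it on the sample keeps the first three entries and reports the bad octet, the reversed range and the whole-Internet range on stderr.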
Retrieved from "http://www.gentoo-wiki.info/HOWTO_linblock"

Last modified: Fri, 05 Sep 2008 06:19:00 +0000