PeerGuardian lists, imported to iptables. September 12, 2009

At home, I have a Smoothwall which connects my network to the internet. It’s a very robust replacement for these soho routers that everyone seems to use. It’s not quite as plug and play, but it works very well, and I have a lot more control over it.

I also run PeerGuardian, from Phoenix Labs, on my workstations to help block certain access to my machines. Peer Guardian is a great program, and most of the time it works very well. The problem is, sometimes it has issues, and to be honest, I always thought it’d be cleaner to put the firewalling, on my…. Firewall! So i set out to find a way to add peerguardian’s lists to my Smoothie.

There’s a Project called moblock, which is supposed to do this. Well, i’ve never seen it work. Thats not to say it doesnt work, i just couldnt get it working on my Smoothie. So for a very long time, i went on using peer guardian locally. Well recently I happened to be watching peer guardian run its update, and realized that it;s pulling its lists from an http address. Makes sense that i might be able to do the same, right? So i pointed my web browser there, and sure enough, i’m presented with a list of rules! Rules that dont match iptables, but look very easy to parse! So, I did just that. I started writing my own parser, and before long, i had a very long list of iptables compatible rules. By very long, I mean long! Over 226000 lines!

I decided that the best way to make this list easy to update was to create a new chain, called PGBLOCK, and put my rules in there. I also created a chain called PGALLOW which supersedes the block list. So i can add exceptions if i’d like.

So, on my Fedora 11 Test machine in added the following to /etc/sysconfig/iptables.

After the chain definitions (the :CHAINNAME [number:number] lines) i added 4 lines.
-N PGALLOW
-N PGBLOCK
-A INPUT -j PGALLOW
-A INPUT -j PGBLOCK

This adds the chains, and adds them to the iptables INPUT chain. This tells iptables to pass all inbound packets through my chains before they even touch any other rules.

At first, i tried entering all of my rules into the PGBLOCK chain. This worked, but delayed every inbound packet to the point that my network connection was almost useless.

So I made a slight change. I made a new chain for each class a. 253 in all (i skipped 10. and 127.), and then i setup more specific rules inside of the PGBLOCK chain. PGBLOCK now contains lines similar to:

-A INPUT -s 1.0.0.0/8 -j PGBLOCK1
-A INPUT -s 2.0.0.0/8 -j PGBLOCK2
..
-A INPUT -s 254.0.0.0/8 -j PGBLOCK254
-A INPUT -s 255.0.0.0/8 -j PGBLOCK255

Now each packet gets subjected to a couple hundred (or thousand) rules instead of 226000 of them.

Wondering if you can get ahold of my script?
Here it is:http://www.undrground.org/sites/undrground.org/files/getpg.tar.gz

Making this work is pretty easy.
There are a few variables at the top of the scipt that point to where you’d like some things to be saved. It needs a scratch directory for the lists it downloads. You need write access as the user youre running as, to the directory you’re running it from, and the lists directory, of course. But just set all that up, and run the script. It’ll generate a file called pg.firewall. Use that along with iptables-restore to build the firewall.

iptables-restore –noflush < pg.firewall Now, updating the firewall is a little more tricky, you need to flush the tables manually before re-importing. I did this with a perl script that looks something like: #!/usr/bin/perl foreach (1..255) { if ($_ eq 10 || $_ eq 127) { next; } system("/usr/sbin/iptables -F PGBLOCK$_"); } system("/usr/sbin/iptables-restore --noflush < /root/pg.firewall"); This flushes the tables, and then imports the new list. I hope this helps someone else out along the way. Enjoy! -War