OpenWrt Forum Archive

Topic: Blocking Hosts

The content of this topic has been archived on 1 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have found a few sites that discuss setting up your computer to block ads by putting the ad server host names in your hosts file, and pointing them to 127.0.0.1 (loopback address obviously). Is there a simple way to set up my OpenWrt router to block or redirect hosts? It would be much easier to control everything on the router than keep track of each individual computer.

There is no /etc/hosts, but I know there is something ridiculously simple that I am missing...

Well, I plan to do a peerguardian package this week. That would help in this, too (as it has automatic updates to block certain ranges, anti-p2p, ads, spyware, edu, gov, etc).

Create a /etc/hosts, restart dnsmasq.
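
That one-line answer works for the whole LAN because the router's dnsmasq answers client queries from its own /etc/hosts. As an added example, not code from the thread, the script below normalizes a downloaded hosts-format blocklist and emits dnsmasq "address=" lines instead, which also cover every subdomain of each blocked name. The /tmp/dnsmasq.d directory and the dnsmasq init script path are assumed OpenWrt details, and the demo input is constructed.

```sh
#!/bin/sh
# Added example, not code from the thread: turn a hosts-format ad blocklist
# into dnsmasq "address=" lines for the router. /tmp/dnsmasq.d and the
# dnsmasq init script are assumed OpenWrt paths.

# stdin: hosts-format lines ("127.0.0.1 ads.example.com"); stdout: address= lines.
# $1 = sinkhole address. 0.0.0.0 makes clients fail immediately, whereas
# 127.0.0.1 sends every blocked request to whatever listens on the client's
# own loopback.
hosts_to_dnsmasq() {
    sink="${1:-0.0.0.0}"
    tr -d '\r' | sed 's/#.*//' | awk -v sink="$sink" '
        # only lines that already point a name at a sinkhole count
        NF >= 2 && ($1 == "127.0.0.1" || $1 == "0.0.0.0") {
            for (i = 2; i <= NF; i++)
                # every hosts file carries these; sinkholing them breaks the router
                if ($i != "localhost" && $i != "localhost.localdomain")
                    print "address=/" $i "/" sink
        }' | sort -u
}

# Write the list where OpenWrt's dnsmasq reads extra config (assumed path),
# then restart it so it takes effect for every client on the LAN at once.
install_blocklist() {
    mkdir -p /tmp/dnsmasq.d
    hosts_to_dnsmasq 0.0.0.0 < "$1" > /tmp/dnsmasq.d/adblock.conf
    /etc/init.d/dnsmasq restart
}

# "sh thisfile demo" converts a constructed sample list
case "${1:-}" in
    demo) printf '127.0.0.1 localhost\n127.0.0.1 ads.example.com # tracker\n0.0.0.0 beacon.example.net\n' | hosts_to_dnsmasq ;;
esac
```

After install_blocklist, `nslookup ads.example.com 127.0.0.1` on the router should answer 0.0.0.0. The address= form matches the name and everything below it, so one line covers ads.example.com and x.ads.example.com, which a plain /etc/hosts entry does not. Clients configured to use a public resolver directly bypass the whole scheme; blocking or redirecting outbound port 53 at the router closes that hole.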

Has somebody made a package for peerguardian 2?

Or a way to block IPs taken from blocklist.org?

Has anyone made a package for peerguardian yet? I would really like this package...

No one replies to me...

I think I'll make this package by myself... but I need time to learn how.

Hello,

I think there's an easy way: http://www.bluetack.co.uk/converter/index.php
With this you can create a script with the desired addresses (adware, spyware, anti-p2p...). It could look like this:

#!/bin/bash
# Note: OpenWrt ships BusyBox ash, not bash; run this with /bin/sh or install bash.

# Create special MLDONKEY chain
iptables -t filter -N MLDONKEY
iptables -t filter -F MLDONKEY

# Create the logdrop chain to log & drop a packet
iptables -t filter -N MLDONKEY_LOGDROP
iptables -t filter -F MLDONKEY_LOGDROP
iptables -t filter -A MLDONKEY_LOGDROP -j LOG --log-prefix "MLDONKEY"
iptables -t filter -A MLDONKEY_LOGDROP -j DROP

# Jump to the special MLD chain at the end of the INPUT chain (commented out)
# Note: MLDONKEY is created in the filter table, so this jump would have to
# use -t filter; as written, the MLDONKEY chain is never referenced.
#iptables -t nat -A INPUT -j MLDONKEY

# List of ip ranges to ban
# Note: INPUT and OUTPUT only cover traffic to and from the router itself;
# traffic from the PCs behind it passes through FORWARD, which needs its own rules.
iptables -t filter -I INPUT 1 -s 4.18.162.102 -j MLDONKEY_LOGDROP
iptables -A OUTPUT -o eth0 -d 4.18.162.102 -j REJECT
iptables -t filter -I INPUT 1 -s 4.36.44.3 -j MLDONKEY_LOGDROP
iptables -A OUTPUT -o eth0 -d 4.36.44.3 -j REJECT
iptables -t filter -I INPUT 1 -s 4.38.98.140 -j MLDONKEY_LOGDROP
iptables -A OUTPUT -o eth0 -d 4.38.98.140 -j REJECT
iptables -t filter -I INPUT 1 -s 4.65.105.109 -j MLDONKEY_LOGDROP
iptables -A OUTPUT -o eth0 -d 4.65.105.109 -j REJECT
iptables -t filter -I INPUT 1 -s 12.3.249.0/24 -j MLDONKEY_LOGDROP
iptables -A OUTPUT -o eth0 -d 12.3.249.0/24 -j REJECT
iptables -t filter -I INPUT 1 -s 12.14.172.204 -j MLDONKEY_LOGDROP
.... and so on

I think the iptables way is better because some sites are loading the ads from IP addresses, and iptables should be faster.
It would be great if someone made a package with autoupdate functionality and stuff like that. I haven't tried the way I mentioned above, so I can't tell if it's any good from experience, but it looks like it would do the job.

One could just make a script that downloads the new list and updates the iptables rules, and then it could be a cronjob. I can write the script.

How does peerguardian work? If one put a lot of entries in iptables there would be much load on the router, I guess... if all traffic needs to be checked against the iptables rules... If it is just as good to download the list and convert it to an iptables script, I will create the script.

Hmm, where do I download the source list with all the IP addresses to block?

Hello Kaksi,

you can find the blacklists here -> http://www.bluetack.co.uk/modules.php?n … &cid=2
It would be great if one could choose the list(s), like only adtrackers + spy-/malware.
It's formatted like hostname:ip(address/range)
If you do create a script I'd be happy to try it and give feedback.

But I think that there are so many IPs to block that iptables cannot handle them...

There would be hundreds of rules in iptables, and OpenWrt is a small router, not a Linux box.

If it can't handle the tables it won't be able to handle the hosts anyway -> we're talking about thousands, not hundreds, of entries.

(Last edited by Kasei on 9 Dec 2005, 11:55)

I don't know how many hosts peerguardian blocks, but I think they are hundreds.

The best choice would be to set up a proxy server (preferably Squid on a separate Linux box) and force all of your web traffic through this proxy. There are several ways to block/filter content and addresses. I like squidguard and dansguardian. I also use adzapper and wrote a howto on it long long long ago:

http://voidmain.is-a-geek.net/redhat/za … apper.html

You can block all port 80 traffic at your firewall except for the proxy server. You can also set up a transparent proxy so that any port 80/443/etc traffic is automatically forwarded through the proxy by setting a simple iptables rule in your router. Just another idea in case you didn't think of it.
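
The "simple iptables rule" for the transparent proxy is really three or four rules once the proxy sits on a separate box on the same LAN, and their order matters. As an added example, not code from the thread or from Squid, the script below generates them for an assumed LAN interface, proxy address and port; nothing is applied unless apply_transparent_proxy is called as root on the router.

```sh
#!/bin/sh
# Added example, not from the thread: generate the router-side iptables rules
# for a transparent HTTP proxy on a separate LAN host. Interface, proxy
# address and port are assumed values passed in by the caller.

# Print the rules for: $1 = LAN interface, $2 = proxy IP, $3 = proxy port.
# The proxy's own outbound HTTP is exempted FIRST; otherwise its upstream
# fetches are redirected back into itself and every request loops.
transparent_proxy_rules() {
    lan="$1"; proxy="$2"; port="$3"
    case "$proxy" in
        *[!0-9.]*|"") echo "bad proxy address: $proxy" >&2; return 1 ;;
    esac
    case "$port" in
        *[!0-9]*|"") echo "bad proxy port: $port" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan -s $proxy -p tcp --dport 80 -j RETURN
iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j DNAT --to-destination $proxy:$port
iptables -t nat -A POSTROUTING -o $lan -d $proxy -p tcp --dport $port -j MASQUERADE
iptables -A FORWARD -i $lan -o $lan -d $proxy -p tcp --dport $port -j ACCEPT
iptables -A FORWARD -i $lan ! -s $proxy -p tcp --dport 80 -j REJECT
EOF
}

# Run the generated rules on the router (root required); stops at the first failure.
apply_transparent_proxy() {
    [ "$(id -u)" = 0 ] || { echo "run as root" >&2; return 1; }
    transparent_proxy_rules "$@" | while IFS= read -r rule; do
        $rule || return 1
    done
}

# "sh thisfile demo" prints the rules for constructed sample values
case "${1:-}" in
    demo) transparent_proxy_rules br-lan 192.168.1.10 3128 ;;
esac
```

The MASQUERADE line is there because client and proxy share the LAN: without it the proxy answers the client directly, the client receives a reply from an address it never connected to, and the handshake never completes. The cost is that the proxy's logs show the router as the client; policy routing on the proxy box is the alternative. The last rule is the "block all port 80 except the proxy" part; it still lets DNATed flows through because after DNAT their destination port is the proxy port, not 80. Only port 80 is redirected here: sending 443 through a transparent proxy breaks TLS unless the proxy is set up to intercept it.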

I've just installed peerguardian2 on my Windows PC; I downloaded the blocking list (only the p2p list) here:

peerguardian.sourceforge.net/lists/p2p.php

It has 91715 lines made like this:

General Electric Company:3.0.0.0-3.255.255.255
s0-0.ciscoseattle.bbnplanet.net:4.0.25.146-4.0.25.148
p1-0.cisco.bbnplanet.net:4.0.26.14-4.0.29.24
Cisco Systems, Inc:4.2.144.64-4.2.144.95
Drug Enforcement Adm:4.2.144.224-4.2.144.231
US Dept of Treasury - TIGTA:4.2.144.248-4.2.144.255
City of League City:4.2.145.224-4.2.145.239
Verizon/Intel-San Jose:4.2.153.0-4.2.153.7
Cisco Systems, Inc:4.2.153.32-4.2.153.63
Werner Media:4.2.160.64-4.2.160.79
Pike County Auditor:4.2.161.0-4.2.161.7
Delaware MRDD:4.2.161.64-4.2.161.71
Brown County Commissioners/Georgetown:4.2.162.128-4.2.162.135
Portsmouth Municipal Court:4.2.162.144-4.2.162.151
City of Circleville:4.2.162.160-4.2.162.191
Cisco Systems, Inc:4.2.163.96-4.2.163.127

etc. etc.

I think it's impossible for iptables (on OpenWrt) to handle such a big list of IPs to drop...
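
The list above is exactly the input the converter script earlier in the thread has to handle, and the offer of "a script that downloads the new list and updates the iptables" needs the same conversion step. As an added example, not code from the thread or from PeerGuardian, the script below parses the name:first-last format into iptables rules, one -m iprange rule per range rather than one -s rule per address. The chain name defaults to the MLDONKEY_LOGDROP chain from the earlier script, the iprange match is assumed to be available on the router, and the demo input is constructed from the lines posted above.

```sh
#!/bin/sh
# Added example, not from the thread: convert a PeerGuardian "p2p" list
# (name:first-last, one range per line) into iptables rules. Chain name and
# the availability of the iprange match are assumptions.

# stdin: p2p lines; stdout: iptables commands. Names may contain ':' and '-'
# ("s0-0.cisco...", "Verizon/Intel-San Jose:..."), so the range is taken from
# the LAST colon and both ends must be dotted quads; anything else is skipped
# and counted on stderr so a corrupt download is noticed.
p2p_to_iptables() {
    chain="${1:-MLDONKEY_LOGDROP}"
    tr -d '\r' | awk -v chain="$chain" '
        function is_ip(s,  n, p, i) {
            n = split(s, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        {
            if (!match($0, /:[^:]*$/)) { bad++; next }
            range = substr($0, RSTART + 1)
            if (split(range, r, "-") != 2 || !is_ip(r[1]) || !is_ip(r[2])) { bad++; next }
            # INPUT only shields the router itself; the PCs behind it are
            # reached through FORWARD, so match the range there as source
            # (scans coming in) and as destination (clients talking out).
            printf "iptables -I FORWARD -m iprange --src-range %s -j %s\n", range, chain
            printf "iptables -I FORWARD -m iprange --dst-range %s -j %s\n", range, chain
            printf "iptables -I INPUT -m iprange --src-range %s -j %s\n", range, chain
            good++
        }
        END { printf "%d ranges converted, %d lines skipped\n", good, bad | "cat 1>&2" }
    '
}

# "sh thisfile demo" converts a constructed sample taken from the posted list
case "${1:-}" in
    demo) printf 'General Electric Company:3.0.0.0-3.255.255.255\nVerizon/Intel-San Jose:4.2.153.0-4.2.153.7\n' | p2p_to_iptables ;;
esac
```

Usage on the router is `p2p_to_iptables < p2p.txt | sh` after the MLDONKEY_LOGDROP chain exists. With the 91715-line list this still yields three rules per range, which is the performance concern raised in the thread; on a kernel with ipset the same parser can emit `ipset add` lines for a hash:net set instead, and a single `-m set` rule in each chain replaces all of them.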

Not only that but it doesn't make any sense to use iptables to block such a large list. A proxy does it with ease however.

What if I put that list in hosts.deny?

Proxy. I actually block ALL outbound traffic at the firewall with iptables (except for a whitelist of hosts). That takes just one rule. If someone needs to get to the Internet it is done through the proxy. The proxy can block such a large list with ease, along with doing ad blocking and content filtering. You run into many problems trying to do this with iptables. I wrote a program to automatically add an iptables rule to block any host trying to hit me that is infected with Code Red or Nimda. When the list gets up to 10,000 it starts becoming a big performance hit. This is on a full-fledged PC with 3 NICs rather than the limited resources of the WRT54G and such devices. Then try manually manipulating the rules tables with such a large list.

But I need to block spy servers for p2p software; I don't want to block HTTP.

I have the p2p port enabled on my router, but I want to block scanning of my PCs from the IPs in http://peerguardian.sourceforge.net/lists/p2p.php

(Last edited by Giammin on 15 Dec 2005, 14:26)

I have this problem:

root@OpenWrt:~# ipkg install http://openwrt.inf.fh-brs.de/~olli/testing/mipsel/packages/peerguardian_1.5beta-1_mipsel.ipk
Downloading http://openwrt.inf.fh-brs.de/~olli/testing/mipsel/packages/peerguardian_1.5beta-1_mipsel.ipk
Installing peerguardian (1.5beta-1) to root...
Installing libpthread (0.9.27-1) to root...
Downloading http://downloads.openwrt.org/whiterussian/packages/libpthread_0.9.27-1_mipsel.ipk
Configuring libpthread
Configuring peerguardian
Successfully terminated.
root@OpenWrt:~# peerguardnf -h
peerguardnf: can't load library 'libstdc++.so.6'
root@OpenWrt:~# peerguardnf
peerguardnf: can't load library 'libstdc++.so.6'

Is this package working like the original peerguardian for Linux?
Where do I have to put the config files?

thanks!

Hello,

While compiling peerguardian for Linux, I did not manage to make it link with the uClibc++, so please try to install the libstdc++ package.

I'll correct the dependency

I guess it does not work.

First I had to chmod +x on the init script. Then when I tried to start it I got:

orno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno colorno co

all over the screen.

Pressing CTRL+C got me back to the console and I got: Problem with init file


Ideas? Do I have to configure it somehow?

The discussion might have continued from here.