Notes on part 4
Part 4 chronicles my third attempt to build iplist on the Debian NSLU2. In previous attempts, I have been using libnfnetlink and libnetfilter_queue from the official Debian repository. However, iplist has failed to work due to “error: can’t set packet_copy mode”.
The Debian Etch repository held libnfnetlink version 0.0.16 and libnetfilter_queue version 0.0.12. The next step was to use latest versions from netfilter.org. Currently, these were libnfnetlink version 0.0.39 and libnetfilter_queue version 0.0.16.
The developer of iplist has kindly commented on my previous post (Chronicles of iplist in Debian NSLU2 part 2). He has posted a modified source code and a deb binary for the ARM platform. If you are only interested in getting iplist to work on your Debian NSLU2, I recommend trying these directly (I am also in the process of trying the new build).
Install required tools
Creating updated Debian packages for the netfilter libraries was beyond my knowledge. Instead, I used the direct Linux build and install method. For this, I only needed the “build-essential” package. I had already installed it previously, but if you are starting from scratch, use this command to install the build-essential package:
sudo apt-get install build-essential
Download and unpack the netfilter libraries source code
First, I recommend working in a subdirectory.
mkdir ~/netfilter
cd ~/netfilter
Download the source code using these commands:
wget http://ftp.netfilter.org/pub/libnfnetlink/libnfnetlink-0.0.39.tar.bz2
wget http://ftp.netfilter.org/pub/libnetfilter_queue/libnetfilter_queue-0.0.16.tar.bz2
Unpack the source code:
tar xvf libnfnetlink-0.0.39.tar.bz2
tar xvf libnetfilter_queue-0.0.16.tar.bz2
Build and install the netfilter libraries
Build and install libnfnetlink:
cd ~/netfilter/libnfnetlink-0.0.39/
./configure --prefix=/usr
make
sudo make install
Build and install libnetfilter_queue:
cd ~/netfilter/libnetfilter_queue-0.0.16/
./configure --prefix=/usr
make
sudo make install
You should keep these subdirectories and files. You could then uninstall (if there is need) with these commands:
cd ~/netfilter/libnfnetlink-0.0.39/
sudo make uninstall
cd ~/netfilter/libnetfilter_queue-0.0.16/
sudo make uninstall
Build and install iplist
The iplist source code can be found at the iplist website. Currently, the latest stable version is 0.23.
Again, I recommend working in a temporary subdirectory.
mkdir ~/temp
cd ~/temp
If you have previously downloaded the iplist source code, copy the archive into the “temp” subdirectory. Otherwise, use this command to download it:
Extract the archive:
tar xvf iplist-0.23.tar.gz
Read the file “INSTALL” for build instructions:
cd iplist-0.23/
nano INSTALL
For the current situation, we use the normal Linux build and install method.
make
sudo make install
Again, please note that the iplist build takes a while to complete (approximately 24 minutes on my slug). Also, remember that you need to remove the “swappiness=0” setting, or else it will fail with an “out of memory” error.
Before we can run iplist, we need to create a directory and copy some files, because the iplist “make install” command (from the previous section) does not do this automatically.
sudo cp ipblock.conf /etc/
sudo cp ipblock.list /etc/
sudo mkdir /var/cache/iplist
sudo cp allow.p2p /var/cache/iplist/
Now, you could customise the configuration in “/etc/ipblock.conf” to your preference. Please refer to Chronicles of iplist in Debian NSLU2 part 2 for more info.
To uninstall iplist afterwards, we simply remove the related files:
sudo rm /usr/sbin/ipblock
sudo rm /usr/sbin/iplist
sudo rm /etc/ipblock.conf
sudo rm /etc/ipblock.list
And remove all existing and downloaded blocklists:
sudo rm -r /var/cache/iplist/
Download block lists and start iplist
First, I tested downloading the preset block lists.
sudo ipblock -u
This took a few minutes. After it completed, I checked the directory “/var/cache/iplist” to see whether the preset block lists were fully downloaded.
You should be careful not to download the blocklists too often. Last I checked, you could get banned if you frivolously taxed the blocklists server.
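As an added example (not part of the original post), here is a small shell helper that only runs “ipblock -u” when the cached lists are missing or older than a chosen number of days, so the blocklist server is not hit more often than necessary. The cache path /var/cache/iplist is from the post; the 7-day threshold and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the iplist project: re-download the preset
# blocklists only when the cache is missing, empty, or has a list older
# than DAYS days. The 7-day threshold is an assumption for illustration.

# blocklists_stale DIR DAYS
# Exit status 0 when DIR is missing, contains no files, or contains a file
# last modified more than DAYS days ago; exit status 1 otherwise.
blocklists_stale() {
    dir=$1
    days=$2
    [ -d "$dir" ] || return 0
    # No list files at all counts as stale (first run after install).
    if [ -z "$(find "$dir" -maxdepth 1 -type f -print)" ]; then
        return 0
    fi
    # -mtime +N matches files modified more than N*24 hours ago.
    if [ -n "$(find "$dir" -maxdepth 1 -type f -mtime +"$days" -print)" ]; then
        return 0
    fi
    return 1
}

# update_if_stale DIR DAYS
# Runs the download only when blocklists_stale says the cache is stale.
update_if_stale() {
    if blocklists_stale "$1" "$2"; then
        echo "blocklists in $1 missing or older than $2 days: running ipblock -u"
        sudo ipblock -u
    else
        echo "blocklists in $1 are fresh: skipping download"
    fi
}

# Self-check on a constructed temporary cache (no real download happens).
demo=$(mktemp -d)
blocklists_stale "$demo" 7 && echo "empty cache -> stale"
touch "$demo/allow.p2p"
blocklists_stale "$demo" 7 || echo "fresh allow.p2p -> not stale"
touch -t 200001010000 "$demo/old.p2p"      # constructed: dated year 2000
blocklists_stale "$demo" 7 && echo "old list present -> stale"
rm -r "$demo"
# Real use on the slug: update_if_stale /var/cache/iplist 7
```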
Now, start iplist:
sudo ipblock -s
It took about 6 seconds, then the prompt returned.
Did it work?
Yes! It worked! There was no error message. As far as I could tell, the blocking was working perfectly, as can be seen in “/tmp/ipblock.log”.
Is it a success?
Well, not really. I started to discover a number of problems, which I am still investigating. Here is an example of a weird situation.
When I start ipblock:
sudo ipblock -s
If I now check the processes:
ps -ef | grep iplist
You would see four instances of:
iplist --daemon -v -f /tmp/ipblock.log -l match
However, at this time, all connections would be blocked. Even weirder, the existing ssh connection I used to start ipblock was still functional, but any other ssh connections became unresponsive (I presumed they were blocked). I checked a few times, and waited as long as 30 minutes, but this situation appeared to continue indefinitely. During this time, I saw only one message in “/var/log/syslog”:
info: logging to /tmp/ipblock.log
However, when I run:
sudo ipblock -l
The command “hung” for about 15 minutes, and I could see a lot of disk activity. I presumed this was disk swapping due to the large amount of memory being used. But eventually, the command returned, showing the correct blocklists, and some messages appeared in “/var/log/syslog” about the number of IP ranges being inserted.
From then onwards, iplist was working and blocking properly. So, my earlier statement that iplist was working only held after I had run both:
sudo ipblock -s
sudo ipblock -l
Not enough physical memory
Above was one example of what was not fully working, but there were others. One major problem is the lack of physical memory in the slug. The default unmodified slug has 32MB of SDRAM. With the full blocklists loaded and iplist running normally, “free -m” showed:
                   total       used       free     shared    buffers     cached
Mem:                  29         27          1          0          0          4
-/+ buffers/cache:                22          6
Swap:                384         44        339
Almost the entire physical memory, plus 44MB of disk swap, was used. The slug was fully taxed and I was not sure how reliable it would be if it were to run continuously in this state. Also, this did not include rtorrent up and running, or other convenient functions such as smb or nfs file sharing.
A solution here might be to convert to a fatslug, but that comes with its own set of problems.
I am still investigating these issues. Actually, I have little idea about the behaviour of iplist when it is working correctly in a PC environment. Therefore, the next thing on my todo list is setting up iplist on an Ubuntu PC server and doing some testing.