From twofo wiki

The first thing we need to do is create a user to run your DC++ client under. We do this because iptables doesn't currently support filtering by program, but it does support filtering by user, so we can create iptables rules that apply only to a specific user and run your DC++ client as that user. I'm using "dc" as my user; you can use whatever you want.

Make sure you specify a UID for your user; you will need it later on. I've chosen 1000 as my UID. You should use a number over 1000 that hasn't already been taken (check the /etc/passwd file for this).

adduser dc --uid 1000

Next we need to create the iptables rules.
Run the commands listed below, remembering to use the right UID.
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range -j DROP

For these filters to work you have to run your client as your DC++ user. To do this, run the command shown below, replacing valknut with whichever DC++ client you use.
su -c valknut dc

You should now have DC++ running as user dc with external connections blocked. You may find you need to run
xhost +si:localuser:dc
in order to get the GUI running properly from your normal user account (e.g. if you see errors like
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified
). If the problem persists, try
xhost +
(note that this disables X access control entirely, so prefer the per-user form above where it works).

NB. These rules will reset whenever you restart your computer, so it is probably wise to create a script with the actual iptables rules and set it to run on startup.

We can do this by using the iptables-save and iptables-restore commands. Once you have your iptables set up correctly, use the following command to save your configuration to a hidden file in your home directory.
sudo iptables-save > ~/.iptables

And add the following command to your /etc/rc.local above the exit 0 line (or somewhere else that will be run at startup). rc.local runs as root, so ~ will not point at your home directory there; give the full path to the saved file instead (replace /home/youruser with your actual home directory):
iptables-restore /home/youruser/.iptables
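As an added example (not part of the wiki page), the script below generates the per-UID DROP rules from the section above as an iptables-restore fragment, so the rules and the startup persistence step can be kept in one file. UID 1000 matches the page; the two address ranges are constructed placeholders from the RFC 5737 documentation blocks, not the ranges the page intends, and the file name dcpp-rules.v4 is an assumption.

```shell
#!/bin/sh
# Added example, not the wiki's own script: build an iptables-restore
# fragment that drops everything one UID sends to a list of destination
# ranges. Load it at startup with:  iptables-restore --noflush < dcpp-rules.v4
# (--noflush appends to the running ruleset instead of replacing the whole
# filter table, unlike a plain iptables-restore of a full iptables-save dump.)

# Accept only "a.b.c.d-e.f.g.h"; a malformed range is rejected here rather
# than producing a line that iptables-restore would abort on at boot.
valid_range() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}-([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# build_rules UID RANGE...  -> prints the fragment on stdout.
# Returns 1 without printing any rules if a range is malformed.
build_rules() {
    uid=$1; shift
    for r in "$@"; do
        valid_range "$r" || { echo "bad range: $r" >&2; return 1; }
    done
    printf '*filter\n'
    for r in "$@"; do
        # Same match the wiki uses: owner UID plus destination address range.
        printf -- '-A OUTPUT -m owner --uid-owner %s -m iprange --dst-range %s -j DROP\n' "$uid" "$r"
    done
    printf 'COMMIT\n'
}

# Count the DROP rules in a generated fragment, for a quick sanity check.
count_drop_rules() {
    printf '%s\n' "$1" | grep -c -- '-j DROP'
}

# Constructed sample values: UID 1000 as on the wiki page, ranges taken from
# the documentation-only blocks 192.0.2.0/24 and 198.51.100.0/24 (RFC 5737).
DC_UID=1000
SAMPLE_RANGES="192.0.2.0-192.0.2.255 198.51.100.0-198.51.100.255"

# shellcheck disable=SC2086  # word-splitting SAMPLE_RANGES is intended
build_rules "$DC_UID" $SAMPLE_RANGES
```

Redirect the output to dcpp-rules.v4 and point the rc.local line at that file to replace the hand-typed rules with a reviewable, regenerable ruleset.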