Difference between revisions of "Iptables"

From twofo wiki

Revision as of 13:18, 30 September 2013

The first thing we need to do is create a user to run your DC++ client under. We do this because iptables doesn't currently support filtering by program, but it does support filtering by the user that owns a connection (the owner match), so we can create iptables rules that apply only to a specific user and run your DC++ client as that user. I'm using "dc" as my user; you can use whatever you want.


Make sure you specify a UID for your user; you will need this later on. I've chosen 1000 as my UID; you should use a number over 1000 that hasn't already been taken (check the /etc/passwd file for this).

adduser dc --uid 1000


Next we need to create the iptables rules.
Run the commands listed below, remembering to use the right UID.
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range 0.0.0.0-126.254.254.254 -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range 127.0.0.2-137.204.254.254 -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range 137.206.0.0-172.15.254.254 -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range 172.32.0.0-254.254.254.254 -j DROP
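As an added check (example code written for this page, not part of the original wiki text), the script below parses the four DROP rules above and reports the destination ranges they leave open for the DC++ user. It shows the intended holes (127.0.0.0-127.0.0.1, 137.205.x.x and 172.16-172.31) and also the extra addresses that stay reachable because each range ends at .254 rather than .255; the rule text is embedded as a constructed copy so it runs offline.

```python
"""Compute which destination addresses the per-user DROP rules still allow."""
import ipaddress
import re

# Constructed copy of the four OUTPUT rules from this page, for offline analysis.
RULES = """
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range 0.0.0.0-126.254.254.254 -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range 127.0.0.2-137.204.254.254 -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range 137.206.0.0-172.15.254.254 -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range 172.32.0.0-254.254.254.254 -j DROP
"""

RANGE_RE = re.compile(r"--dst-range\s+(\S+)-(\S+)")


def blocked_ranges(rules):
    """Return sorted (first, last) integer pairs for every --dst-range rule ending in -j DROP."""
    out = []
    for line in rules.splitlines():
        m = RANGE_RE.search(line)
        if m and line.rstrip().endswith("-j DROP"):
            lo = int(ipaddress.IPv4Address(m.group(1)))
            hi = int(ipaddress.IPv4Address(m.group(2)))
            out.append((lo, hi))
    return sorted(out)


def allowed_ranges(rules):
    """Return the gaps between the DROP ranges as (first, last) dotted strings.

    Anything in a gap is still reachable by the filtered user.
    """
    allowed = []
    cursor = 0  # first address not yet known to be covered by a DROP range
    for lo, hi in blocked_ranges(rules):
        if lo > cursor:
            allowed.append((str(ipaddress.IPv4Address(cursor)),
                            str(ipaddress.IPv4Address(lo - 1))))
        cursor = max(cursor, hi + 1)
    if cursor <= 0xFFFFFFFF:
        allowed.append((str(ipaddress.IPv4Address(cursor)), "255.255.255.255"))
    return allowed


if __name__ == "__main__":
    for first, last in allowed_ranges(RULES):
        print(f"still allowed: {first} - {last}")
```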


For these filters to work you have to run your client as your DC++ user; to do this, run the command shown below. Replace valknut with whichever DC++ client you use.
su -c valknut dc


You should now have DC++ running as user dc and with external connections blocked. You may find you need to run
xhost +si:localuser:dc
in order to get the GUI running properly from your normal user account (e.g. if you see
Xlib: connection to ":0.0" refused by server
or
Xlib: No protocol specified
type errors). If the problem persists try
xhost +
instead (note that this disables X access control for every client, so prefer the localuser form whenever it works).


NB. These rules will reset whenever you restart your computer, so it is probably wise to create a script with the actual iptables rules and set it to run on startup.

We can do this by using the iptables-save and iptables-restore commands. Once you have your iptables set up correctly, use the following command to save your configuration to a hidden file in your home directory
sudo iptables-save > ~/.iptables

And add the following command to your /etc/rc.local above the exit 0 line (or somewhere else that is run at startup). Because rc.local runs as root, ~ there expands to root's home directory, so give the full path to the saved file (e.g. /home/<your user>/.iptables) rather than relying on ~.
sudo iptables-restore ~/.iptables