Iptables

From twofo wiki

The first thing we need to do is create a user to run your DC++ client under. We do this because iptables doesn't currently support filtering by program, but it does support filtering by user, so we can create iptables rules that apply only to a specific user and run your DC++ client as that user. I'm using "dc" as my user; you can use whatever you want.


Make sure you specify a UID for your user; you will need this later on. I've chosen 1000 as my UID. You should use a number over 1000 that hasn't already been taken (check the /etc/passwd file for this).

adduser dc --uid 1000


Next we need to create the iptables rules.
Run the commands listed below, remembering to use the right UID.
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range 0.0.0.0-126.254.254.254 -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range 127.0.0.2-137.204.254.254 -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range 137.206.0.0-172.15.254.254 -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner 1000 -m iprange --dst-range 172.32.0.0-254.254.254.254 -j DROP
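As an added example (not part of the original wiki page), the following Python script models the four --dst-range DROP rules above, which match inclusively on both ends, so you can check which destinations the dc user can still reach before loading the rules into iptables. It assumes the OUTPUT chain policy is ACCEPT, as the page does, and it also lists the addresses the .254 upper bounds leave unmatched.

```python
import ipaddress

# The four --dst-range DROP rules from the page, as inclusive (first, last) pairs.
DROP_RANGES = [
    ("0.0.0.0", "126.254.254.254"),
    ("127.0.0.2", "137.204.254.254"),
    ("137.206.0.0", "172.15.254.254"),
    ("172.32.0.0", "254.254.254.254"),
]

_ALL_ONES = 0xFFFFFFFF


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def is_dropped(dst):
    """True if a packet from the dc user to dst matches one of the DROP rules."""
    n = _to_int(dst)
    return any(_to_int(lo) <= n <= _to_int(hi) for lo, hi in DROP_RANGES)


def allowed_ranges():
    """Destinations not covered by any DROP rule, as (first, last) strings.

    With an ACCEPT policy on OUTPUT these are exactly what the dc user can reach.
    """
    spans = sorted((_to_int(lo), _to_int(hi)) for lo, hi in DROP_RANGES)
    gaps, cursor = [], 0
    for lo, hi in spans:
        if lo > cursor:
            gaps.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor <= _ALL_ONES:
        gaps.append((cursor, _ALL_ONES))
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in gaps]


if __name__ == "__main__":
    # Prints the loopback, 137.205.x.x and 172.16-31.x.x holes the page intends,
    # plus the stray x.254.254.255 style addresses the .254 bounds miss.
    for lo, hi in allowed_ranges():
        print(f"allowed: {lo} - {hi}")
```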


For these filters to work you have to run your client as your DC++ user. To do this, run the command shown below, replacing valknut with whichever DC++ client you use.
su -c valknut dc


You should now have DC++ running as user dc and with external connections blocked. You may find you need to run
xhost +si:localuser:dc
in order to get the GUI running properly from your normal user account (e.g. if you see errors such as
Xlib: connection to ":0.0" refused by server
or
Xlib: No protocol specified
). If the problem persists, try
xhost +
instead, bearing in mind that this disables X access control entirely rather than just for the dc user.


NB. These rules will reset whenever you restart your computer, so it is probably wise to create a script with the actual iptables rules and set it to run on startup.

We can do this by using the iptables-save and iptables-restore commands. Once you have your iptables set up correctly, use the following command to save your configuration to a hidden file in your home directory
sudo iptables-save > ~/.iptables

And add the following command to your /etc/rc.local above the exit 0 line (or somewhere that will be run at startup). Note that rc.local runs as root, so ~ there expands to root's home directory; give the full path to the file you saved if it lives in your own home directory.
sudo iptables-restore ~/.iptables