Whenever I launch Skype on my computer, it gets banned from the
university network within a few minutes; the ban expires again after a few
minutes when I close Skype. This is likely due to the aggresive nature of
Skype, maybe the firewalls think it is trying to do a DDoS attack. One of the
known big issues of using Skype.
For Windows users, there are some known workaround to limit Skype that
usually involve registry editing. These are however not available on Linux,
Therefore, I decided to play around with advanced iptables functionality.
While you cannot match the originating process reliably (the owner match module
seemed to include such functionality at some point, but it was deemed
unreliable on multi-core systems). However, there are other and more efficient
methods of achieving the same.
Here's my setup:
# Add a system group for Skype
addgroup --system skype
# Override permissions of skype (assuming Debian package!)
dpkg-statoverride --update --add root skype 2755 `which skype`
And these are the iptables rules I use:
iptables -I OUTPUT -p tcp -m owner --gid-owner skype \
-m multiport ! --dports 80,443 -j REJECT
iptables -I OUTPUT -p udp -m owner --gid-owner skype -j REJECT
They allow outgoing connections by Skype only on ports 80 and 443, which
supposedly do not trigger the firewall (in fact, this filter is recommended
by our network administration for Skype).
Or wrapped as pyroman
firewall configuration tool; aptitude install pyroman
Skype restriction to avoid firewall block.
Raw iptables commands.
iptables(Firewall.output, "-p tcp -m owner --gid-owner skype -m multiport ! --dports 80,443 -j %s" % Firewall.reject)
iptables(Firewall.output, "-p udp -m owner --gid-owner skype -j %s" % Firewall.reject)
which I've put just after the conntrack default module, as 05_skype.py
Update: Above approach may now fail with the error "Refusing to
initialize GTK+". This is because GTK will now refuse to run as setgid. Here is a fresh workaround:
As administrator, add users that are allowed to use skype to the skype group: adduser youruser skype.
These users can now use the command sg skype skype (switch group to "skype", and execute "skype").
While above dpkg-statoverride is no longer necessary, it should prevent skype from running
with incorrect privileges, so I'm keeping it for now.