Whenever I launch Skype on my computer, it gets banned from the university network within a few minutes; the ban expires again after a few minutes when I close Skype. This is likely due to the aggressive nature of Skype, maybe the firewalls think it is trying to do a DDoS attack. One of the known big issues of using Skype.

For Windows users, there are some known workarounds to limit Skype that usually involve registry editing. These are however not available on Linux, unfortunately.

Therefore, I decided to play around with advanced iptables functionality. You cannot match the originating process reliably (the owner match module seemed to include such functionality at some point, but it was deemed unreliable on multi-core systems). However, there are other and more efficient methods of achieving the same.

Here’s my setup:

# Add a system group for Skype
addgroup --system skype
# Override permissions of skype (assuming Debian package!)
dpkg-statoverride --update --add root skype 2755 `which skype`

And these are the iptables rules I use:

iptables -I OUTPUT -p tcp -m owner --gid-owner skype \
    -m multiport ! --dports 80,443 -j REJECT
iptables -I OUTPUT -p udp -m owner --gid-owner skype -j REJECT

They allow outgoing connections by Skype only on ports 80 and 443, which supposedly do not trigger the firewall (in fact, this filter is recommended by our network administration for Skype).

Or wrapped as pyroman (my firewall configuration tool; aptitude install pyroman) module:

"""
Skype restriction to avoid firewall block.

Raw iptables commands.
"""
iptables(Firewall.output, "-p tcp -m owner --gid-owner skype -m multiport ! --dports 80,443 -j %s" % Firewall.reject)
iptables(Firewall.output, "-p udp -m owner --gid-owner skype -j %s" % Firewall.reject)

which I’ve put just after the conntrack default module, as 05_skype.py

Update: The above approach may now fail with the error “Refusing to initialize GTK+”. This is because GTK will now refuse to run as setgid. Here is a fresh workaround:

As administrator, add users that are allowed to use skype to the skype group: adduser youruser skype. These users can now use the command sg skype skype (switch group to “skype”, and execute “skype”).

While the above dpkg-statoverride is no longer necessary, it should prevent skype from running with incorrect privileges, so I’m keeping it for now.
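To confirm that the two REJECT rules from this post are actually loaded for the skype group, the following check reads `iptables -S OUTPUT` output and reports what is missing. It is an added example, not part of the original post; the function names, the status strings and the sample GID 123 are made up for illustration, and it assumes the rule text that current iptables prints.

```shell
#!/bin/sh
# Audit a saved OUTPUT chain for the two Skype REJECT rules from the post.
# Usage (as root; "skype" is the group created above):
#   iptables -S OUTPUT | check_skype_rules "$(getent group skype | cut -d: -f3)"
# Assumption: `iptables -S` prints the owner match with the numeric GID and
# the negated multiport match as "! --dports", as current iptables does.
check_skype_rules() {
    gid=$1; tcp=0; udp=0; shadowed=0
    while IFS= read -r rule; do
        case $rule in
            "-A OUTPUT -p tcp -m owner --gid-owner $gid -m multiport ! --dports 80,443 -j REJECT"*)
                tcp=1 ;;
            "-A OUTPUT -p udp -m owner --gid-owner $gid -j REJECT"*)
                udp=1 ;;
            "-A OUTPUT -j ACCEPT")
                # An unconditional ACCEPT ahead of either rule lets traffic out first.
                if [ "$tcp" -eq 0 ] || [ "$udp" -eq 0 ]; then shadowed=1; fi ;;
        esac
    done
    if [ "$tcp" -eq 0 ]; then echo "missing-tcp-rule"; return 1; fi
    if [ "$udp" -eq 0 ]; then echo "missing-udp-rule"; return 1; fi
    if [ "$shadowed" -eq 1 ]; then echo "shadowed-by-accept"; return 1; fi
    echo "ok"
}

# Constructed sample of `iptables -S OUTPUT` output (GID 123 is made up).
# The UDP rule comes first because -I inserts at the top of the chain.
sample_good() {
    cat <<'EOF'
-P OUTPUT ACCEPT
-A OUTPUT -p udp -m owner --gid-owner 123 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m owner --gid-owner 123 -m multiport ! --dports 80,443 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}
```

iptables only filters IPv4, so on a host with IPv6 connectivity the same check can be run against `ip6tables -S OUTPUT`.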