Linux Guide
BetBlocker on Linux runs as a systemd service and uses iptables/nftables for network-level DNS redirection.
Supported distributions: Ubuntu 22.04+, Debian 12+, Fedora 38+, RHEL/AlmaLinux 9+
Installation
Requirements
- systemd (v245+)
- iptables or nftables
- x86-64 or aarch64 architecture
- Root or sudo access for installation
Install via package manager
Debian / Ubuntu (.deb):

```bash
# Download the .deb from your server or betblocker.com
sudo apt install ./betblocker_1.2.3_amd64.deb
```

Fedora / RHEL / AlmaLinux (.rpm):

```bash
sudo dnf install ./betblocker-1.2.3.x86_64.rpm
```

The package installs the agent binary, systemd unit files, and an AppArmor/SELinux policy profile. It does not enroll the device.
Enroll the device
After installing the package, enroll:

```bash
sudo betblocker-agent enroll \
  --server https://betblocker.example.com \
  --token tok_...
```

The enrollment command:
- Registers the device with the server
- Downloads the blocklist
- Starts and enables the systemd service
Blocking begins immediately after enrollment.
Verify
```bash
systemctl status betblocker-agent
# Expected: active (running)

# Test a block
nslookup gamblingsite.com 127.0.0.53
# Expected: NXDOMAIN
```

What the Service Does
systemd units
| Unit | Description |
|---|---|
| betblocker-agent.service | Main agent process. Runs the local DNS resolver, blocklist matching, heartbeat, and event reporting. |
| betblocker-watchdog.service | Monitors and restarts the agent. Mutual supervision — the agent also monitors the watchdog. |
Both units are enabled at boot and run as root (required for binding port 53 and managing iptables rules).
DNS redirection
The agent installs an iptables (or nftables) rule that redirects all outbound UDP/TCP port 53 traffic to 127.0.0.53:

```text
# iptables rule installed by agent
-t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.53:53
-t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.53:53
```

These rules persist across reboots via a betblocker-iptables.service unit that restores them on startup. The rules are applied for all users on the system.
File locations
- /usr/bin/betblocker-agent — agent binary
- /etc/betblocker/ — configuration directory
- /var/lib/betblocker/ — blocklist cache, device cert, local event DB
- /var/log/betblocker/ — log files
- /lib/systemd/system/ — unit files
- /etc/apparmor.d/usr.bin.betblocker — AppArmor profile (if AppArmor is active)

AppArmor Profile Setup
On Ubuntu and Debian, AppArmor is active by default and BetBlocker ships with a profile.
Check profile status
```bash
sudo aa-status | grep betblocker
# Expected: /usr/bin/betblocker-agent (enforce)
```

If the profile is in complain mode instead of enforce

```bash
sudo aa-enforce /etc/apparmor.d/usr.bin.betblocker
sudo systemctl restart betblocker-agent
```

If you need to customise the profile
The profile restricts file access to the directories listed above and network access to the configured server URL. If you are running BetBlocker in a non-standard configuration (e.g., custom installation paths), edit /etc/apparmor.d/usr.bin.betblocker and reload:

```bash
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.betblocker
```

SELinux Profile Setup
On Fedora, RHEL, and AlmaLinux, SELinux is active in enforcing mode. BetBlocker ships an SELinux policy module.
Install the policy module
The RPM package installs the module automatically. To verify:

```bash
semodule -l | grep betblocker
# Expected: betblocker
```

If the module is not installed

```bash
sudo semodule -i /usr/share/betblocker/betblocker.pp
sudo restorecon -rv /usr/bin/betblocker-agent /etc/betblocker /var/lib/betblocker
```

Check for SELinux denials

```bash
sudo ausearch -m avc -ts recent | grep betblocker
sudo journalctl -t setroubleshoot | grep betblocker
```

If you see denials that prevent the agent from functioning, generate a local policy to allow them:

```bash
sudo ausearch -m avc -ts recent | audit2allow -M betblocker-local
sudo semodule -i betblocker-local.pp
```

Report any denials that appear to be bugs — the upstream policy should cover all required access.
Updating
The agent updates automatically via the package manager when a new version is available — if you have automatic updates enabled. The agent also self-updates when signalled by the server on heartbeat.
Manual update:

```bash
# Debian / Ubuntu
sudo apt update && sudo apt install betblocker

# Fedora / RHEL
sudo dnf update betblocker
```

The systemd units restart automatically after package update. Blocking is interrupted for only a few seconds during restart.
Uninstallation
Uninstallation requires an approved unenrollment first.
- Complete the unenrollment process in the web dashboard
- Remove the package:

  ```bash
  # Debian / Ubuntu
  sudo apt remove --purge betblocker
  # Fedora / RHEL
  sudo dnf remove betblocker
  ```

The purge/remove step cleans up iptables rules, removes the AppArmor/SELinux profile, and disables the systemd units.
Troubleshooting
Service not starting

```bash
# Check service status and recent logs
systemctl status betblocker-agent
journalctl -u betblocker-agent -n 50 --no-pager
```

Common causes:
- Port 53 already in use: systemd-resolved or another local DNS service may be listening on 53.

  ```bash
  ss -tulnp | grep :53
  ```

  If systemd-resolved is using port 53:

  ```bash
  # Check if DNSStubListener is active
  grep DNSStubListener /etc/systemd/resolved.conf
  # If not set or set to yes, disable it:
  echo "DNSStubListener=no" | sudo tee -a /etc/systemd/resolved.conf
  sudo systemctl restart systemd-resolved
  sudo systemctl restart betblocker-agent
  ```
- Cannot connect to server: check BETBLOCKER_SERVER_URL in /etc/betblocker/config.toml and test connectivity:

  ```bash
  curl -sv https://betblocker.example.com/health
  ```
- SELinux or AppArmor denial: see the relevant section above.
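
The grep in the port 53 step also matches a commented-out #DNSStubListener=yes line, so this added example (not BetBlocker code) parses the file and reports the value systemd-resolved will actually use. It reads only the text it is given and ignores drop-in files under /etc/systemd/resolved.conf.d/; the function names and sample contents are constructed for illustration.

```shell
# Added example: report the DNSStubListener value that systemd-resolved will use.
# Reads resolved.conf text on stdin; an unset key means the default, "yes".
effective_stub_listener() {
  awk '
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }       # trim whitespace
    $0 == "" || /^[#;]/ { next }                        # blanks and comments
    /^\[/ { in_resolve = ($0 == "[Resolve]"); next }    # track the section
    in_resolve && /^DNSStubListener[ \t]*=/ {
      value = $0; sub(/^[^=]*=[ \t]*/, "", value)       # last assignment wins
    }
    END { print (value == "" ? "yes" : value) }
  '
}

# stub_holds_port53: exit 0 if the stub listener is still enabled (reads stdin).
stub_holds_port53() {
  case "$(effective_stub_listener)" in
    no|false|off|0) return 1 ;;
    *)              return 0 ;;
  esac
}

# Constructed samples: a file where the key appears only as a comment, and the
# same file after the append step shown in the list above.
STOCK='[Resolve]
#DNS=
#DNSStubListener=yes'
FIXED="$STOCK
DNSStubListener=no"

# Live use: stub_holds_port53 < /etc/systemd/resolved.conf
for cfg in "$STOCK" "$FIXED"; do
  if printf '%s\n' "$cfg" | stub_holds_port53; then
    echo "stub listener enabled"
  else
    echo "stub listener disabled"
  fi
done
```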
DNS not being redirected
```bash
# Check iptables rules are present
sudo iptables -t nat -L OUTPUT | grep DNAT

# If missing, restore them
sudo systemctl restart betblocker-iptables
```

If you are using nftables without the iptables compatibility layer:

```bash
sudo nft list ruleset | grep betblocker
```

The agent auto-detects whether iptables or nftables is in use during installation.
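
A stricter check than grepping for DNAT, as an added example that is not part of BetBlocker: it reads the output of iptables -t nat -S OUTPUT and reports, per protocol, whether the redirect to 127.0.0.53:53 is present, points elsewhere, or sits behind another port-53 rule. The function names and sample rulesets are constructed for illustration.

```shell
# Added example: audit the nat OUTPUT chain for the DNS redirect rules.
# Input: text in the format printed by `iptables -t nat -S OUTPUT`.
EXPECTED_DEST="127.0.0.53:53"   # destination from the rules shown on this page

# check_dns_redirect PROTO: reads rules on stdin and prints one of
# ok | missing | wrong-destination | shadowed
check_dns_redirect() {
  awk -v proto="$1" -v dest="$EXPECTED_DEST" '
    $1 == "-A" && $2 == "OUTPUT" {
      p = ""; dport = ""; target = ""; to = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p")               p = $(i + 1)
        if ($i == "--dport")          dport = $(i + 1)
        if ($i == "-j")               target = $(i + 1)
        if ($i == "--to-destination") to = $(i + 1)
      }
      if (p != proto || dport != "53") next     # not a port-53 rule for PROTO
      if (target == "DNAT") {
        found = 1
        print (to != dest ? "wrong-destination" : earlier ? "shadowed" : "ok")
        exit
      }
      earlier = 1   # a non-DNAT port-53 rule is evaluated before the redirect
    }
    END { if (!found) print "missing" }
  '
}

# audit_dns_redirect: reads a ruleset on stdin, returns 0 only if UDP and TCP are ok.
audit_dns_redirect() {
  rules=$(cat); rc=0
  for proto in udp tcp; do
    status=$(printf '%s\n' "$rules" | check_dns_redirect "$proto")
    echo "$proto/53: $status"
    [ "$status" = ok ] || rc=1
  done
  return "$rc"
}

# Constructed samples: intact listing (iptables adds -m udp / -m tcp when listing),
# and a drifted one with the TCP rule gone and the UDP rule pointing elsewhere.
INTACT='-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.53:53
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.53:53'
DRIFTED='-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 192.0.2.10:53'

# Live use: sudo iptables -t nat -S OUTPUT | audit_dns_redirect
printf '%s\n' "$INTACT" | audit_dns_redirect
printf '%s\n' "$DRIFTED" | audit_dns_redirect || echo "DNS redirect is not intact"
```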
Gambling site not blocked
```bash
# Check what DNS server the agent is using
cat /etc/betblocker/config.toml | grep upstream_dns

# Test the local resolver directly
dig @127.0.0.53 gamblingsite.com
# Expected: NXDOMAIN

# Check the blocklist is current
sudo betblocker-agent status
# Shows: blocklist version, last sync, entry count
```

Multi-user systems
On shared Linux machines, BetBlocker blocks DNS for all users — there is no per-user bypass. If a user has sudo access, they could potentially modify iptables rules. For maximum protection on shared systems, the AppArmor/SELinux profiles restrict the agent binary from modification, and the enrollment tier should be set to partner or authority so that the accountability structure is external to the machine.
Collecting a diagnostic bundle
```bash
sudo betblocker-agent diagnostics --output /tmp/bb-diag.tar.gz
```

The bundle contains logs and configuration (secrets redacted). Share it with support if you cannot resolve an issue from the steps above.