How to block internet access for wine applications?

There's a nice tutorial on blocking any given program from accessing the Internet on the Ubuntu forums.

Steps

sudo addgroup no-internet  # Create group "no-internet"
sudo adduser $USER no-internet  # Add current user to no-internet

iptables rule to prevent that group from accessing the network

sudo iptables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP
sudo ip6tables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP # To also block IPv6 traffic

Run the process you don't want to have internet access with sg or sudo -g (execute a command with a different group ID):

sg no-internet -c "processFullPath args"

It basically involves creating a new group, denying it Internet access, and then running any program you want to restrict as that group ID. So in your case, you would just always run wine using the method described in the tutorial.


Make a group and become a member of it

addgroup wino

adduser $USER wino

Now enter an iptables rule to block that group from using the internet. You can type this in the terminal and hit enter:

iptables -A OUTPUT -m owner --gid-owner wino -j REJECT

To make this rule run after each reboot with systemd, use iptables-persistent save from the iptables-persistent package.

If using rc-local: You can put the rule in /etc/rc.local. Make sure the last line in that text file says exit 0.

Usage example:

sg wino "wine executablename.exe"

You need the quotes, and you also have to type wine before the program's name.
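A small wrapper that ties the two steps of the group recipe above together, as an added example (not code from either of the answers): it refuses to start the program unless the DROP rule for the group is actually loaded, checks that you are a member of the group, and quotes the program arguments safely for the single string sg -c expects. The group name no-internet, the script name and all function names are assumptions.

```shell
#!/bin/sh
# nonet-wine: run a Wine program under the "no-internet" group from the
# answers above. Added example, not code from the original answers; the group
# name, the wrapper name and the helper functions are this script's own choices.
NONET_GROUP="${NONET_GROUP:-no-internet}"

# Shell-quote each argument so that the single command string handed to
# "sg -c" survives file names with spaces or quotes (e.g. "My Game.exe").
quote_args() {
    out=""
    for a in "$@"; do
        q=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
        out="$out '$q'"
    done
    printf '%s' "${out# }"
}

# True if the current user is a member of the group (sg refuses otherwise).
in_group() {
    id -nG | tr ' ' '\n' | grep -qx "$1"
}

# Fail closed: refuse to start unless the DROP rule for the group is loaded.
# "iptables -C" exits 0 when the rule exists and 1 when it does not.
rule_present() {
    sudo iptables -C OUTPUT -m owner --gid-owner "$1" -j DROP 2>/dev/null
}

main() {
    [ $# -ge 1 ] || { echo "usage: $0 program.exe [args...]" >&2; exit 2; }
    in_group "$NONET_GROUP" || { echo "you are not in group $NONET_GROUP" >&2; exit 1; }
    rule_present "$NONET_GROUP" || {
        echo "no DROP rule for group $NONET_GROUP; not starting $1" >&2
        echo "load it with: sudo iptables -I OUTPUT 1 -m owner --gid-owner $NONET_GROUP -j DROP" >&2
        exit 1
    }
    # Primary GID becomes $NONET_GROUP, so every socket wine opens is dropped.
    # Note the rule also drops loopback traffic, just like IPAddressDeny=any.
    exec sg "$NONET_GROUP" -c "wine $(quote_args "$@")"
}

# Only act when invoked with a program to run, so the helpers can be sourced.
case $# in 0) ;; *) main "$@" ;; esac
```

Add the matching ip6tables rule as in the first answer if the machine has IPv6 connectivity; the wrapper only checks the IPv4 rule.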


To add to your wine (or PlayOnLinux virtual drives) registry:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
"ProxyHttp.1.1"=dword:00000000
"ProxyOverride"="<local>"
"ProxyServer"="http://NonExistantProxyAddress:80"
"User Agent"="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

A much simpler solution than using groups indeed (and it does not prevent POL itself from connecting, just the apps).

credits to http://ootput.wordpress.com/2011/06/06/block-wine-applications-from-the-internet/comment-page-1/

EDIT: waiting for the geek in the comments to add registry settings to block TCP; in the meantime: http://support.microsoft.com/en-us/kb/154596 (it sounds like setting the ports to zero or creating some config error will indeed block TCP/UDP connections; but I haven't faced that issue yet, so I don't need a workaround).


Simply run app as:

systemd-run --scope -p IPAddressDeny=any wine myapp.exe

The IPAddressDeny=… option denies access to a set of IPv4 and IPv6 addresses. The special value any blocks all of them, for all IP-based protocols such as TCP, UDP, ICMP, SCTP, etc.

Example of usage (note: for this demo I had to fix wine ping, since it was timing out on me):

$ export WINEDEBUG=-all   # remove debug prints for the demo
$ wine ping localhost     # check that ping works
Pinging localhost [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time=1ms TTL=64

Ping statistics for 127.0.0.1
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 1ms, Average = 0ms
$ systemd-run --scope -p IPAddressDeny=any wine ping localhost   # well, not anymore
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to manage system services or other units.
Multiple identities can be used for authentication:
 1.  constantine
 2.  archie
Choose identity to authenticate as (1-2): 1
Password:
==== AUTHENTICATION COMPLETE ====
Running scope as unit: run-u28936.scope
Pinging localhost [127.0.0.1] with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 127.0.0.1
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

For the rest of the answer I'm going to copy text from my other, similar answer on unix.se:


Note: this is going to ask you for a password, but the app gets launched as your user. Do not let this delude you into thinking that the command needs sudo, because that would cause the command to run as root, which hardly was your intention.

If you want to avoid entering the password (after all, you already own your resources, so why would you need a password to limit them), you could use the --user option; however, for this to work you need cgroups v2 support enabled, which right now requires booting with the systemd.unified_cgroup_hierarchy kernel parameter.