Linux: restricting outgoing connections on an application basis

As far as I know, the only way to restrict Internet connectivity on an application-by-application basis is through SELinux capabilities, and it involves giving applications that must have Internet connectivity additional privileges. I doubt that giving Firefox additional privileges will contribute to security, and an application that tries to access the Internet could do it through Firefox or wget or some other “legitimate” application anyway. Furthermore, for scripts, I think you'd have to give the capabilities to the interpreter (e.g. /usr/bin/python) which doesn't discriminate in any useful way.

You can restrict Internet connectivity on a user-by-user basis; see bind software to different network interfaces and Dual network connection for examples. Or you can run applications that you don't want to grant Internet connectivity to in a lightweight virtual environment such as LXC.


EDIT: this solution doesn't work since kernel 2.6.14. See Gilles' comment.

You can use iptables rules in the OUTPUT chain matching process names with the --cmd-owner option. Something like:

# Allow replies on connections that were already accepted
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow new outgoing traffic only from these process names (--cmd-owner was removed in kernel 2.6.14, see the edit above)
iptables -A OUTPUT -m owner --cmd-owner "firefox-bin" -j ACCEPT
iptables -A OUTPUT -m owner --cmd-owner "ssh" -j ACCEPT
# Everything else is dropped (DENY is not a valid iptables target; DROP is)
iptables -A OUTPUT -j DROP

With that you permit output traffic from firefox-bin, ssh and established connections.
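Since --cmd-owner is gone, the per-user restriction suggested in the first answer is the practical replacement: the owner match still supports --uid-owner. The following is an added example, not code from either answer; it assumes iptables is installed and that a dedicated unprivileged user (called "nonet" here) has already been created, e.g. with useradd.

```shell
#!/bin/sh
# Added example (not from the original answers): restrict outgoing traffic
# per user with `-m owner --uid-owner`, then run the untrusted program as
# that user. Assumes iptables and an existing sandbox user named "nonet",
# created beforehand with: useradd --system --shell /usr/sbin/nologin nonet

# Emit the OUTPUT-chain rules for one user, one iptables command per line,
# so they can be reviewed before being applied. The owner match only works
# in the OUTPUT and POSTROUTING chains.
egress_rules_for_user() {
    user="$1"
    # Loopback stays open so local services (DNS cache, X11, D-Bus) keep working.
    echo "iptables -A OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT"
    # Replies on connections that were already accepted (e.g. inbound ones).
    echo "iptables -A OUTPUT -m owner --uid-owner $user -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Log each blocked attempt (rate limited): the kernel log line is the
    # detection signal that the program tried to reach the network.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -m limit --limit 10/min -j LOG --log-prefix \"egress-blocked $user: \""
    # Reject rather than drop so the program fails fast instead of hanging.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j REJECT --reject-with icmp-port-unreachable"
}

# Apply the rules; needs root. Review with egress_rules_for_user first.
apply_egress_rules_for_user() {
    egress_rules_for_user "$1" | sh -e
}

# Run a program as the restricted user: every socket it opens is owned by
# that uid and therefore hits the rules above.
run_without_network() {
    user="$1"; shift
    sudo -u "$user" -- "$@"
}

# Sanity check: the emitted rule set must end in a REJECT for the user,
# otherwise traffic falls through to the chain's default policy.
rules_end_with_reject() {
    egress_rules_for_user "$1" | tail -n 1 | grep -q -- "--uid-owner $1 -j REJECT"
}
```

Usage: review with `egress_rules_for_user nonet`, apply as root with `apply_egress_rules_for_user nonet`, then start the program with `run_without_network nonet some-program`. The caveat from the first answer still applies: a program running as that user cannot reach the network itself, but nothing here stops it from asking another, unrestricted process to do so on its behalf.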