How to control internet access for each program?

Solution 1:

NOTE: Douane is no longer actively developed and is reported to not work in later Ubuntu versions. This solution may not work, but the answer is kept as is for historical reasons.

In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane

My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.

Have a look at the website ;-)


Solution 2:

I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.

  1. Create a group no-internet. Do not join this group.

    sudo addgroup no-internet
    
  2. Add a rule to iptables that prevents all processes belonging to the group no-internet from using the network (use ip6tables to also prevent IPv6 traffic)

    sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
    
  3. Execute sudo -g no-internet YOURCOMMAND instead of YOURCOMMAND.

You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding

%sudo     ALL=(:no-internet)      NOPASSWD: ALL

or something similar, with sudo visudo.

Use iptables-save and iptables-restore to persist the firewall rules.
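The three steps of this answer, put together as a wrapper script. This is an added example, not code from the original answer; it assumes an Ubuntu box with sudo, addgroup, iptables and ip6tables installed, and is meant to be saved as a file called no-net and given execute permission.

```sh
#!/bin/sh
# no-net: run a command with no network access by automating the
# no-internet group + iptables owner-match rule from the answer above.
# Added example, not part of the original answer. Assumes Ubuntu with
# sudo, addgroup, iptables and ip6tables available. Usage: no-net CMD...
set -eu

GROUP="${NO_NET_GROUP:-no-internet}"

# The owner-match rule: drop every outgoing packet from a socket whose
# owning process runs with the given group id.
rule_args() {
    printf 'OUTPUT -m owner --gid-owner %s -j DROP\n' "$1"
}

# Append the rule only if it is missing (-C checks for it), so running the
# wrapper repeatedly never stacks duplicate rules. $1 is the firewall
# command (e.g. "sudo iptables"), $2 the group. Prints "present" or "added".
ensure_rule() {
    ipt="$1"; grp="$2"
    # word-splitting $ipt and the rule into separate arguments is intended
    if $ipt -C $(rule_args "$grp") 2>/dev/null; then
        echo present
    else
        $ipt -A $(rule_args "$grp")
        echo added
    fi
}

main() {
    [ $# -gt 0 ] || { echo "usage: no-net COMMAND [ARGS...]" >&2; exit 2; }
    # step 1: create the group once; never add your own user to it
    getent group "$GROUP" >/dev/null || sudo addgroup "$GROUP"
    # step 2: the DROP rule, for IPv4 and IPv6
    echo "iptables:  $(ensure_rule "sudo iptables"  "$GROUP")" >&2
    echo "ip6tables: $(ensure_rule "sudo ip6tables" "$GROUP")" >&2
    # step 3: run the command with no-internet as its primary group;
    # exec so the wrapper does not linger as an extra parent process
    exec sudo -g "$GROUP" -- "$@"
}

# Only run the wrapper when invoked as "no-net" (not when sourced/tested).
if [ "${0##*/}" = "no-net" ]; then
    main "$@"
fi
```

To confirm the rule is working, a simple fetch such as `no-net wget -q --timeout=5 -O /dev/null https://ubuntu.com` should fail while the same command without the wrapper succeeds; the rules still need iptables-save/iptables-restore to survive a reboot.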

Solution 3:

Another option is firejail. It runs the application inside a sandbox where you control whether the application can see the network:

firejail --net=none firefox

This command will start Firefox browser without internet access. Note that the firejail distribution in the Ubuntu repo is outdated - better download its latest LTS version from the firejail home page.

Solution 4:

There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).

Solution 5:

There is already a firewall in Ubuntu, ufw, but it is disabled by default. You can enable and use it from the command line or through its frontend, gufw, which is installable directly from the Ubuntu Software Centre.

If you need to block the internet access to a specific application, you can try LeopardFlower, which is still in beta version and it is not available in the Ubuntu Software Centre: