How to control internet access for each program?
Solution 1:
NOTE: Douane is no longer actively developed and is reported to not work in later Ubuntu versions. This solution may not work, but the answer is kept as is for historical reasons.
In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane
My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.
Have a look at the website ;-)
Solution 2:
I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.
- Create a group no-internet. Do not join this group:
  sudo addgroup no-internet
- Add a rule to iptables that prevents all processes belonging to the group no-internet from using the network (use ip6tables to also prevent IPv6 traffic):
  sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
- Execute
  sudo -g no-internet YOURCOMMAND
  instead of YOURCOMMAND.
You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding
%sudo ALL=(:no-internet) NOPASSWD: ALL
or something similar with sudo visudo.
Use iptables-save and iptables-restore to persist firewall rules.
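The wrapper script that the answer suggests, as an added example (not code from the original answers): it creates the no-internet group if missing, installs the owner-match DROP rule for both iptables and ip6tables only when it is not already present (so repeated runs do not stack duplicate rules), and then launches the command under that group. The group name, the DRY_RUN switch and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: wrapper for the "no-internet" group technique.
# Assumes iptables/ip6tables and sudo are installed; DRY_RUN=1 only
# prints the privileged commands instead of executing them.

NI_GROUP="${NI_GROUP:-no-internet}"   # assumed group name
DRY_RUN="${DRY_RUN:-0}"

# Run a privileged command, or print it when DRY_RUN=1.
run_priv() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'sudo %s\n' "$*"
    else
        sudo "$@"
    fi
}

# Create the group only if it does not exist yet (addgroup would fail).
ensure_group() {
    if [ "$DRY_RUN" = "1" ] || ! getent group "$NI_GROUP" >/dev/null; then
        run_priv addgroup "$NI_GROUP"
    fi
}

# Append the DROP rule for one iptables binary (iptables or ip6tables),
# but only if "-C" reports that an identical rule is not already present.
ensure_rule() {
    ipt="$1"
    if [ "$DRY_RUN" = "1" ] || \
       ! sudo "$ipt" -C OUTPUT -m owner --gid-owner "$NI_GROUP" -j DROP 2>/dev/null; then
        run_priv "$ipt" -A OUTPUT -m owner --gid-owner "$NI_GROUP" -j DROP
    fi
}

# Block both IPv4 and IPv6 for the group, then run the command with
# no-internet as its primary group so the owner match applies to it.
offline_run() {
    ensure_group
    ensure_rule iptables
    ensure_rule ip6tables
    run_priv -g "$NI_GROUP" "$@"
}
```

Source the file and call offline_run YOURCOMMAND, or try DRY_RUN=1 first to see the exact commands it would run.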
Solution 3:
Another option is firejail. It runs the application inside a sandbox where you control whether the application can see the network:
firejail --net=none firefox
This command will start the Firefox browser without internet access. Note that the firejail distribution in the Ubuntu repo is outdated; it is better to download its latest LTS version from the firejail home page.
Solution 4:
There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).
Solution 5:
There is already a firewall in Ubuntu, ufw, but it is disabled by default. You can enable and use it from the command line or through its frontend, gufw, which is installable directly from the Ubuntu Software Centre.
If you need to block the internet access to a specific application, you can try LeopardFlower, which is still in beta version and it is not available in the Ubuntu Software Centre: