How to block internet access to certain programs on Linux

Recently, I have encountered the problem of limiting Internet access to specific programs. Could anybody recommend a good way of doing that, without using any particular software?


Solution 1:

The solution for me happened to be straight forward.

  1. Create and validate a new group, then add the required users to it:
    • Create: groupadd no-internet
    • Validate: grep no-internet /etc/group
    • Add user: useradd -g no-internet username

      Note: If you're modifying an already existing user, you should run: usermod -a -G no-internet userName and check with: sudo groups userName

  2. Create a script in your path and make it executable:
    • Create: nano /home/username/.local/bin/no-internet
    • Executable: chmod 755 /home/username/.local/bin/no-internet
    • Content:

      #!/bin/bash
      # run the given command string with no-internet as its group
      sg no-internet "$@"

  3. Add an iptables rule for dropping network activity for the group no-internet:
    • iptables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP

      Note: Don't forget to make the changes permanent, so they are applied automatically after a reboot. How to do that depends on your Linux distribution.

  4. Check it, for example on Firefox, by running: no-internet "firefox"

In case you would want to make an exception and allow a program to access the local network:

  • iptables -A OUTPUT -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT
  • iptables -A OUTPUT -m owner --gid-owner no-internet -d 127.0.0.0/8 -j ACCEPT
  • iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP

NOTE: In case of spawning, the rules will be maintained. For example, if you run a program with the no-internet rule and that program opens a browser window, the rules will still be applied.
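The steps of this answer as one script, added here as an example and not part of the answer itself. It assumes iptables/ip6tables, sg, getent and curl are installed; the group name and wrapper path are the answer's, while LAN, LAN6 and CHECK_URL are placeholders for your own network. It goes slightly beyond the answer in three ways: the group's traffic is diverted into a dedicated chain so the loopback/LAN exceptions always sit before the DROP (inserting the DROP at OUTPUT position 1 and appending the exceptions behind it would leave them unreachable), the same rules are applied with ip6tables because iptables only filters IPv4, and DRY_RUN=1 prints the commands instead of running them so the plan can be reviewed first. Making the rules persistent is still distribution-specific, as the answer notes.

```shell
#!/bin/sh
# Scripted version of Solution 1 (added example, not the answer's own code).
# Assumptions: iptables/ip6tables, sg, getent and curl exist; LAN, LAN6 and
# CHECK_URL are placeholders for your environment.
set -eu

GROUP="${GROUP:-no-internet}"
WRAPPER="${WRAPPER:-${HOME:-/tmp}/.local/bin/no-internet}"
LAN="${LAN:-192.168.1.0/24}"   # placeholder: IPv4 network the program may still reach
LAN6="${LAN6:-}"               # placeholder: optional IPv6 equivalent, empty = none
CHAIN="NO_INTERNET"
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: group. usermod -a -G adds a supplementary group and leaves the
# user's primary group alone (the answer's useradd -g is for a brand-new user).
ensure_group() {
    if ! getent group "$GROUP" >/dev/null 2>&1; then run groupadd "$GROUP"; fi
    run usermod -a -G "$GROUP" "$1"
}

# Step 2: wrapper. sg takes exactly one command string and hands it to a shell,
# so the arguments are joined with "$*"; the answer's "$@" works only when the
# whole command is passed as a single quoted word.
write_wrapper() {
    mkdir -p "$(dirname "$WRAPPER")"
    printf '#!/bin/sh\nexec sg %s "$*"\n' "$GROUP" > "$WRAPPER"
    chmod 755 "$WRAPPER"
}

# True when the chain already exists (never consulted in dry-run mode).
chain_exists() { [ "$DRY_RUN" != "1" ] && "$1" -S "$2" >/dev/null 2>&1; }

# Step 3: rules, once per address family. The dedicated chain fixes the order:
# loopback ACCEPT, optional LAN ACCEPT, then DROP. The jump is inserted at the
# top of OUTPUT so no distribution ACCEPT rule matches first; -C keeps a
# second run from adding a duplicate jump.
apply_rules() {
    fam="$1"; loopback="$2"; lan="${3:-}"
    if ! chain_exists "$fam" "$CHAIN"; then run "$fam" -N "$CHAIN"; fi
    run "$fam" -F "$CHAIN"
    run "$fam" -A "$CHAIN" -d "$loopback" -j ACCEPT
    if [ -n "$lan" ]; then run "$fam" -A "$CHAIN" -d "$lan" -j ACCEPT; fi
    run "$fam" -A "$CHAIN" -j DROP
    if [ "$DRY_RUN" = "1" ] || ! "$fam" -C OUTPUT -m owner --gid-owner "$GROUP" -j "$CHAIN" 2>/dev/null; then
        run "$fam" -I OUTPUT 1 -m owner --gid-owner "$GROUP" -j "$CHAIN"
    fi
}

# Step 4: check. The jump must be present, and a fetch through the wrapper
# must fail (run the same curl outside the wrapper to confirm it otherwise works).
check() {
    iptables -S OUTPUT | grep -q -- "-j $CHAIN" || { echo "jump rule missing"; return 1; }
    url="${CHECK_URL:-https://example.com}"   # placeholder host for the connectivity test
    if "$WRAPPER" "curl -sS --max-time 5 -o /dev/null $url"; then
        echo "FAIL: group $GROUP still reaches $url"; return 1
    fi
    echo "OK: group $GROUP cannot reach $url"
}

case "${1:-}" in
    setup) ensure_group "${2:?user name required}"; write_wrapper
           apply_rules iptables 127.0.0.0/8 "$LAN"
           apply_rules ip6tables ::1/128 "$LAN6" ;;
    check) check ;;
    *) echo "usage: $0 setup <user> | check   (DRY_RUN=1 only prints the commands)" ;;
esac
```

Run `DRY_RUN=1 sh no-internet-setup.sh setup username` first to see the exact groupadd/usermod/iptables commands, then the same command as root without DRY_RUN, and finally `sh no-internet-setup.sh check` as the user. Because sg checks group membership in the group database rather than the login session, the wrapper works without logging out and back in.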

Solution 2:

A more straightforward possibility: use firejail. It runs the application inside a sandbox. In the sandbox, you can control the application's access to any network or folder on your computer.

To execute a certain application without network access, do the following:

firejail --net=none <application>

In that case, "The sandbox looks like a computer without any network interfaces." (See Network Section in documentation)

For example, firejail --net=none firefox will start firefox without any network connection.

Installation

See the Installation documentation. You should install from the package system of your distribution or, better, get the latest LTS version. (For example, this latest LTS version, 9.56.2, also works in Ubuntu 16.04.)

Solution 3:

From the answers to How to disable Internet connection for a single process and Block network access of a process:

Then, starting a process without network access is as simple as:

unshare -n program ...

This creates an empty network namespace for the process. That is, it is run with no network interfaces, not even loopback. In the example below we add -r to run the program only after the current effective user and group IDs have been mapped to the superuser ones (avoiding sudo):

unshare -r -n ping google.com