Cfrgtkky

In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane

My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.

Have a look at the website ;-)

I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.

1. 
   

   Create a group no-internet. Do not join this group

   
   
   

   sudo addgroup no-internet
   
   

   
   


2. 
   

   Add a rule to iptables that prevents all processes belonging to the group no-internet from using the network (use ip6tables to also prevent IPv6 traffic)

   
   
   

   iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
   
   

   
   


3. Execute sudo -g no-internet YOURCOMMAND instead of YOURCOMMAND.

You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding

%sudo     ALL=(:no-internet)      NOPASSWD: ALL

or something similar with sudo visudo

Use the iptables-save and iptables-restore to persist firewall rules.

There is already a firewall in Ubuntu, ufw, but it is disabled by default. You can enable and use it by the command line or its frontend, gufw, that is installable directly from the Ubuntu Software Centre.

If you need to block the internet access to a specific application, you can try LeopardFlower, which is still in beta version and it is not available in the Ubuntu Software Centre:

@psusi:
I really wish people wouldn't peddle bad and not useful information. IPTables allows one to do this, so I'd hardly consider it "foolhardy".
Just saying "NO" without understanding a use case is somewhat narrow minded.
http://www.debian-administration.org/article/120/Application_level_firewalling

EDIT bodhi.zazen

NOTE - THIS OPTION WAS REMOVED FROM IPTABLES IN 2005, 8 YEARS BEFORE THIS ANSWER WAS POSTED

SEE - http://www.spinics.net/lists/netfilter/msg49716.html

commit 34b4a4a624bafe089107966a6c56d2a1aca026d4 Author: Christoph
Hellwig Date: Sun Aug 14 17:33:59 2005 -0700

[NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner

Rip out cmd/sid/pid matching since its unfixable broken and stands in the
way of locking changes to tasklist_lock.

Signed-off-by: Christoph Hellwig <hch@xxxxxx>

Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>

Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>

Running a program under another user will use the config files for that user and not yours.

Here is a solution that does not require modifying the firewall rules, and runs under the same user (via sudo) with a modified environment, where your user is my_user and the app you want to run is my_app:

# run app without access to internet

sudo unshare -n sudo -u my_user my_app

For more details see man unshare and this answer.

Linux GUI firewall

If you are looking for a GUI firewall I've had good results with OpenSnitch — it's not yet in ubuntu repos and I wouldn't call it production-level, but following the build steps from the github page worked for me.

I have found the solution posted here to be a good one. It involves creating a user-group for which internet access is allowed, and setting up firewall rules to allow access only for this group. The only way for an application to access the internet is if it is run by a member of this group. You can run programs under this group by opening a shell with sudo -g internet -s.

To recap what's in the post I linked above:

1. Create the "internet" group by typing the following into a shell: sudo groupadd internet




2. Ensure that the user who will run the script below is added to the sudo group in /etc/group. If you end up modifying this file, then you will need to log out and back in before the script below will work.



3. 
   

   Create a script containing the following, and run it:

   
   
   

   #!/bin/sh
   
   # Firewall apps - only allow apps run from "internet" group to run
   
   
   
   # clear previous rules
   
   sudo iptables -F
   
   
   
   # accept packets for internet group
   
   sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
   
   
   
   # also allow local connections
   
   sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
   
   sudo iptables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT
   
   
   
   # reject packets for other users
   
   sudo iptables -A OUTPUT -p tcp -j REJECT
   
   
   
   # open a shell with internet access
   
   sudo -g internet -s
   
   

   
   



4. By running the above script, you will have a shell in which you can run applications with internet access.

Note that this script doesn't do anything to save and restore your firewall rules. You may wish to modify the script to use the iptables-save and iptables-restore shell commands.

For better or worse, Linux uses a different approach. There is no simple graphical interface to offer this functionality. There are many discussions on this topic on the internet and you can find interesting discussions if you google search. While debate is interesting, to date there has not been a dedicated group of programmers wanting to write and maintain this functionality.

The tools that offer this functionality in Linux are Apparmor, Selinux, and Tomoyo.

None of these tools are overly easy to learn and all have advantages and disadvantages. Personally I prefer SELinux, although SELinux has a steeper learning curve.

See:

http://www.linuxbsdos.com/2011/12/06/3-application-level-firewalls-for-linux-distributions/

There was (is) an application that has been referenced already, leopardflower. I am not sure of the status / maintance.

It was in iptables up to kernel version 2.6.24
If you are running a 2.x - 2.6.24 machine and your kernel has it complied in you can do it.
for some reason they took it out, so no its not microsoft.
http://cateee.net/lkddb/web-lkddb/IP_NF_MATCH_OWNER.html

Try Leopard Flower. It has a GUI and per-application restrictions.

No, it isn't possible. It also isn't part of the traditional definition of a firewall. It is something that Microsoft came up with fairly recently in an attempt to paper around their fundamentally broken OS security problems. It is considered foolhardy and unworkable in the Linux community because one program that isn't allowed can simply run another program that is and gain access that way.

If you don't like what a program is doing on the network when you run it, then don't run that program.

Another option is firejail. It runs the application inside sandbox where you control if the application could see the network:

firejail --net=none firefox

This command will start Firefox browser without internet access.
Note that the firejail distribution in the Ubuntu repo is outdated - better download its latest LTS version from the firejail home page.