How to control internet access for each program?












53















I would like to use a software to control which program may connect to the internet. I know that this behaviour is associated with the word "firewall", but some Linux users are very upset if somebody demands a Personal Firewall. I don't want to upset you by demand such a program.

I don't want to "secure ports" or other stuff a Personal Firewall promises on Windows. I looked into iptables but it does not fit my requirements.



I saw an excellent answer here ("How to block internet access for wine applications") but it's very uncomfortable to set this up.



Is there a software that asks for each program if it may access the internet?










share|improve this question

























  • on mac there is a software called little snitch that does this. I think there is a windows version also...

    – Alvar
    May 25 '11 at 13:47


















53















I would like to use a software to control which program may connect to the internet. I know that this behaviour is associated with the word "firewall", but some Linux users are very upset if somebody demands a Personal Firewall. I don't want to upset you by demand such a program.

I don't want to "secure ports" or other stuff a Personal Firewall promises on Windows. I looked into iptables but it does not fit my requirements.



I saw an excellent answer here ("How to block internet access for wine applications") but it's very uncomfortable to set this up.



Is there a software that asks for each program if it may access the internet?










share|improve this question

























  • on mac there is a software called little snitch that does this. I think there is a windows version also...

    – Alvar
    May 25 '11 at 13:47
















53












53








53


24






I would like to use a software to control which program may connect to the internet. I know that this behaviour is associated with the word "firewall", but some Linux users are very upset if somebody demands a Personal Firewall. I don't want to upset you by demand such a program.

I don't want to "secure ports" or other stuff a Personal Firewall promises on Windows. I looked into iptables but it does not fit my requirements.



I saw an excellent answer here ("How to block internet access for wine applications") but it's very uncomfortable to set this up.



Is there a software that asks for each program if it may access the internet?










share|improve this question
















I would like to use a software to control which program may connect to the internet. I know that this behaviour is associated with the word "firewall", but some Linux users are very upset if somebody demands a Personal Firewall. I don't want to upset you by demand such a program.

I don't want to "secure ports" or other stuff a Personal Firewall promises on Windows. I looked into iptables but it does not fit my requirements.



I saw an excellent answer here ("How to block internet access for wine applications") but it's very uncomfortable to set this up.



Is there a software that asks for each program if it may access the internet?







firewall iptables






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Apr 13 '17 at 12:25









Community

1




1










asked May 25 '11 at 9:30









guerdaguerda

5611512




5611512













  • on mac there is a software called little snitch that does this. I think there is a windows version also...

    – Alvar
    May 25 '11 at 13:47





















  • on mac there is a software called little snitch that does this. I think there is a windows version also...

    – Alvar
    May 25 '11 at 13:47



















on mac there is a software called little snitch that does this. I think there is a windows version also...

– Alvar
May 25 '11 at 13:47







on mac there is a software called little snitch that does this. I think there is a windows version also...

– Alvar
May 25 '11 at 13:47












12 Answers
12






active

oldest

votes


















6














There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).






share|improve this answer


























  • I will have a look at it. It's interesting an may be the right tool. Unfortunately, there's no gui, but it shouldn't stop me :)

    – guerda
    May 25 '11 at 11:13



















31














In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane



My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.



Have a look at the website ;-)



screen shot






share|improve this answer


























  • Cool! I looked also at ppa but no package there despite application is created there. Also I wonder if it could show the ip resolved to a readable site name? And, I am going to follow the compilation instructions, I saw many tips for ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). May be checkinstall could be used to create your distributables too I think.

    – Aquarius Power
    Oct 8 '14 at 4:47











  • You can open feature request on Github (github.com/Douane/Douane/issues) :)

    – ZedTuX
    Oct 8 '14 at 9:50






  • 1





    uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu.

    – azerafati
    Mar 14 '16 at 14:06











  • Still not package for Ubuntu?

    – Anwar
    Apr 30 '16 at 6:05











  • Nope, no none came to me regarding Ubuntu :(

    – ZedTuX
    Apr 30 '16 at 8:23



















22














I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.





  1. Create a group no-internet. Do not join this group



    sudo addgroup no-internet



  2. Add a rule to iptables that prevents all processes belonging to the group no-internet from using the network (use ip6tables to also prevent IPv6 traffic)



    iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP


  3. Execute sudo -g no-internet YOURCOMMAND instead of YOURCOMMAND.


You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding



%sudo     ALL=(:no-internet)      NOPASSWD: ALL


or something similar with sudo visudo



Use the iptables-save and iptables-restore to persist firewall rules.






share|improve this answer





















  • 1





    I tried your guide, sudo -g no-internet firefox connects faster than default one. It doesn't work.

    – kenn
    Apr 14 '14 at 12:22











  • @kenn I can only say that it works fine here. I would guess that you are doing something wrong when creating the rule. Not saving the rule, not making the script executable or something like that.

    – Tim
    Apr 14 '14 at 13:53











  • I rebooted and applied above rules again with no luck

    – kenn
    Apr 14 '14 at 14:32











  • It was sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP for me, sudo was required.

    – Artur Klesun
    Mar 29 '18 at 16:38













  • worked perfectly for me, even with firefox. thank you!

    – Kostanos
    Aug 8 '18 at 23:09



















4














There is already a firewall in Ubuntu, ufw, but it is disabled by default. You can enable and use it by the command line or its frontend, gufw, that is installable directly from the Ubuntu Software Centre.



If you need to block the internet access to a specific application, you can try LeopardFlower, which is still in beta version and it is not available in the Ubuntu Software Centre:






share|improve this answer

































    3














    @psusi:
    I really wish people wouldn't peddle bad and not useful information. IPTables allows one to do this, so I'd hardly consider it "foolhardy".
    Just saying "NO" without understanding a use case is somewhat narrow minded.
    http://www.debian-administration.org/article/120/Application_level_firewalling



    EDIT bodhi.zazen



    NOTE - THIS OPTION WAS REMOVED FROM IPTABLES IN 2005, 8 YEARS BEFORE THIS ANSWER WAS POSTED



    SEE - http://www.spinics.net/lists/netfilter/msg49716.html




    commit 34b4a4a624bafe089107966a6c56d2a1aca026d4 Author: Christoph
    Hellwig Date: Sun Aug 14 17:33:59 2005 -0700



    [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner



    Rip out cmd/sid/pid matching since its unfixable broken and stands in the
    way of locking changes to tasklist_lock.



    Signed-off-by: Christoph Hellwig <hch@xxxxxx>
    Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>






    share|improve this answer





















    • 2





      To anyone considering flagging this: This should not be a comment instead, it answers the question that was asked. @user141987 I do recommend expanding this to provide more information about how to set up iptables to implement per-application restrictions, however. I recommend including the important information in your answer (and still providing the link, for reference).

      – Eliah Kagan
      Mar 20 '13 at 13:50






    • 1





      iptables does NOT filter by application.

      – Panther
      Mar 20 '13 at 16:58











    • That article appears to be misinformation since there is no such option. The reason why requests to create such an option in the past were rejected is because it would be inherently unreliable; an application can simply change its name.

      – psusi
      Mar 21 '13 at 13:24






    • 3





      @psusi Are you saying "If your kernel was compiled with CONFIG_IP_NF_MATCH_OWNER then you can configure your iptables firewall to allow or reject packets on a per-command basis" is incorrect? Or simply that most kernels don't include the option? If this is incorrect, are there sources of information that debunk it? (Also, please note that the primary purpose of per-application firewall restrictions is not to try to make it perfectly safe to run untrusted applications. The purpose is primarily to give the user a measure of control beyond applications' built-in configuration options.)

      – Eliah Kagan
      Mar 21 '13 at 17:27













    • This option was removed from the kernel in 2005, 8 years before this answer was given - spinics.net/lists/netfilter/msg49716.html and despite claims to the contrary is inaccurate, you can NOT application filter with iptables.

      – Panther
      Jul 20 '17 at 22:49





















    3














    Running a program under another user will use the config files for that user and not yours.



    Here is a solution that does not require modifying the firewall rules, and runs under the same user (via sudo) with a modified environment, where your user is my_user and the app you want to run is my_app:





    # run app without access to internet
    sudo unshare -n sudo -u my_user my_app


    For more details see man unshare and this answer.



    Linux GUI firewall



    If you are looking for a GUI firewall I've had good results with OpenSnitch — it's not yet in ubuntu repos and I wouldn't call it production-level, but following the build steps from the github page worked for me.






    share|improve this answer

































      2














      I have found the solution posted here to be a good one. It involves creating a user-group for which internet access is allowed, and setting up firewall rules to allow access only for this group. The only way for an application to access the internet is if it is run by a member of this group. You can run programs under this group by opening a shell with sudo -g internet -s.



      To recap what's in the post I linked above:




      1. Create the "internet" group by typing the following into a shell: sudo groupadd internet


      2. Ensure that the user who will run the script below is added to the sudo group in /etc/group. If you end up modifying this file, then you will need to log out and back in before the script below will work.



      3. Create a script containing the following, and run it:



        #!/bin/sh
        # Firewall apps - only allow apps run from "internet" group to run

        # clear previous rules
        sudo iptables -F

        # accept packets for internet group
        sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT

        # also allow local connections
        sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
        sudo iptables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT

        # reject packets for other users
        sudo iptables -A OUTPUT -p tcp -j REJECT

        # open a shell with internet access
        sudo -g internet -s


      4. By running the above script, you will have a shell in which you can run applications with internet access.



      Note that this script doesn't do anything to save and restore your firewall rules. You may wish to modify the script to use the iptables-save and iptables-restore shell commands.






      share|improve this answer

































        1














        For better or worse, Linux uses a different approach. There is no simple graphical interface to offer this functionality. There are many discussions on this topic on the internet and you can find interesting discussions if you google search. While debate is interesting, to date there has not been a dedicated group of programmers wanting to write and maintain this functionality.



        The tools that offer this functionality in Linux are Apparmor, Selinux, and Tomoyo.



        None of these tools are overly easy to learn and all have advantages and disadvantages. Personally I prefer SELinux, although SELinux has a steeper learning curve.



        See:



        http://www.linuxbsdos.com/2011/12/06/3-application-level-firewalls-for-linux-distributions/



        There was (is) an application that has been referenced already, leopardflower. I am not sure of the status / maintance.






        share|improve this answer































          1














          It was in iptables up to kernel version 2.6.24
          If you are running a 2.x - 2.6.24 machine and your kernel has it complied in you can do it.
          for some reason they took it out, so no its not microsoft.
          http://cateee.net/lkddb/web-lkddb/IP_NF_MATCH_OWNER.html






          share|improve this answer
























          • debian-administration.org/?article=120

            – not really
            Sep 9 '13 at 4:12



















          1














          Try Leopard Flower. It has a GUI and per-application restrictions.






          share|improve this answer

































            0














            No, it isn't possible. It also isn't part of the traditional definition of a firewall. It is something that Microsoft came up with fairly recently in an attempt to paper around their fundamentally broken OS security problems. It is considered foolhardy and unworkable in the Linux community because one program that isn't allowed can simply run another program that is and gain access that way.



            If you don't like what a program is doing on the network when you run it, then don't run that program.






            share|improve this answer



















            • 6





              Microsoft's firewall was not the first major firewall to offer this functionality. It wasn't even the first Windows firewall to offer it. BlackIce Defender, ZoneAlarm, and a variety of other software firewalls for Windows predate the introduction of the Windows Internet Connection Firewall by years. Furthermore, there is no such consensus in the Linux community. We often use AppArmor (or SELinux) to constrain the behavior of applications (and I wonder if AppArmor could be adapted to this purpose...). There's no reason it's "wrong" to want to control what apps can access the Internet.

              – Eliah Kagan
              Mar 20 '13 at 13:40













            • And, as several other answers can attest, per-application firewall restrictions are quite possible; this functionality is built into iptables/netfilter!

              – Eliah Kagan
              Mar 20 '13 at 13:46











            • No, neither netfilter nor iptables can filter per application. They can filter by user and port but not per application.

              – Panther
              Mar 20 '13 at 16:56











            • "Can simply run another"???? Then obviously the creator of such a program that doesn't block the child processes of the target program is vastly flawed.

              – trusktr
              Aug 3 '13 at 6:16



















            0














            Another option is firejail. It runs the application inside sandbox where you control if the application could see the network:



            firejail --net=none firefox


            This command will start Firefox browser without internet access.
            Note that the firejail distribution in the Ubuntu repo is outdated - better download its latest LTS version from the firejail home page.






            share|improve this answer























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "89"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f45072%2fhow-to-control-internet-access-for-each-program%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              12 Answers
              12






              active

              oldest

              votes








              12 Answers
              12






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              6














              There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).






              share|improve this answer


























              • I will have a look at it. It's interesting an may be the right tool. Unfortunately, there's no gui, but it shouldn't stop me :)

                – guerda
                May 25 '11 at 11:13
















              6














              There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).






              share|improve this answer


























              • I will have a look at it. It's interesting an may be the right tool. Unfortunately, there's no gui, but it shouldn't stop me :)

                – guerda
                May 25 '11 at 11:13














              6












              6








              6







              There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).






              share|improve this answer















              There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Jul 6 '14 at 12:35









              Sparhawk

              5,12862965




              5,12862965










              answered May 25 '11 at 11:02









              Florian DieschFlorian Diesch

              65.3k16162180




              65.3k16162180













              • I will have a look at it. It's interesting an may be the right tool. Unfortunately, there's no gui, but it shouldn't stop me :)

                – guerda
                May 25 '11 at 11:13



















              • I will have a look at it. It's interesting an may be the right tool. Unfortunately, there's no gui, but it shouldn't stop me :)

                – guerda
                May 25 '11 at 11:13

















              I will have a look at it. It's interesting an may be the right tool. Unfortunately, there's no gui, but it shouldn't stop me :)

              – guerda
              May 25 '11 at 11:13





              I will have a look at it. It's interesting an may be the right tool. Unfortunately, there's no gui, but it shouldn't stop me :)

              – guerda
              May 25 '11 at 11:13













              31














              In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane



              My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.



              Have a look at the website ;-)



              screen shot






              share|improve this answer


























              • Cool! I looked also at ppa but no package there despite application is created there. Also I wonder if it could show the ip resolved to a readable site name? And, I am going to follow the compilation instructions, I saw many tips for ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). May be checkinstall could be used to create your distributables too I think.

                – Aquarius Power
                Oct 8 '14 at 4:47











              • You can open feature request on Github (github.com/Douane/Douane/issues) :)

                – ZedTuX
                Oct 8 '14 at 9:50






              • 1





                uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu.

                – azerafati
                Mar 14 '16 at 14:06











              • Still not package for Ubuntu?

                – Anwar
                Apr 30 '16 at 6:05











              • Nope, no none came to me regarding Ubuntu :(

                – ZedTuX
                Apr 30 '16 at 8:23
















              31














              In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane



              My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.



              Have a look at the website ;-)



              screen shot






              share|improve this answer


























              • Cool! I looked also at ppa but no package there despite application is created there. Also I wonder if it could show the ip resolved to a readable site name? And, I am going to follow the compilation instructions, I saw many tips for ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). May be checkinstall could be used to create your distributables too I think.

                – Aquarius Power
                Oct 8 '14 at 4:47











              • You can open feature request on Github (github.com/Douane/Douane/issues) :)

                – ZedTuX
                Oct 8 '14 at 9:50






              • 1





                uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu.

                – azerafati
                Mar 14 '16 at 14:06











              • Still not package for Ubuntu?

                – Anwar
                Apr 30 '16 at 6:05











              • Nope, no none came to me regarding Ubuntu :(

                – ZedTuX
                Apr 30 '16 at 8:23














              31












              31








              31







              In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane



              My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.



              Have a look at the website ;-)



              screen shot






              share|improve this answer















              In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane



              My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.



              Have a look at the website ;-)



              screen shot







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Jan 19 at 11:34









              janot

              77111028




              77111028










              answered Aug 8 '13 at 17:56









              ZedTuXZedTuX

              51857




              51857













              • Cool! I looked also at ppa but no package there despite application is created there. Also I wonder if it could show the ip resolved to a readable site name? And, I am going to follow the compilation instructions, I saw many tips for ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). May be checkinstall could be used to create your distributables too I think.

                – Aquarius Power
                Oct 8 '14 at 4:47











              • You can open feature request on Github (github.com/Douane/Douane/issues) :)

                – ZedTuX
                Oct 8 '14 at 9:50






              • 1





                uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu.

                – azerafati
                Mar 14 '16 at 14:06











              • Still not package for Ubuntu?

                – Anwar
                Apr 30 '16 at 6:05











              • Nope, no none came to me regarding Ubuntu :(

                – ZedTuX
                Apr 30 '16 at 8:23



















              • Cool! I looked also at ppa but no package there despite application is created there. Also I wonder if it could show the ip resolved to a readable site name? And, I am going to follow the compilation instructions, I saw many tips for ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). May be checkinstall could be used to create your distributables too I think.

                – Aquarius Power
                Oct 8 '14 at 4:47











              • You can open feature request on Github (github.com/Douane/Douane/issues) :)

                – ZedTuX
                Oct 8 '14 at 9:50






              • 1





                uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu.

                – azerafati
                Mar 14 '16 at 14:06











              • Still not package for Ubuntu?

                – Anwar
                Apr 30 '16 at 6:05











              • Nope, no none came to me regarding Ubuntu :(

                – ZedTuX
                Apr 30 '16 at 8:23

















              Cool! I looked also at ppa but no package there despite application is created there. Also I wonder if it could show the ip resolved to a readable site name? And, I am going to follow the compilation instructions, I saw many tips for ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). May be checkinstall could be used to create your distributables too I think.

              – Aquarius Power
              Oct 8 '14 at 4:47





              Cool! I looked also at ppa but no package there despite application is created there. Also I wonder if it could show the ip resolved to a readable site name? And, I am going to follow the compilation instructions, I saw many tips for ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). May be checkinstall could be used to create your distributables too I think.

              – Aquarius Power
              Oct 8 '14 at 4:47













              You can open feature request on Github (github.com/Douane/Douane/issues) :)

              – ZedTuX
              Oct 8 '14 at 9:50





              You can open feature request on Github (github.com/Douane/Douane/issues) :)

              – ZedTuX
              Oct 8 '14 at 9:50




              1




              1





              uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu.

              – azerafati
              Mar 14 '16 at 14:06





              uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu.

              – azerafati
              Mar 14 '16 at 14:06













              Still not package for Ubuntu?

              – Anwar
              Apr 30 '16 at 6:05





              Still not package for Ubuntu?

              – Anwar
              Apr 30 '16 at 6:05













              Nope, no none came to me regarding Ubuntu :(

              – ZedTuX
              Apr 30 '16 at 8:23





              Nope, no none came to me regarding Ubuntu :(

              – ZedTuX
              Apr 30 '16 at 8:23











              22














              I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.





              1. Create a group no-internet. Do not join this group



                sudo addgroup no-internet



              2. Add a rule to iptables that prevents all processes belonging to the group no-internet from using the network (use ip6tables to also prevent IPv6 traffic)



                iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP


              3. Execute sudo -g no-internet YOURCOMMAND instead of YOURCOMMAND.


              You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding



              %sudo     ALL=(:no-internet)      NOPASSWD: ALL


              or something similar with sudo visudo



              Use the iptables-save and iptables-restore to persist firewall rules.






              share|improve this answer





















              • 1





                I tried your guide, sudo -g no-internet firefox connects faster than default one. It doesn't work.

                – kenn
                Apr 14 '14 at 12:22











              • @kenn I can only say that it works fine here. I would guess that you are doing something wrong when creating the rule. Not saving the rule, not making the script executable or something like that.

                – Tim
                Apr 14 '14 at 13:53











              • I rebooted and applied above rules again with no luck

                – kenn
                Apr 14 '14 at 14:32











              • It was sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP for me, sudo was required.

                – Artur Klesun
                Mar 29 '18 at 16:38













              • worked perfectly for me, even with firefox. thank you!

                – Kostanos
                Aug 8 '18 at 23:09
















              22














              I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.





              1. Create a group no-internet. Do not join this group



                sudo addgroup no-internet



              2. Add a rule to iptables that prevents all processes belonging to the group no-internet from using the network (use ip6tables to also prevent IPv6 traffic)



                iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP


              3. Execute sudo -g no-internet YOURCOMMAND instead of YOURCOMMAND.


              You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding



              %sudo     ALL=(:no-internet)      NOPASSWD: ALL


              or something similar with sudo visudo



              Use the iptables-save and iptables-restore to persist firewall rules.






              share|improve this answer





















              • 1





                I tried your guide, sudo -g no-internet firefox connects faster than default one. It doesn't work.

                – kenn
                Apr 14 '14 at 12:22











              • @kenn I can only say that it works fine here. I would guess that you are doing something wrong when creating the rule. Not saving the rule, not making the script executable or something like that.

                – Tim
                Apr 14 '14 at 13:53











              • I rebooted and applied above rules again with no luck

                – kenn
                Apr 14 '14 at 14:32











              • It was sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP for me, sudo was required.

                – Artur Klesun
                Mar 29 '18 at 16:38













              • worked perfectly for me, even with firefox. thank you!

                – Kostanos
                Aug 8 '18 at 23:09














              22












              22








              22







              I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.





              1. Create a group no-internet. Do not join this group



                sudo addgroup no-internet



              2. Add a rule to iptables that prevents all processes belonging to the group no-internet from using the network (use ip6tables to also prevent IPv6 traffic)



                iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP


              3. Execute sudo -g no-internet YOURCOMMAND instead of YOURCOMMAND.


              You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding



              %sudo     ALL=(:no-internet)      NOPASSWD: ALL


              or something similar with sudo visudo



              Use the iptables-save and iptables-restore to persist firewall rules.






              share|improve this answer















              I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.





              1. Create a group no-internet. Do not join this group



                sudo addgroup no-internet



              2. Add a rule to iptables that prevents all processes belonging to the group no-internet from using the network (use ip6tables to also prevent IPv6 traffic)



                iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP


              3. Execute sudo -g no-internet YOURCOMMAND instead of YOURCOMMAND.


              You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding



              %sudo     ALL=(:no-internet)      NOPASSWD: ALL


              or something similar with sudo visudo



              Use the iptables-save and iptables-restore to persist firewall rules.







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Jan 13 at 7:18









              Pablo Bianchi

              2,70421532




              2,70421532










              answered Feb 19 '14 at 12:17









              TimTim

              371138




              371138








              • 1





                I tried your guide, sudo -g no-internet firefox connects faster than default one. It doesn't work.

                – kenn
                Apr 14 '14 at 12:22











              • @kenn I can only say that it works fine here. I would guess that you are doing something wrong when creating the rule. Not saving the rule, not making the script executable or something like that.

                – Tim
                Apr 14 '14 at 13:53











              • I rebooted and applied above rules again with no luck

                – kenn
                Apr 14 '14 at 14:32











              • It was sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP for me, sudo was required.

                – Artur Klesun
                Mar 29 '18 at 16:38













              • worked perfectly for me, even with firefox. thank you!

                – Kostanos
                Aug 8 '18 at 23:09














              • 1





                I tried your guide, sudo -g no-internet firefox connects faster than default one. It doesn't work.

                – kenn
                Apr 14 '14 at 12:22











              • @kenn I can only say that it works fine here. I would guess that you are doing something wrong when creating the rule. Not saving the rule, not making the script executable or something like that.

                – Tim
                Apr 14 '14 at 13:53











              • I rebooted and applied above rules again with no luck

                – kenn
                Apr 14 '14 at 14:32











              • It was sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP for me, sudo was required.

                – Artur Klesun
                Mar 29 '18 at 16:38













              • worked perfectly for me, even with firefox. thank you!

                – Kostanos
                Aug 8 '18 at 23:09








              1




              1





              I tried your guide, sudo -g no-internet firefox connects faster than default one. It doesn't work.

              – kenn
              Apr 14 '14 at 12:22





              I tried your guide, sudo -g no-internet firefox connects faster than default one. It doesn't work.

              – kenn
              Apr 14 '14 at 12:22













              @kenn I can only say that it works fine here. I would guess that you are doing something wrong when creating the rule. Not saving the rule, not making the script executable or something like that.

              – Tim
              Apr 14 '14 at 13:53





              @kenn I can only say that it works fine here. I would guess that you are doing something wrong when creating the rule. Not saving the rule, not making the script executable or something like that.

              – Tim
              Apr 14 '14 at 13:53













              I rebooted and applied above rules again with no luck

              – kenn
              Apr 14 '14 at 14:32





              I rebooted and applied above rules again with no luck

              – kenn
              Apr 14 '14 at 14:32













              It was sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP for me, sudo was required.

              – Artur Klesun
              Mar 29 '18 at 16:38







              It was sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP for me, sudo was required.

              – Artur Klesun
              Mar 29 '18 at 16:38















              worked perfectly for me, even with firefox. thank you!

              – Kostanos
              Aug 8 '18 at 23:09





              worked perfectly for me, even with firefox. thank you!

              – Kostanos
              Aug 8 '18 at 23:09











              4














              There is already a firewall in Ubuntu, ufw, but it is disabled by default. You can enable and use it by the command line or its frontend, gufw, that is installable directly from the Ubuntu Software Centre.



              If you need to block the internet access to a specific application, you can try LeopardFlower, which is still in beta version and it is not available in the Ubuntu Software Centre:






              share|improve this answer






























                4














                There is already a firewall in Ubuntu, ufw, but it is disabled by default. You can enable and use it by the command line or its frontend, gufw, that is installable directly from the Ubuntu Software Centre.



                If you need to block the internet access to a specific application, you can try LeopardFlower, which is still in beta version and it is not available in the Ubuntu Software Centre:






                share|improve this answer




























                  4












                  4








                  4







                  There is already a firewall in Ubuntu, ufw, but it is disabled by default. You can enable and use it by the command line or its frontend, gufw, that is installable directly from the Ubuntu Software Centre.



                  If you need to block the internet access to a specific application, you can try LeopardFlower, which is still in beta version and it is not available in the Ubuntu Software Centre:






                  share|improve this answer















                  There is already a firewall in Ubuntu, ufw, but it is disabled by default. You can enable and use it by the command line or its frontend, gufw, that is installable directly from the Ubuntu Software Centre.



                  If you need to block the internet access to a specific application, you can try LeopardFlower, which is still in beta version and it is not available in the Ubuntu Software Centre:







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited Jan 13 at 7:15









                  Pablo Bianchi

                  2,70421532




                  2,70421532










                  answered Dec 23 '11 at 14:30









                  heiko81heiko81

                  1,85011220




                  1,85011220























                      3














                      @psusi:
                      I really wish people wouldn't peddle bad and not useful information. IPTables allows one to do this, so I'd hardly consider it "foolhardy".
                      Just saying "NO" without understanding a use case is somewhat narrow minded.
                      http://www.debian-administration.org/article/120/Application_level_firewalling



                      EDIT bodhi.zazen



                      NOTE - THIS OPTION WAS REMOVED FROM IPTABLES IN 2005, 8 YEARS BEFORE THIS ANSWER WAS POSTED



                      SEE - http://www.spinics.net/lists/netfilter/msg49716.html




                      commit 34b4a4a624bafe089107966a6c56d2a1aca026d4 Author: Christoph
                      Hellwig Date: Sun Aug 14 17:33:59 2005 -0700



                      [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner



                      Rip out cmd/sid/pid matching since its unfixable broken and stands in the
                      way of locking changes to tasklist_lock.



                      Signed-off-by: Christoph Hellwig <hch@xxxxxx>
                      Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
                      Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>






                      share|improve this answer





















                      • 2





                        To anyone considering flagging this: This should not be a comment instead, it answers the question that was asked. @user141987 I do recommend expanding this to provide more information about how to set up iptables to implement per-application restrictions, however. I recommend including the important information in your answer (and still providing the link, for reference).

                        – Eliah Kagan
                        Mar 20 '13 at 13:50






                      • 1





                        iptables does NOT filter by application.

                        – Panther
                        Mar 20 '13 at 16:58











                      • That article appears to be misinformation since there is no such option. The reason why requests to create such an option in the past were rejected is because it would be inherently unreliable; an application can simply change its name.

                        – psusi
                        Mar 21 '13 at 13:24






                      • 3





                        @psusi Are you saying "If your kernel was compiled with CONFIG_IP_NF_MATCH_OWNER then you can configure your iptables firewall to allow or reject packets on a per-command basis" is incorrect? Or simply that most kernels don't include the option? If this is incorrect, are there sources of information that debunk it? (Also, please note that the primary purpose of per-application firewall restrictions is not to try to make it perfectly safe to run untrusted applications. The purpose is primarily to give the user a measure of control beyond applications' built-in configuration options.)

                        – Eliah Kagan
                        Mar 21 '13 at 17:27













                      • This option was removed from the kernel in 2005, 8 years before this answer was given - spinics.net/lists/netfilter/msg49716.html and despite claims to the contrary is inaccurate, you can NOT application filter with iptables.

                        – Panther
                        Jul 20 '17 at 22:49


















                      3














                      @psusi:
                      I really wish people wouldn't peddle bad and not useful information. IPTables allows one to do this, so I'd hardly consider it "foolhardy".
                      Just saying "NO" without understanding a use case is somewhat narrow minded.
                      http://www.debian-administration.org/article/120/Application_level_firewalling



                      EDIT bodhi.zazen



                      NOTE - THIS OPTION WAS REMOVED FROM IPTABLES IN 2005, 8 YEARS BEFORE THIS ANSWER WAS POSTED



                      SEE - http://www.spinics.net/lists/netfilter/msg49716.html




                      commit 34b4a4a624bafe089107966a6c56d2a1aca026d4 Author: Christoph
                      Hellwig Date: Sun Aug 14 17:33:59 2005 -0700



                      [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner



                      Rip out cmd/sid/pid matching since its unfixable broken and stands in the
                      way of locking changes to tasklist_lock.



                      Signed-off-by: Christoph Hellwig <hch@xxxxxx>
                      Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
                      Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>






                      share|improve this answer





















                      • 2





                        To anyone considering flagging this: This should not be a comment instead, it answers the question that was asked. @user141987 I do recommend expanding this to provide more information about how to set up iptables to implement per-application restrictions, however. I recommend including the important information in your answer (and still providing the link, for reference).

                        – Eliah Kagan
                        Mar 20 '13 at 13:50






                      • 1





                        iptables does NOT filter by application.

                        – Panther
                        Mar 20 '13 at 16:58











                      • That article appears to be misinformation since there is no such option. The reason why requests to create such an option in the past were rejected is because it would be inherently unreliable; an application can simply change its name.

                        – psusi
                        Mar 21 '13 at 13:24






                      • 3





                        @psusi Are you saying "If your kernel was compiled with CONFIG_IP_NF_MATCH_OWNER then you can configure your iptables firewall to allow or reject packets on a per-command basis" is incorrect? Or simply that most kernels don't include the option? If this is incorrect, are there sources of information that debunk it? (Also, please note that the primary purpose of per-application firewall restrictions is not to try to make it perfectly safe to run untrusted applications. The purpose is primarily to give the user a measure of control beyond applications' built-in configuration options.)

                        – Eliah Kagan
                        Mar 21 '13 at 17:27













                      • This option was removed from the kernel in 2005, 8 years before this answer was given - spinics.net/lists/netfilter/msg49716.html and despite claims to the contrary is inaccurate, you can NOT application filter with iptables.

                        – Panther
                        Jul 20 '17 at 22:49
















                      3












                      3








                      3







                      @psusi:
                      I really wish people wouldn't peddle bad and not useful information. IPTables allows one to do this, so I'd hardly consider it "foolhardy".
                      Just saying "NO" without understanding a use case is somewhat narrow minded.
                      http://www.debian-administration.org/article/120/Application_level_firewalling



                      EDIT bodhi.zazen



                      NOTE - THIS OPTION WAS REMOVED FROM IPTABLES IN 2005, 8 YEARS BEFORE THIS ANSWER WAS POSTED



                      SEE - http://www.spinics.net/lists/netfilter/msg49716.html




                      commit 34b4a4a624bafe089107966a6c56d2a1aca026d4 Author: Christoph
                      Hellwig Date: Sun Aug 14 17:33:59 2005 -0700



                      [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner



                      Rip out cmd/sid/pid matching since its unfixable broken and stands in the
                      way of locking changes to tasklist_lock.



                      Signed-off-by: Christoph Hellwig <hch@xxxxxx>
                      Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
                      Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>






                      share|improve this answer















                      @psusi:
                      I really wish people wouldn't peddle bad and not useful information. IPTables allows one to do this, so I'd hardly consider it "foolhardy".
                      Just saying "NO" without understanding a use case is somewhat narrow minded.
                      http://www.debian-administration.org/article/120/Application_level_firewalling



                      EDIT bodhi.zazen



                      NOTE - THIS OPTION WAS REMOVED FROM IPTABLES IN 2005, 8 YEARS BEFORE THIS ANSWER WAS POSTED



                      SEE - http://www.spinics.net/lists/netfilter/msg49716.html




                      commit 34b4a4a624bafe089107966a6c56d2a1aca026d4 Author: Christoph
                      Hellwig Date: Sun Aug 14 17:33:59 2005 -0700



                      [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner



                      Rip out cmd/sid/pid matching since its unfixable broken and stands in the
                      way of locking changes to tasklist_lock.



                      Signed-off-by: Christoph Hellwig <hch@xxxxxx>
                      Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
                      Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited Jul 20 '17 at 22:47









                      Panther

                      79.1k14157259




                      79.1k14157259










                      answered Mar 20 '13 at 13:36









                      user141987user141987

                      391




                      391








                      • 2





                        To anyone considering flagging this: This should not be a comment instead, it answers the question that was asked. @user141987 I do recommend expanding this to provide more information about how to set up iptables to implement per-application restrictions, however. I recommend including the important information in your answer (and still providing the link, for reference).

                        – Eliah Kagan
                        Mar 20 '13 at 13:50






                      • 1





                        iptables does NOT filter by application.

                        – Panther
                        Mar 20 '13 at 16:58











                      • That article appears to be misinformation since there is no such option. The reason why requests to create such an option in the past were rejected is because it would be inherently unreliable; an application can simply change its name.

                        – psusi
                        Mar 21 '13 at 13:24






                      • 3





                        @psusi Are you saying "If your kernel was compiled with CONFIG_IP_NF_MATCH_OWNER then you can configure your iptables firewall to allow or reject packets on a per-command basis" is incorrect? Or simply that most kernels don't include the option? If this is incorrect, are there sources of information that debunk it? (Also, please note that the primary purpose of per-application firewall restrictions is not to try to make it perfectly safe to run untrusted applications. The purpose is primarily to give the user a measure of control beyond applications' built-in configuration options.)

                        – Eliah Kagan
                        Mar 21 '13 at 17:27













                      • This option was removed from the kernel in 2005, 8 years before this answer was given - spinics.net/lists/netfilter/msg49716.html and despite claims to the contrary is inaccurate, you can NOT application filter with iptables.

                        – Panther
                        Jul 20 '17 at 22:49
















                      • 2





                        To anyone considering flagging this: This should not be a comment instead, it answers the question that was asked. @user141987 I do recommend expanding this to provide more information about how to set up iptables to implement per-application restrictions, however. I recommend including the important information in your answer (and still providing the link, for reference).

                        – Eliah Kagan
                        Mar 20 '13 at 13:50






                      • 1





                        iptables does NOT filter by application.

                        – Panther
                        Mar 20 '13 at 16:58











                      • That article appears to be misinformation since there is no such option. The reason why requests to create such an option in the past were rejected is because it would be inherently unreliable; an application can simply change its name.

                        – psusi
                        Mar 21 '13 at 13:24






                      • 3





                        @psusi Are you saying "If your kernel was compiled with CONFIG_IP_NF_MATCH_OWNER then you can configure your iptables firewall to allow or reject packets on a per-command basis" is incorrect? Or simply that most kernels don't include the option? If this is incorrect, are there sources of information that debunk it? (Also, please note that the primary purpose of per-application firewall restrictions is not to try to make it perfectly safe to run untrusted applications. The purpose is primarily to give the user a measure of control beyond applications' built-in configuration options.)

                        – Eliah Kagan
                        Mar 21 '13 at 17:27













                      • This option was removed from the kernel in 2005, 8 years before this answer was given - spinics.net/lists/netfilter/msg49716.html and despite claims to the contrary is inaccurate, you can NOT application filter with iptables.

                        – Panther
                        Jul 20 '17 at 22:49










                      2




                      2





                      To anyone considering flagging this: This should not be a comment instead, it answers the question that was asked. @user141987 I do recommend expanding this to provide more information about how to set up iptables to implement per-application restrictions, however. I recommend including the important information in your answer (and still providing the link, for reference).

                      – Eliah Kagan
                      Mar 20 '13 at 13:50





                      To anyone considering flagging this: This should not be a comment instead, it answers the question that was asked. @user141987 I do recommend expanding this to provide more information about how to set up iptables to implement per-application restrictions, however. I recommend including the important information in your answer (and still providing the link, for reference).

                      – Eliah Kagan
                      Mar 20 '13 at 13:50




                      1




                      1





                      iptables does NOT filter by application.

                      – Panther
                      Mar 20 '13 at 16:58





                      iptables does NOT filter by application.

                      – Panther
                      Mar 20 '13 at 16:58













                      That article appears to be misinformation since there is no such option. The reason why requests to create such an option in the past were rejected is because it would be inherently unreliable; an application can simply change its name.

                      – psusi
                      Mar 21 '13 at 13:24





                      That article appears to be misinformation since there is no such option. The reason why requests to create such an option in the past were rejected is because it would be inherently unreliable; an application can simply change its name.

                      – psusi
                      Mar 21 '13 at 13:24




                      3




                      3





                      @psusi Are you saying "If your kernel was compiled with CONFIG_IP_NF_MATCH_OWNER then you can configure your iptables firewall to allow or reject packets on a per-command basis" is incorrect? Or simply that most kernels don't include the option? If this is incorrect, are there sources of information that debunk it? (Also, please note that the primary purpose of per-application firewall restrictions is not to try to make it perfectly safe to run untrusted applications. The purpose is primarily to give the user a measure of control beyond applications' built-in configuration options.)

                      – Eliah Kagan
                      Mar 21 '13 at 17:27







                      @psusi Are you saying "If your kernel was compiled with CONFIG_IP_NF_MATCH_OWNER then you can configure your iptables firewall to allow or reject packets on a per-command basis" is incorrect? Or simply that most kernels don't include the option? If this is incorrect, are there sources of information that debunk it? (Also, please note that the primary purpose of per-application firewall restrictions is not to try to make it perfectly safe to run untrusted applications. The purpose is primarily to give the user a measure of control beyond applications' built-in configuration options.)

                      – Eliah Kagan
                      Mar 21 '13 at 17:27















                      This option was removed from the kernel in 2005, 8 years before this answer was given - spinics.net/lists/netfilter/msg49716.html and despite claims to the contrary is inaccurate, you can NOT application filter with iptables.

                      – Panther
                      Jul 20 '17 at 22:49







                      This option was removed from the kernel in 2005, 8 years before this answer was given - spinics.net/lists/netfilter/msg49716.html and despite claims to the contrary is inaccurate, you can NOT application filter with iptables.

                      – Panther
                      Jul 20 '17 at 22:49













                      3














                      Running a program under another user will use the config files for that user and not yours.



                      Here is a solution that does not require modifying the firewall rules, and runs under the same user (via sudo) with a modified environment, where your user is my_user and the app you want to run is my_app:





                      # run app without access to internet
                      sudo unshare -n sudo -u my_user my_app


                      For more details see man unshare and this answer.



                      Linux GUI firewall



                      If you are looking for a GUI firewall I've had good results with OpenSnitch — it's not yet in ubuntu repos and I wouldn't call it production-level, but following the build steps from the github page worked for me.






                      share|improve this answer






























                        3














                        Running a program under another user will use the config files for that user and not yours.



                        Here is a solution that does not require modifying the firewall rules, and runs under the same user (via sudo) with a modified environment, where your user is my_user and the app you want to run is my_app:





                        # run app without access to internet
                        sudo unshare -n sudo -u my_user my_app


                        For more details see man unshare and this answer.



                        Linux GUI firewall



                        If you are looking for a GUI firewall I've had good results with OpenSnitch — it's not yet in ubuntu repos and I wouldn't call it production-level, but following the build steps from the github page worked for me.






                        share|improve this answer




























                          3












                          3








                          3







                          Running a program under another user will use the config files for that user and not yours.



                          Here is a solution that does not require modifying the firewall rules, and runs under the same user (via sudo) with a modified environment, where your user is my_user and the app you want to run is my_app:





                          # run app without access to internet
                          sudo unshare -n sudo -u my_user my_app


                          For more details see man unshare and this answer.



                          Linux GUI firewall



                          If you are looking for a GUI firewall I've had good results with OpenSnitch — it's not yet in ubuntu repos and I wouldn't call it production-level, but following the build steps from the github page worked for me.






                          share|improve this answer















                          Running a program under another user will use the config files for that user and not yours.



                          Here is a solution that does not require modifying the firewall rules, and runs under the same user (via sudo) with a modified environment, where your user is my_user and the app you want to run is my_app:





                          # run app without access to internet
                          sudo unshare -n sudo -u my_user my_app


                          For more details see man unshare and this answer.



                          Linux GUI firewall



                          If you are looking for a GUI firewall I've had good results with OpenSnitch — it's not yet in ubuntu repos and I wouldn't call it production-level, but following the build steps from the github page worked for me.







                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited Jan 14 at 15:57

























                          answered Feb 13 '17 at 21:34









                          ccpizzaccpizza

                          829912




                          829912























                              2














                              I have found the solution posted here to be a good one. It involves creating a user-group for which internet access is allowed, and setting up firewall rules to allow access only for this group. The only way for an application to access the internet is if it is run by a member of this group. You can run programs under this group by opening a shell with sudo -g internet -s.



                              To recap what's in the post I linked above:




                              1. Create the "internet" group by typing the following into a shell: sudo groupadd internet


                              2. Ensure that the user who will run the script below is added to the sudo group in /etc/group. If you end up modifying this file, then you will need to log out and back in before the script below will work.



                              3. Create a script containing the following, and run it:



                                #!/bin/sh
                                # Firewall apps - only allow apps run from "internet" group to run

                                # clear previous rules
                                sudo iptables -F

                                # accept packets for internet group
                                sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT

                                # also allow local connections
                                sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
                                sudo iptables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT

                                # reject packets for other users
                                sudo iptables -A OUTPUT -p tcp -j REJECT

                                # open a shell with internet access
                                sudo -g internet -s


                              4. By running the above script, you will have a shell in which you can run applications with internet access.



                              Note that this script doesn't do anything to save and restore your firewall rules. You may wish to modify the script to use the iptables-save and iptables-restore shell commands.






                              share|improve this answer






























                                2














                                I have found the solution posted here to be a good one. It involves creating a user-group for which internet access is allowed, and setting up firewall rules to allow access only for this group. The only way for an application to access the internet is if it is run by a member of this group. You can run programs under this group by opening a shell with sudo -g internet -s.



                                To recap what's in the post I linked above:




                                1. Create the "internet" group by typing the following into a shell: sudo groupadd internet


                                2. Ensure that the user who will run the script below is added to the sudo group in /etc/group. If you end up modifying this file, then you will need to log out and back in before the script below will work.



                                3. Create a script containing the following, and run it:



                                  #!/bin/sh
                                  # Firewall apps - only allow apps run from "internet" group to run

                                  # clear previous rules
                                  sudo iptables -F

                                  # accept packets for internet group
                                  sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT

                                  # also allow local connections
                                  sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
                                  sudo iptables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT

                                  # reject packets for other users
                                  sudo iptables -A OUTPUT -p tcp -j REJECT

                                  # open a shell with internet access
                                  sudo -g internet -s


                                4. By running the above script, you will have a shell in which you can run applications with internet access.



                                Note that this script doesn't do anything to save and restore your firewall rules. You may wish to modify the script to use the iptables-save and iptables-restore shell commands.






                                share|improve this answer




























                                  2












                                  2








                                  2







                                  I have found the solution posted here to be a good one. It involves creating a user-group for which internet access is allowed, and setting up firewall rules to allow access only for this group. The only way for an application to access the internet is if it is run by a member of this group. You can run programs under this group by opening a shell with sudo -g internet -s.



                                  To recap what's in the post I linked above:




                                  1. Create the "internet" group by typing the following into a shell: sudo groupadd internet


                                  2. Ensure that the user who will run the script below is added to the sudo group in /etc/group. If you end up modifying this file, then you will need to log out and back in before the script below will work.



                                  3. Create a script containing the following, and run it:



                                    #!/bin/sh
                                    # Firewall apps - only allow apps run from "internet" group to run

                                    # clear previous rules
                                    sudo iptables -F

                                    # accept packets for internet group
                                    sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT

                                    # also allow local connections
                                    sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
                                    sudo iptables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT

                                    # reject packets for other users
                                    sudo iptables -A OUTPUT -p tcp -j REJECT

                                    # open a shell with internet access
                                    sudo -g internet -s


                                  4. By running the above script, you will have a shell in which you can run applications with internet access.



                                  Note that this script doesn't do anything to save and restore your firewall rules. You may wish to modify the script to use the iptables-save and iptables-restore shell commands.






                                  share|improve this answer















                                  I have found the solution posted here to be a good one. It involves creating a user-group for which internet access is allowed, and setting up firewall rules to allow access only for this group. The only way for an application to access the internet is if it is run by a member of this group. You can run programs under this group by opening a shell with sudo -g internet -s.



                                  To recap what's in the post I linked above:




                                  1. Create the "internet" group by typing the following into a shell: sudo groupadd internet


                                  2. Ensure that the user who will run the script below is added to the sudo group in /etc/group. If you end up modifying this file, then you will need to log out and back in before the script below will work.



                                  3. Create a script containing the following, and run it:



                                    #!/bin/sh
                                    # Firewall apps - only allow apps run from "internet" group to run

                                    # clear previous rules
                                    sudo iptables -F

                                    # accept packets for internet group
                                    sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT

                                    # also allow local connections
                                    sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
                                    sudo iptables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT

                                    # reject packets for other users
                                    sudo iptables -A OUTPUT -p tcp -j REJECT

                                    # open a shell with internet access
                                    sudo -g internet -s


                                  4. By running the above script, you will have a shell in which you can run applications with internet access.



                                  Note that this script doesn't do anything to save and restore your firewall rules. You may wish to modify the script to use the iptables-save and iptables-restore shell commands.







                                  share|improve this answer














                                  share|improve this answer



                                  share|improve this answer








                                  edited Sep 21 '15 at 1:43

























                                  answered Aug 26 '15 at 19:12









                                  MarkMark

                                  1,1911014




                                  1,1911014























                                      1














                                      For better or worse, Linux uses a different approach. There is no simple graphical interface to offer this functionality. There are many discussions on this topic on the internet and you can find interesting discussions if you google search. While debate is interesting, to date there has not been a dedicated group of programmers wanting to write and maintain this functionality.



                                      The tools that offer this functionality in Linux are Apparmor, Selinux, and Tomoyo.



                                      None of these tools are overly easy to learn and all have advantages and disadvantages. Personally I prefer SELinux, although SELinux has a steeper learning curve.



                                      See:



                                      http://www.linuxbsdos.com/2011/12/06/3-application-level-firewalls-for-linux-distributions/



                                      There was (is) an application that has been referenced already, leopardflower. I am not sure of the status / maintance.






                                      share|improve this answer




























                                        1














                                        For better or worse, Linux uses a different approach. There is no simple graphical interface to offer this functionality. There are many discussions on this topic on the internet and you can find interesting discussions if you google search. While debate is interesting, to date there has not been a dedicated group of programmers wanting to write and maintain this functionality.



                                        The tools that offer this functionality in Linux are Apparmor, Selinux, and Tomoyo.



                                        None of these tools are overly easy to learn and all have advantages and disadvantages. Personally I prefer SELinux, although SELinux has a steeper learning curve.



                                        See:



                                        http://www.linuxbsdos.com/2011/12/06/3-application-level-firewalls-for-linux-distributions/



                                        There was (is) an application that has been referenced already, leopardflower. I am not sure of the status / maintance.






                                        share|improve this answer


























                                          1












                                          1








                                          1







                                          For better or worse, Linux uses a different approach. There is no simple graphical interface to offer this functionality. There are many discussions on this topic on the internet and you can find interesting discussions if you google search. While debate is interesting, to date there has not been a dedicated group of programmers wanting to write and maintain this functionality.



                                          The tools that offer this functionality in Linux are Apparmor, Selinux, and Tomoyo.



                                          None of these tools are overly easy to learn and all have advantages and disadvantages. Personally I prefer SELinux, although SELinux has a steeper learning curve.



                                          See:



                                          http://www.linuxbsdos.com/2011/12/06/3-application-level-firewalls-for-linux-distributions/



                                          There was (is) an application that has been referenced already, leopardflower. I am not sure of the status / maintance.






                                          share|improve this answer













                                          For better or worse, Linux uses a different approach. There is no simple graphical interface to offer this functionality. There are many discussions on this topic on the internet and you can find interesting discussions if you google search. While debate is interesting, to date there has not been a dedicated group of programmers wanting to write and maintain this functionality.



                                          The tools that offer this functionality in Linux are Apparmor, Selinux, and Tomoyo.



                                          None of these tools are overly easy to learn and all have advantages and disadvantages. Personally I prefer SELinux, although SELinux has a steeper learning curve.



                                          See:



                                          http://www.linuxbsdos.com/2011/12/06/3-application-level-firewalls-for-linux-distributions/



                                          There was (is) an application that has been referenced already, leopardflower. I am not sure of the status / maintance.







                                          share|improve this answer












                                          share|improve this answer



                                          share|improve this answer










                                          answered Mar 20 '13 at 17:06









                                          PantherPanther

                                          79.1k14157259




                                          79.1k14157259























                                              1














                                              It was in iptables up to kernel version 2.6.24
                                              If you are running a 2.x - 2.6.24 machine and your kernel has it complied in you can do it.
                                              for some reason they took it out, so no its not microsoft.
                                              http://cateee.net/lkddb/web-lkddb/IP_NF_MATCH_OWNER.html






                                              share|improve this answer
























                                              • debian-administration.org/?article=120

                                                – not really
                                                Sep 9 '13 at 4:12
















                                              1














                                              It was in iptables up to kernel version 2.6.24
                                              If you are running a 2.x - 2.6.24 machine and your kernel has it complied in you can do it.
                                              for some reason they took it out, so no its not microsoft.
                                              http://cateee.net/lkddb/web-lkddb/IP_NF_MATCH_OWNER.html






                                              share|improve this answer
























                                              • debian-administration.org/?article=120

                                                – not really
                                                Sep 9 '13 at 4:12














                                              1












                                              1








                                              1







                                              It was in iptables up to kernel version 2.6.24
                                              If you are running a 2.x - 2.6.24 machine and your kernel has it complied in you can do it.
                                              for some reason they took it out, so no its not microsoft.
                                              http://cateee.net/lkddb/web-lkddb/IP_NF_MATCH_OWNER.html






                                              share|improve this answer













                                              It was in iptables up to kernel version 2.6.24
                                              If you are running a 2.x - 2.6.24 machine and your kernel has it complied in you can do it.
                                              for some reason they took it out, so no its not microsoft.
                                              http://cateee.net/lkddb/web-lkddb/IP_NF_MATCH_OWNER.html







                                              share|improve this answer












                                              share|improve this answer



                                              share|improve this answer










                                              answered Sep 9 '13 at 4:11









                                              not reallynot really

                                              111




                                              111













                                              • debian-administration.org/?article=120

                                                – not really
                                                Sep 9 '13 at 4:12



















                                              • debian-administration.org/?article=120

                                                – not really
                                                Sep 9 '13 at 4:12

















                                              debian-administration.org/?article=120

                                              – not really
                                              Sep 9 '13 at 4:12





                                              debian-administration.org/?article=120

                                              – not really
                                              Sep 9 '13 at 4:12











                                              1














                                              Try Leopard Flower. It has a GUI and per-application restrictions.






                                              share|improve this answer






























                                                1














                                                Try Leopard Flower. It has a GUI and per-application restrictions.






                                                share|improve this answer




























                                                  1












                                                  1








                                                  1







                                                  Try Leopard Flower. It has a GUI and per-application restrictions.






                                                  share|improve this answer















                                                  Try Leopard Flower. It has a GUI and per-application restrictions.







                                                  share|improve this answer














                                                  share|improve this answer



                                                  share|improve this answer








                                                  edited Sep 6 '17 at 20:03









                                                  Eliah Kagan

                                                  82.3k22227367




                                                  82.3k22227367










                                                  answered Dec 13 '11 at 9:55









                                                  brandbrand

                                                  111




                                                  111























                                                      0














                                                      No, it isn't possible. It also isn't part of the traditional definition of a firewall. It is something that Microsoft came up with fairly recently in an attempt to paper around their fundamentally broken OS security problems. It is considered foolhardy and unworkable in the Linux community because one program that isn't allowed can simply run another program that is and gain access that way.



                                                      If you don't like what a program is doing on the network when you run it, then don't run that program.






                                                      share|improve this answer



















                                                      • 6





                                                        Microsoft's firewall was not the first major firewall to offer this functionality. It wasn't even the first Windows firewall to offer it. BlackIce Defender, ZoneAlarm, and a variety of other software firewalls for Windows predate the introduction of the Windows Internet Connection Firewall by years. Furthermore, there is no such consensus in the Linux community. We often use AppArmor (or SELinux) to constrain the behavior of applications (and I wonder if AppArmor could be adapted to this purpose...). There's no reason it's "wrong" to want to control what apps can access the Internet.

                                                        – Eliah Kagan
                                                        Mar 20 '13 at 13:40













                                                      • And, as several other answers can attest, per-application firewall restrictions are quite possible; this functionality is built into iptables/netfilter!

                                                        – Eliah Kagan
                                                        Mar 20 '13 at 13:46











                                                      • No, neither netfilter nor iptables can filter per application. They can filter by user and port but not per application.

                                                        – Panther
                                                        Mar 20 '13 at 16:56











                                                      • "Can simply run another"???? Then obviously the creator of such a program that doesn't block the child processes of the target program is vastly flawed.

                                                        – trusktr
                                                        Aug 3 '13 at 6:16
















                                                      0














                                                      No, it isn't possible. It also isn't part of the traditional definition of a firewall. It is something that Microsoft came up with fairly recently in an attempt to paper around their fundamentally broken OS security problems. It is considered foolhardy and unworkable in the Linux community because one program that isn't allowed can simply run another program that is and gain access that way.



                                                      If you don't like what a program is doing on the network when you run it, then don't run that program.






                                                      share|improve this answer



















                                                      • 6





                                                        Microsoft's firewall was not the first major firewall to offer this functionality. It wasn't even the first Windows firewall to offer it. BlackIce Defender, ZoneAlarm, and a variety of other software firewalls for Windows predate the introduction of the Windows Internet Connection Firewall by years. Furthermore, there is no such consensus in the Linux community. We often use AppArmor (or SELinux) to constrain the behavior of applications (and I wonder if AppArmor could be adapted to this purpose...). There's no reason it's "wrong" to want to control what apps can access the Internet.

                                                        – Eliah Kagan
                                                        Mar 20 '13 at 13:40













                                                      • And, as several other answers can attest, per-application firewall restrictions are quite possible; this functionality is built into iptables/netfilter!

                                                        – Eliah Kagan
                                                        Mar 20 '13 at 13:46











                                                      • No, neither netfilter nor iptables can filter per application. They can filter by user and port but not per application.

                                                        – Panther
                                                        Mar 20 '13 at 16:56











                                                      • "Can simply run another"???? Then obviously the creator of such a program that doesn't block the child processes of the target program is vastly flawed.

                                                        – trusktr
                                                        Aug 3 '13 at 6:16














                                                      0












                                                      0








                                                      0







                                                      No, it isn't possible. It also isn't part of the traditional definition of a firewall. It is something that Microsoft came up with fairly recently in an attempt to paper around their fundamentally broken OS security problems. It is considered foolhardy and unworkable in the Linux community because one program that isn't allowed can simply run another program that is and gain access that way.



                                                      If you don't like what a program is doing on the network when you run it, then don't run that program.






                                                      share|improve this answer













                                                      No, it isn't possible. It also isn't part of the traditional definition of a firewall. It is something that Microsoft came up with fairly recently in an attempt to paper around their fundamentally broken OS security problems. It is considered foolhardy and unworkable in the Linux community because one program that isn't allowed can simply run another program that is and gain access that way.



                                                      If you don't like what a program is doing on the network when you run it, then don't run that program.







                                                      share|improve this answer












                                                      share|improve this answer



                                                      share|improve this answer










                                                      answered May 25 '11 at 13:35









                                                      psusipsusi

                                                      31.2k15089




                                                      31.2k15089








                                                      • 6





                                                        Microsoft's firewall was not the first major firewall to offer this functionality. It wasn't even the first Windows firewall to offer it. BlackIce Defender, ZoneAlarm, and a variety of other software firewalls for Windows predate the introduction of the Windows Internet Connection Firewall by years. Furthermore, there is no such consensus in the Linux community. We often use AppArmor (or SELinux) to constrain the behavior of applications (and I wonder if AppArmor could be adapted to this purpose...). There's no reason it's "wrong" to want to control what apps can access the Internet.

                                                        – Eliah Kagan
                                                        Mar 20 '13 at 13:40













                                                      • And, as several other answers can attest, per-application firewall restrictions are quite possible; this functionality is built into iptables/netfilter!

                                                        – Eliah Kagan
                                                        Mar 20 '13 at 13:46











                                                      • No, neither netfilter nor iptables can filter per application. They can filter by user and port but not per application.

                                                        – Panther
                                                        Mar 20 '13 at 16:56











                                                      • "Can simply run another"???? Then obviously the creator of such a program that doesn't block the child processes of the target program is vastly flawed.

                                                        – trusktr
                                                        Aug 3 '13 at 6:16














                                                      • 6





                                                        Microsoft's firewall was not the first major firewall to offer this functionality. It wasn't even the first Windows firewall to offer it. BlackIce Defender, ZoneAlarm, and a variety of other software firewalls for Windows predate the introduction of the Windows Internet Connection Firewall by years. Furthermore, there is no such consensus in the Linux community. We often use AppArmor (or SELinux) to constrain the behavior of applications (and I wonder if AppArmor could be adapted to this purpose...). There's no reason it's "wrong" to want to control what apps can access the Internet.

                                                        – Eliah Kagan
                                                        Mar 20 '13 at 13:40













                                                      • And, as several other answers can attest, per-application firewall restrictions are quite possible; this functionality is built into iptables/netfilter!

                                                        – Eliah Kagan
                                                        Mar 20 '13 at 13:46











                                                      • No, neither netfilter nor iptables can filter per application. They can filter by user and port but not per application.

                                                        – Panther
                                                        Mar 20 '13 at 16:56











                                                      • "Can simply run another"???? Then obviously the creator of such a program that doesn't block the child processes of the target program is vastly flawed.

                                                        – trusktr
                                                        Aug 3 '13 at 6:16








                                                      6




                                                      6





                                                      Microsoft's firewall was not the first major firewall to offer this functionality. It wasn't even the first Windows firewall to offer it. BlackIce Defender, ZoneAlarm, and a variety of other software firewalls for Windows predate the introduction of the Windows Internet Connection Firewall by years. Furthermore, there is no such consensus in the Linux community. We often use AppArmor (or SELinux) to constrain the behavior of applications (and I wonder if AppArmor could be adapted to this purpose...). There's no reason it's "wrong" to want to control what apps can access the Internet.

                                                      – Eliah Kagan
                                                      Mar 20 '13 at 13:40







                                                      Microsoft's firewall was not the first major firewall to offer this functionality. It wasn't even the first Windows firewall to offer it. BlackIce Defender, ZoneAlarm, and a variety of other software firewalls for Windows predate the introduction of the Windows Internet Connection Firewall by years. Furthermore, there is no such consensus in the Linux community. We often use AppArmor (or SELinux) to constrain the behavior of applications (and I wonder if AppArmor could be adapted to this purpose...). There's no reason it's "wrong" to want to control what apps can access the Internet.

                                                      – Eliah Kagan
                                                      Mar 20 '13 at 13:40















                                                      And, as several other answers can attest, per-application firewall restrictions are quite possible; this functionality is built into iptables/netfilter!

                                                      – Eliah Kagan
                                                      Mar 20 '13 at 13:46





                                                      And, as several other answers can attest, per-application firewall restrictions are quite possible; this functionality is built into iptables/netfilter!

                                                      – Eliah Kagan
                                                      Mar 20 '13 at 13:46













                                                      No, neither netfilter nor iptables can filter per application. They can filter by user and port but not per application.

                                                      – Panther
                                                      Mar 20 '13 at 16:56





                                                      No, neither netfilter nor iptables can filter per application. They can filter by user and port but not per application.

                                                      – Panther
                                                      Mar 20 '13 at 16:56













                                                      "Can simply run another"???? Then obviously the creator of such a program that doesn't block the child processes of the target program is vastly flawed.

                                                      – trusktr
                                                      Aug 3 '13 at 6:16





                                                      "Can simply run another"???? Then obviously the creator of such a program that doesn't block the child processes of the target program is vastly flawed.

                                                      – trusktr
                                                      Aug 3 '13 at 6:16











                                                      0














                                                      Another option is firejail. It runs the application inside sandbox where you control if the application could see the network:



                                                      firejail --net=none firefox


                                                      This command will start Firefox browser without internet access.
                                                      Note that the firejail distribution in the Ubuntu repo is outdated - better download its latest LTS version from the firejail home page.






                                                      share|improve this answer




























                                                        0














                                                        Another option is firejail. It runs the application inside sandbox where you control if the application could see the network:



                                                        firejail --net=none firefox


                                                        This command will start Firefox browser without internet access.
                                                        Note that the firejail distribution in the Ubuntu repo is outdated - better download its latest LTS version from the firejail home page.






                                                        share|improve this answer


























                                                          0












                                                          0








                                                          0







                                                          Another option is firejail. It runs the application inside sandbox where you control if the application could see the network:



                                                          firejail --net=none firefox


                                                          This command will start Firefox browser without internet access.
                                                          Note that the firejail distribution in the Ubuntu repo is outdated - better download its latest LTS version from the firejail home page.






                                                          share|improve this answer













                                                          Another option is firejail. It runs the application inside sandbox where you control if the application could see the network:



                                                          firejail --net=none firefox


                                                          This command will start Firefox browser without internet access.
                                                          Note that the firejail distribution in the Ubuntu repo is outdated - better download its latest LTS version from the firejail home page.







                                                          share|improve this answer












                                                          share|improve this answer



                                                          share|improve this answer










                                                          answered Jan 26 at 12:27









                                                          Dimitar IIDimitar II

                                                          1314




                                                          1314






























                                                              draft saved

                                                              draft discarded




















































                                                              Thanks for contributing an answer to Ask Ubuntu!


                                                              • Please be sure to answer the question. Provide details and share your research!

                                                              But avoid



                                                              • Asking for help, clarification, or responding to other answers.

                                                              • Making statements based on opinion; back them up with references or personal experience.


                                                              To learn more, see our tips on writing great answers.




                                                              draft saved


                                                              draft discarded














                                                              StackExchange.ready(
                                                              function () {
                                                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f45072%2fhow-to-control-internet-access-for-each-program%23new-answer', 'question_page');
                                                              }
                                                              );

                                                              Post as a guest















                                                              Required, but never shown





















































                                                              Required, but never shown














                                                              Required, but never shown












                                                              Required, but never shown







                                                              Required, but never shown

































                                                              Required, but never shown














                                                              Required, but never shown












                                                              Required, but never shown







                                                              Required, but never shown







                                                              Popular posts from this blog

                                                              How to change which sound is reproduced for terminal bell?

                                                              Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents

                                                              Can I use Tabulator js library in my java Spring + Thymeleaf project?