
I've followed this guide: How to block internet access for wine applications?

And created the following rules:

sudo addgroup no-internet  # Create group "no-internet"
sudo adduser $USER no-internet  # Add current user to no-internet
sudo iptables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP
sudo ip6tables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP # To also block IPv6 traffic

I then run the WINE app: sg no-internet -c "wine-stable pathToApp"

But how do I make this a persistent rule so that I don't have to run the WINE app via sg no-internet -c "wine-stable pathToApp" (i.e. even if I run the app directly) and also it will work even after reboot?

kat
  • 319

1 Answer


The problem is the default primary group of the user. If the user was created with a default group of their own username (which is the case on most default setups), then the gid-owner check will not match, because the process's owner group ID is not no-internet; it is that user's own group, not the target group ID you're trying to match.

NOTE: If you make this change to your currently running user who has sudo, you will likely break things, so I suggest that you create a secondary test user* and test the Internet rules from there.

Assuming that your iptables rules will persist, then make this additional change:

sudo usermod -g no-internet $USER

Then, test that user's connection to the Internet once they're logged in (ping 8.8.8.8 should say "operation not permitted", curl https://google.com should get a "Could not resolve" error, etc.).


* Note that I used deaduser which I created with the following command and then logged in as that user to test Internet connectivity: sudo useradd --create-home --user-group -g no-internet deaduser, and then logged in forcibly as that user with sudo su - deaduser to test the configuration of the rules.

The tests I did were ping 8.8.8.8 (which got an "operation not permitted" reply) and curl google.com (which got a "Could not resolve" error).

Thomas Ward
  • 78,878
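The procedure the answer sketches (make no-internet the user's primary group, then keep the owner-match rules across reboots), written out as one script. This is an added example, not code from the question or the answer. It assumes the group name no-internet from the thread, the Debian/Ubuntu paths /etc/iptables/rules.v4 and rules.v6 that the iptables-persistent package restores at boot, and a test account passed on the command line (the answer's deaduser is used in the sample data). The sample passwd/group lines are constructed so the diagnosis part runs without creating any accounts; the privileged part only runs when invoked with `apply`.

```shell
#!/usr/bin/env bash
# Added example: persist the no-internet owner-match block.
# Group name, rules-file paths and the test account are assumptions
# taken from the thread, not distro defaults.
set -eu

NO_NET_GROUP="no-internet"
RULES_V4="/etc/iptables/rules.v4"      # assumed: iptables-persistent paths
RULES_V6="/etc/iptables/rules.v6"

# Constructed sample account data mirroring the thread: "kat" was added to
# no-internet as a SUPPLEMENTARY group (adduser $USER no-internet) and keeps
# primary group 1000; "deaduser" has no-internet (1002) as PRIMARY group.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
kat:x:1000:1000:kat:/home/kat:/bin/bash
deaduser:x:1001:1002::/home/deaduser:/bin/bash'
SAMPLE_GROUP='root:x:0:
kat:x:1000:kat
no-internet:x:1002:kat,deaduser'

# Print USER's primary group name from passwd- and group-format text.
# Parsing text instead of calling id(1) keeps this testable without creating
# accounts; on a live box pass "$(getent passwd)" and "$(getent group)".
primary_group_name() {
    local user="$1" passwd_text="$2" group_text="$3" gid
    gid=$(printf '%s\n' "$passwd_text" | awk -F: -v u="$user" '$1==u {print $4; exit}')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$group_text" | awk -F: -v g="$gid" '$3==g {print $1; exit}'
}

# --gid-owner compares the socket owner's group id (the primary group, what
# id -g shows) with the group in the rule; supplementary groups (id -G) are
# ignored unless the rule also carries --suppl-groups, which needs a fairly
# new iptables and kernel.  So the DROP only bites when the primary group
# is NO_NET_GROUP, which is why sg(1) worked and running the app directly did not.
rule_will_match() {
    local user="$1" passwd_text="$2" group_text="$3"
    [ "$(primary_group_name "$user" "$passwd_text" "$group_text")" = "$NO_NET_GROUP" ]
}

# The rule as iptables-save writes it (and iptables-restore reads it back).
render_rule() {
    printf '%s\n' "-A OUTPUT -m owner --gid-owner $NO_NET_GROUP -j DROP"
}

# One-time privileged setup; run as: sudo bash thisscript.sh apply deaduser
apply() {
    local user="$1" ipt
    getent group "$NO_NET_GROUP" >/dev/null || groupadd "$NO_NET_GROUP"
    usermod -g "$NO_NET_GROUP" "$user"          # make it the PRIMARY group
    for ipt in iptables ip6tables; do
        # -C tests for an existing copy so re-running does not stack duplicates
        "$ipt" -C OUTPUT -m owner --gid-owner "$NO_NET_GROUP" -j DROP 2>/dev/null \
            || "$ipt" -I OUTPUT 1 -m owner --gid-owner "$NO_NET_GROUP" -j DROP
    done
    # Persist the live tables; iptables-persistent reloads these files at boot.
    mkdir -p "$(dirname "$RULES_V4")"
    iptables-save  > "$RULES_V4"
    ip6tables-save > "$RULES_V6"
    # Check from the restricted account (a fresh login, so the new primary
    # group is in effect): both commands must fail.
    su - "$user" -c 'ping -c1 -W1 8.8.8.8'          && echo "FAIL: ping went out"
    su - "$user" -c 'curl -s -m5 https://example.com' && echo "FAIL: curl went out"
    true
}

if [ "${1:-}" = "apply" ]; then
    apply "${2:?usage: $0 apply USER}"
else
    # Stand-alone: explain, for the constructed sample, who the rule catches.
    for u in kat deaduser; do
        if rule_will_match "$u" "$SAMPLE_PASSWD" "$SAMPLE_GROUP"; then
            echo "$u: primary group is $NO_NET_GROUP, the --gid-owner rule applies"
        else
            echo "$u: primary group is $(primary_group_name "$u" "$SAMPLE_PASSWD" "$SAMPLE_GROUP"), rule will NOT match (use sg/newgrp or usermod -g)"
        fi
    done
fi
```

Two things to keep in mind when using this. `usermod -g` only affects sessions started after the change, so log out and back in before testing, and every file that user creates from then on is group-owned by no-internet. The block also stops DNS lookups made by that user, which is why curl reports "Could not resolve" rather than a connection error. If changing the primary group is unwanted, recent iptables and kernels accept `--suppl-groups` on the owner match so the rule also matches supplementary membership; check `iptables -m owner --help` on your system before relying on it.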