82

I would like to use a software to control which program may connect to the internet. I know that this behaviour is associated with the word "firewall", but some Linux users are very upset if somebody demands a Personal Firewall. I don't want to upset you by demanding such a program.
I don't want to "secure ports" or other stuff a Personal Firewall promises on Windows. I looked into iptables but it does not fit my requirements.

I saw an excellent answer here ("How to block internet access for wine applications") but it's very uncomfortable to set this up.

Is there software that asks, for each program, whether it may access the internet?

guerda
  • 1,191

13 Answers

42

I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.

  1. Create a group no-internet. Do not join this group

    sudo addgroup no-internet
    
  2. Add a rule to iptables that prevents all processes belonging to the group no-internet from using the network (use ip6tables to also prevent IPv6 traffic)

    sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
    
  3. Execute sudo -g no-internet YOURCOMMAND instead of YOURCOMMAND.

You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding

%sudo     ALL=(:no-internet)      NOPASSWD: ALL

or something similar with sudo visudo.

Use iptables-save and iptables-restore to persist the firewall rules.

Pavak Paul
  • 1,230
Tim
  • 621
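The three steps above as one wrapper script (an added example, not the answer author's code): it creates the group if it is missing, adds the owner-match rule only when it is not already present so re-running does not stack duplicates, covers IPv6 as well, and then starts the program with sudo -g. It assumes the Debian/Ubuntu tools addgroup, getent, sudo, iptables and ip6tables; the script name no-internet.sh and the NO_INTERNET_GROUP and SUDO variables are assumptions made here.

```shell
#!/bin/sh
# no-internet.sh: wrapper for the no-internet group approach from the answer above.
# Added example, not the answer author's code. Assumes Debian/Ubuntu tools:
# addgroup, getent, sudo, iptables and ip6tables. Usage: ./no-internet.sh firefox

GROUP="${NO_INTERNET_GROUP:-no-internet}"
SUDO="${SUDO:-sudo}"          # set SUDO="" when already running as root

# ensure_group: create the group once. Never add your own login to it, or
# everything you start would lose the network.
ensure_group() {
    getent group "$GROUP" >/dev/null 2>&1 || $SUDO addgroup "$GROUP"
}

# ensure_rule TOOL: append the owner-match DROP rule only when it is missing.
# `-C` tests for an identical rule, so re-running the script (e.g. from a
# login hook) does not pile up duplicate rules in OUTPUT. --gid-owner matches
# the process's primary group, which is exactly what sudo -g / sg changes.
# Caveat: the rule also drops loopback traffic; insert `-o lo -j ACCEPT`
# before it if the program needs local services.
ensure_rule() {
    tool="$1"
    if $SUDO "$tool" -C OUTPUT -m owner --gid-owner "$GROUP" -j DROP 2>/dev/null; then
        return 0
    fi
    $SUDO "$tool" -A OUTPUT -m owner --gid-owner "$GROUP" -j DROP
}

# count_rule TOOL: number of copies of the rule in OUTPUT (1 is the goal).
count_rule() {
    $SUDO "$1" -S OUTPUT | grep -c -- "--gid-owner $GROUP -j DROP"
}

# run_offline CMD...: start the program with no-internet as its primary group.
# Children inherit the group, so helper processes are cut off as well.
run_offline() {
    sudo -g "$GROUP" -- "$@"
}

main() {
    ensure_group
    ensure_rule iptables
    ensure_rule ip6tables      # IPv6 has its own table; without this it leaks
    run_offline "$@"
}

# Only act when run as the script itself, not when sourced for its functions.
case "${0##*/}" in no-internet.sh) main "$@" ;; esac
```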
38

NOTE: Douane is no longer actively developed and is reported to not work in later Ubuntu versions. This solution may not work, but the answer is kept as is for historical reasons.

In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane

My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.

Have a look at the website ;-)


Thomas Ward
  • 78,878
ZedTuX
  • 653
  • 6
  • 9
18

Another option is firejail. It runs the application inside a sandbox where you control whether the application can see the network:

firejail --net=none firefox

This command will start the Firefox browser without internet access. Note that the firejail distribution in the Ubuntu repo is outdated - better to download its latest LTS version from the firejail home page.

6

There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).

Sparhawk
  • 6,969
6

Running a program under another user will use the config files for that user and not yours.

Here is a solution that does not require modifying the firewall rules, and runs under the same user (via sudo) with a modified environment, where your user is my_user and the app you want to run is my_app:

# run app without access to internet
sudo unshare -n sudo -u my_user my_app

For more details see man unshare and this answer.

Linux GUI firewall

If you are looking for a GUI firewall I've had good results with OpenSnitch — it's not yet in the Ubuntu repos and I wouldn't call it production-level, but following the build steps from the GitHub page worked for me.

ccpizza
  • 1,564
  • 19
  • 20
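The unshare approach above as a small script (an added example, not the answer author's code), with loopback brought up inside the empty namespace and without sudo when the kernel allows unprivileged user namespaces; firejail --net=none relies on the same kernel mechanism, a network namespace. It assumes util-linux unshare and iproute2; the script name netns-run.sh, the function names and the sample /proc/net/dev contents are constructed here.

```shell
#!/bin/sh
# netns-run.sh: run a program with no network by giving it an empty network
# namespace. Added example, not the answer author's code. Assumes util-linux
# `unshare`; uses an unprivileged user namespace when the kernel allows it,
# otherwise the sudo form from the answer above. Usage: ./netns-run.sh my_app

# have_userns: can this user create a user+network namespace without root?
have_userns() {
    unshare -rn true 2>/dev/null
}

# run_isolated CMD...: fresh network namespace, same user, same $HOME and
# config files. Loopback is brought up so programs that talk to themselves
# over 127.0.0.1 keep working; no other interface exists, so nothing leaves
# the host. With -r the program sees uid 0 inside the namespace (mapped to
# your real uid), which some programs refuse; use the sudo path for those.
run_isolated() {
    if have_userns; then
        unshare -rn sh -c 'ip link set lo up 2>/dev/null; exec "$@"' sh "$@"
    else
        sudo unshare -n sudo -u "$(id -un)" -- "$@"
    fi
}

# count_ifaces: number of interfaces in /proc/net/dev text read from stdin
# (the file has two header lines, then one line per interface).
count_ifaces() {
    awk -F: 'NR > 2 { n++ } END { print n + 0 }'
}

# ifaces_inside_sandbox: what a sandboxed program sees; expected answer is 1 (lo).
ifaces_inside_sandbox() {
    run_isolated cat /proc/net/dev | count_ifaces
}

# Constructed sample of a host's /proc/net/dev, to show the format parsed above.
SAMPLE_DEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1234      12    0    0    0     0          0         0     1234      12    0    0    0     0       0          0
  eth0:  567890     678    0    0    0     0          0        10   123456     345    0    0    0     0       0          0'

# count_ifaces_sample: the host sample above has two interfaces, lo and eth0.
count_ifaces_sample() {
    printf '%s\n' "$SAMPLE_DEV" | count_ifaces
}
```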
5

There is already a firewall in Ubuntu, ufw, but it is disabled by default. You can enable and use it by the command line or its frontend, gufw, that is installable directly from the Ubuntu Software Centre.

If you need to block the internet access of a specific application, you can try LeopardFlower, which is still in beta and is not available in the Ubuntu Software Centre:

Pablo Bianchi
  • 17,371
heiko81
  • 1,925
3

@psusi: I really wish people wouldn't peddle bad and not useful information. IPTables allows one to do this, so I'd hardly consider it "foolhardy". Just saying "NO" without understanding a use case is somewhat narrow minded. http://www.debian-administration.org/article/120/Application_level_firewalling

EDIT bodhi.zazen

NOTE - THIS OPTION WAS REMOVED FROM IPTABLES IN 2005, 8 YEARS BEFORE THIS ANSWER WAS POSTED

SEE - http://www.spinics.net/lists/netfilter/msg49716.html

commit 34b4a4a624bafe089107966a6c56d2a1aca026d4
Author: Christoph Hellwig
Date:   Sun Aug 14 17:33:59 2005 -0700

[NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner

Rip out cmd/sid/pid matching since its unfixable broken and stands in the way of locking changes to tasklist_lock.

Signed-off-by: Christoph Hellwig <hch@xxxxxx>
Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Panther
  • 104,528
3

I have found the solution posted here to be a good one. It involves creating a user-group for which internet access is allowed, and setting up firewall rules to allow access only for this group. The only way for an application to access the internet is if it is run by a member of this group. You can run programs under this group by opening a shell with sudo -g internet -s.

To recap what's in the post I linked above:

  1. Create the "internet" group by typing the following into a shell: sudo groupadd internet

  2. Ensure that the user who will run the script below is added to the sudo group in /etc/group. If you end up modifying this file, then you will need to log out and back in before the script below will work.

  3. Create a script containing the following, and run it:

    #!/bin/sh
    # Firewall apps - only allow apps run from "internet" group to run
    
    # clear previous rules (flushes every chain of the filter table)
    sudo iptables -F
    
    # accept packets for internet group
    sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
    
    # also allow local connections (loopback and the local /24)
    sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
    sudo iptables -A OUTPUT -p tcp -d 192.168.0.0/24 -j ACCEPT
    
    # reject packets for other users
    # (only TCP is matched in this script; UDP such as DNS and ICMP are not filtered)
    sudo iptables -A OUTPUT -p tcp -j REJECT
    
    # open a shell with internet access
    sudo -g internet -s
    
  4. By running the above script, you will have a shell in which you can run applications with internet access.

Note that this script doesn't do anything to save and restore your firewall rules. You may wish to modify the script to use the iptables-save and iptables-restore shell commands.

Mark
  • 1,479
2

Building on the original answer, you can assign the application group to no-internet, eliminating the need to run the application with sg no-internet [CMD] or sudo -g no-internet [CMD].

  1. Create the group no-internet.

    sudo addgroup no-internet
    
  2. Add iptables/ip6tables rules to block all network traffic for processes in the no-internet group.

    sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j REJECT
    sudo ip6tables -A OUTPUT -m owner --gid-owner no-internet -j REJECT
    

    Save and restore the firewall rules using iptables-save and iptables-restore.

  3. Set the application's group to no-internet and modify the set-group-ID bit (SGID).

    sudo chgrp no-internet [CMD]
    sudo chmod g+s [CMD]
    

    Replace [CMD] with the application's executable.

  4. To restore the application internet access, reset the application's group and SGID:

    sudo chgrp root [CMD]
    sudo chmod g-s [CMD]
    

The sg no-internet "[CMD]" form may be useful for complex cases where the initial application spawns other sub-processes which are not affected by the SGID bit.

ZZZZ
  • 21
1

For better or worse, Linux uses a different approach. There is no simple graphical interface to offer this functionality. There are many discussions on this topic on the internet, and you can find interesting ones with a Google search. While the debate is interesting, to date there has not been a dedicated group of programmers wanting to write and maintain this functionality.

The tools that offer this functionality in Linux are Apparmor, Selinux, and Tomoyo.

None of these tools are overly easy to learn and all have advantages and disadvantages. Personally I prefer SELinux, although SELinux has a steeper learning curve.

See:

http://www.linuxbsdos.com/2011/12/06/3-application-level-firewalls-for-linux-distributions/

There was (is) an application that has been referenced already, leopardflower. I am not sure of the status / maintenance.

Panther
  • 104,528
1

It was in iptables up to kernel version 2.6.24. If you are running a 2.x - 2.6.24 machine and your kernel has it compiled in, you can do it. For some reason they took it out, so no, it's not Microsoft. http://cateee.net/lkddb/web-lkddb/IP_NF_MATCH_OWNER.html

1

Try Leopard Flower. It has a GUI and per-application restrictions.

Eliah Kagan
  • 119,640
brand
  • 11
-1

No, it isn't possible. It also isn't part of the traditional definition of a firewall. It is something that Microsoft came up with fairly recently in an attempt to paper around their fundamentally broken OS security problems. It is considered foolhardy and unworkable in the Linux community because one program that isn't allowed can simply run another program that is and gain access that way.

If you don't like what a program is doing on the network when you run it, then don't run that program.

psusi
  • 38,031