Page 1 of 6
Results 1 to 10 of 53

Thread: HOWTO: Run a particular program but prevent it from accessing the Internet

  1. #1
    Join Date
    Aug 2006
    Location
    Canada
    Beans
    389
    Distro
    Ubuntu 10.04 Lucid Lynx

    HOWTO: Run any program but prevent it from accessing the Internet

    Rationale:

    Some programs like to access the Internet on their own. For example, many Windows programs I run in wine "call home", and Rhythmbox accesses Amazon each time I play a new MP3 in order to try and download cover art. For privacy purposes, you may want to run a program but ensure it *cannot* access the Internet.

    Howto: (6 steps) - Tested and works with Ubuntu 9.04 to 10.04 (see below for 10.10 adjustments)

    Step 1. Create a group called "no-internet" and add your user as a member of this new group.
    (System->Administration->Users and Groups)

    Step 2. Create a script (somewhere in your PATH) called "ni" (stands for No Internet) as follows:

    Code:
    sudo nano /usr/bin/ni
    with this contents:

    Code:
    #!/bin/bash
    # Run the given command with "no-internet" as its group so the iptables owner rule matches it
    sg no-internet "$1"
    And make it executable:

    Code:
    sudo chmod +x /usr/bin/ni
    Step 3. Create a script called iptables_no-internet_rule as follows:

    Code:
    sudo nano /etc/network/if-pre-up.d/iptables_no-internet_rule
    with this contents:

    Code:
    #!/bin/bash
    iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
    And make it executable:

    Code:
    sudo chmod +x /etc/network/if-pre-up.d/iptables_no-internet_rule
    Step 4. Enable the new firewall settings you made above in step 3 by running the following command:

    Code:
    sudo /etc/network/if-pre-up.d/iptables_no-internet_rule
    Step 5. Logout and then log back in again to make the group permissions take effect.

    Step 6. Finished. You can now run any program without allowing that program to access the network by using this command:

    Code:
    ni "program_name"
    Examples:

    - Note: the quotes around the program name are only there to allow you to enter commands needing parameters.

    Code:
    ni "ping www.google.com"
    ni "wine install.exe"
    ni firefox
    will all run but fail to access the Internet because ping, wine, and firefox are run using the ni script as the group no-internet, which has been barred from outputting anything to other networks. Note: if you are just running a single word command like firefox you don't need the quotes. Also note, for testing, make sure firefox isn't already running because then it will already have Internet access. Close it first and then run it preceded by ni.

    Options:

    Local network access

    The above will actually prevent all outgoing network access by the programs run with ni; however, sometimes this may not be what you want. For example, certain local network access for games in wine might be acceptable. If you want to allow only local network access but still keep the Internet in general blocked, you can change the iptables config line in the file mentioned in Step 3 to the following:

    Code:
    iptables -A OUTPUT -m owner --gid-owner no-internet ! -d 192.168.0.0/24 -j DROP
    change the 192.168.0.0 to match your local network as required.

    Preventing the need for the quotes
    Ubuntu 10.10
    Uncomplicated Firewall (UFW)

    In post #30 of this thread, user zzarko posted a technique that prevents the need for the quotes around the command run by ni, which may be useful when you want to have a script update the parameters of the command. He also described some adjustments for running this on Ubuntu 10.10, which user Jack Brown later confirmed also helps use the same idea with UFW (see post #40).

    Revert all changes:

    The above changes will persist even after system reboot so you can always run any program with the "ni" script to prevent it from getting out on the network. However, if you no longer want to have this feature enabled, you can uninstall the above by simply removing the two files created like this:

    Code:
    sudo rm /usr/bin/ni
    sudo rm /etc/network/if-pre-up.d/iptables_no-internet_rule
    and then remove the group "no-internet" from (System->Administration->Users and Groups).

    I hope this helps others.
    Last edited by amac777; February 2nd, 2012 at 01:51 AM. Reason: added reference to posts #30 & 40 of this thread
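An added example (my own shell helpers, not code from this thread) that generates the rule for both the fully blocked and the LAN-allowed modes, checks that the rule is actually loaded, and wraps sg so the command no longer needs the quotes. It assumes the group name no-internet, a 192.168.0.0/24 LAN, and that sg and iptables exist on the host (only ni_run needs them; the other functions run anywhere).

```shell
NI_GROUP="no-internet"

# Emit the iptables rule text for one of two modes:
#   all -> drop every outbound packet owned by the group (Step 3 of the HOWTO)
#   lan -> drop everything except the local subnet; '! -d' is the negation
#          syntax current iptables accepts, the older '-d !' form is rejected
ni_rule() {
    case "$1" in
        all) printf 'iptables -A OUTPUT -m owner --gid-owner %s -j DROP' "$NI_GROUP" ;;
        lan) printf 'iptables -A OUTPUT -m owner --gid-owner %s ! -d %s -j DROP' \
                 "$NI_GROUP" "${2:-192.168.0.0/24}" ;;
        *)   return 1 ;;
    esac
}

# Before debugging anything else, confirm the rule is really loaded: pipe the
# output of "iptables -S OUTPUT" into this function. Some iptables versions
# print the numeric GID instead of the group name, so the value to look for
# can be passed as $1 (e.g. the gid from getent group no-internet).
ni_rule_loaded() {
    grep -Eq -- "^-A OUTPUT .*-m owner --gid-owner ${1:-$NI_GROUP} .*-j DROP$"
}

# Build a single-quoted command line from separate arguments, so callers do not
# have to quote the whole command themselves and arguments with spaces survive.
ni_cmdline() {
    out=""
    for arg in "$@"; do
        q=$(printf '%s' "$arg" | sed "s/'/'\\\\''/g")
        out="$out${out:+ }'$q'"
    done
    printf '%s' "$out"
}

# Quote-free counterpart of the HOWTO's ni script: ni_run ping -c 1 example.org
ni_run() {
    [ "$#" -gt 0 ] || { echo "usage: ni_run command [args...]" >&2; return 2; }
    sg "$NI_GROUP" -c "$(ni_cmdline "$@")"
}

# Constructed samples of "iptables -S OUTPUT" output, with and without the rule.
WITH_RULE='-P OUTPUT ACCEPT
-A OUTPUT -m owner --gid-owner no-internet -j DROP'
WITHOUT_RULE='-P OUTPUT ACCEPT'
```

On a real host, `sudo iptables -S OUTPUT | ni_rule_loaded` returning non-zero means the if-pre-up.d script never ran, which is the first thing to check when a program "still gets through".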

  2. #2
    Join Date
    Feb 2009
    Beans
    34

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    beautiful, thank you very much

  3. #3
    Join Date
    Jul 2006
    Location
    Hertfordshire
    Beans
    454
    Distro
    Kubuntu 9.04 Jaunty Jackalope

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    Very useful, thanks for that.

  4. #4
    Join Date
    Aug 2007
    Beans
    874
    Distro
    Ubuntu 11.10 Oneiric Ocelot

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    Thanks amac777, especially liked the part describing how to unblock local access. Came in handy for my server.

  5. #5
    Join Date
    Mar 2008
    Beans
    85

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    A very long-winded way of doing it. Say I have Doom 3 installed on Linux and I want it to stop the constant key checks online. I open /etc/hosts as root and add this to the bottom of the file:

    Code:
    127.0.0.1 q4master.idsoftware.com idnet.ua-corp.com
    Will block doom 3 checking anything online. Quick and easy

  6. #6
    Join Date
    Jul 2006
    Location
    Hertfordshire
    Beans
    454
    Distro
    Kubuntu 9.04 Jaunty Jackalope

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    Quote Originally Posted by Voorhees1979:
    A very long-winded way of doing it. Say I have Doom 3 installed on Linux and I want it to stop the constant key checks online. I open /etc/hosts as root and add this to the bottom of the file:

    Code:
    127.0.0.1 q4master.idsoftware.com idnet.ua-corp.com
    Will block doom 3 checking anything online. Quick and easy
    That's a good strategy, though quite limited in practice. It will only work if you know exactly which servers the program is intending to contact.

    I wouldn't want to write the /etc/hosts entry for blocking Firefox from accessing HTTP servers on the Web, for example.

  7. #7
    Join Date
    Aug 2006
    Location
    Canada
    Beans
    389
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    Quote Originally Posted by Voorhees1979:
    A very long-winded way of doing it.
    I guess it depends on what you mean by "it", since what you described and what I described do different things. Different solutions for different problems.

  8. #8
    Join Date
    Nov 2009
    Beans
    3

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    Hi, I'm having no luck with this and can't figure out why. The ni script seems ok:
    Code:
    ni "id"
    reports the no-internet group ID correctly. I can also see the new OUTPUT rule from iptables -L. Any ideas anyone?
    Last edited by johnbrod; November 28th, 2009 at 06:07 PM.

  9. #9
    Join Date
    Sep 2009
    Beans
    30
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    I can't get the script to block anything other than ping. I closed firefox then ran it with ni, and it went through to the internet just fine. I tried it with xchat - same results
    Last edited by Cypher1101; November 29th, 2009 at 06:25 AM.

  10. #10
    Join Date
    Aug 2006
    Location
    Canada
    Beans
    389
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    Quote Originally Posted by johnbrod:
    Hi, I'm having no luck with this and can't figure out why. The ni script seems ok:
    Code:
    ni "id"
    reports the no-internet group ID correctly. I can also see the new OUTPUT rule from iptables -L. Any ideas anyone?
    Does "sudo iptables -L" look like this:

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere            owner GID match no-internet
    Quote Originally Posted by Cypher1101:
    I can't get the script to block anything other than ping. I closed firefox then ran it with ni, and it went through to the internet just fine. I tried it with xchat - same results
    I wrote these instructions using Jaunty and am still running that version of Ubuntu. Are you on a newer version? Maybe there is something different about the way iptables works on the new version?
