Page 3 of 6 FirstFirst 12345 ... LastLast
Results 21 to 30 of 53

Thread: HOWTO: Run a particular program but prevent it from accessing the Internet

  1. #21
    Join Date
    Dec 2009
    Beans
    13

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    I did the steps outlined but it does not work. Running with ni firefox still gives it net access.

    here is my iptables output

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    blockcontrol_out all -- anywhere anywhere state NEW mark match !0x14
    ACCEPT tcp -- 192.168.0.183 192.168.0.1 tcp dpt:domain
    DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
    DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
    DROP all -- 255.255.255.255 anywhere
    DROP all -- anywhere 0.0.0.0
    DROP all -- anywhere anywhere state INVALID
    OUTBOUND all -- anywhere anywhere
    LOG_FILTER all -- anywhere anywhere
    LOG all -- anywhere anywhere LOG level info prefix `Unknown Output'
    DROP all -- anywhere anywhere owner GID match no-internet
    EDIT:

    Ok removing OUTBOUND all -- anywhere anywhere
    gave me no net connection at all for anything

    I reinserted it with command
    sudo iptables -A OUTPUT -p all --goto OUTBOUND

    and for some reason now ni firefox works!
    Maybe it was the ordering of the rules.
    Last edited by fireandspike; October 26th, 2010 at 04:00 AM.

  2. #22
    Join Date
    Aug 2006
    Location
    Canada
    Beans
    389
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    Quote Originally Posted by fireandspike View Post
    and for some reason now ni firefox works!
    Maybe it was the ordering of the rules.
    It seems at least one poster before you had that OUTBOUND rule in there and it didn't work for him right away either. Then he rebooted and it worked. Maybe just a coincidence but I'm not sure.

    Anyway, glad you got it working.

  3. #23
    Join Date
    Aug 2006
    Location
    Canada
    Beans
    389
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    Quote Originally Posted by arapaho
    Can you help me
    following your how to
    I created no-internet group with ID 1001. I added myself to that group.

    #!/bin/bash
    iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
    Do I have to replace owner with arapaho and --gid-owner with --1001?
    No, you don't need to replace anything, just copy that text verbatim into the file.

    Quote Originally Posted by arapaho
    Do I have to use terminal and ni program_name
    every time I want to use the program or is it a permanent block?
    You have to run the program using ni program_name every time. If you don't run it with the ni script, the program will be able to access the Internet.

    Let me know if you have any more questions. You can post in this thread rather than PM in case other people later have the same questions.

  4. #24
    Join Date
    Jun 2007
    Location
    North London; England
    Beans
    697

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    That's a pretty cool idea.

    I would quite like the opposite: blocking Internet access for every program except those run using the script, that way only things I give permission get online.

  5. #25
    Join Date
    Aug 2006
    Location
    Canada
    Beans
    389
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    Quote Originally Posted by markp1989 View Post
    That's a pretty cool idea.

    I would quite like the opposite: blocking Internet access for every program except those run using the script, that way only things I give permission get online.
    That should be possible too. Basically, you'd set the firewall to block all network access for programs run by your user's group, and then use a script to change the group ID to something else for the programs you want to have access. Might only need a small change to the firewall and a reboot but I'm at work now so will have to test it later.

  6. #26
    Join Date
    Jun 2010
    Beans
    136
    Distro
    Kubuntu 16.04 Xenial Xerus

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    Quote Originally Posted by amac777 View Post
    You can post in this thread rather than PM in case other people later have the same questions.
    Sorry about PM. I just needed a quick answer and I wasn't sure if you subscribe to this topic. Thank you.

  7. #27
    Join Date
    Aug 2006
    Location
    Canada
    Beans
    389
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    Quote Originally Posted by arapaho View Post
    Sorry about PM. I just needed a quick answer and I wasn't sure if you subscribe to this topic. Thank you.
    No problem. Did you see my answer above and get it working?

  8. #28
    Join Date
    Dec 2009
    Beans
    27
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    It seems good, but it stops working when UFW is active. I would like to know how to add this rule with UFW

    or what line to add in which file?

  9. #29
    Join Date
    Feb 2011
    Beans
    1

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    Let me first beg your pardon, I'm a Debian user, not Ubuntu. If I'm being inappropriate by posting here, I apologize.

    An internet search led me to this thread and I found it extremely helpful. But my system is a little different because I am running a Firestarter firewall. So I thought I'd update this HOWTO with a slight modification for Firestarter users.

    Rather than putting the iptables script in /etc/network, if you are running Firestarter you want to put the line:

    Code:
    iptables --append OUTPUT --match owner --gid-owner no-internet -j DROP
    into the file:
    /etc/firestarter/user-pre

    According to the /etc/firestarter/firewall script, the user-pre script is run before most of the chains are set in iptables. By placing the new iptables rule in user-pre, you ensure its inclusion early in the chain list, thereby ensuring it will be applied when operating as the no-internet group. There is no need to write the iptables_no-internet_rule script and put it in /etc/network if you run Firestarter, and doing so won't have any effect on the ability of no-internet to access the outside world.
    Last edited by Grey Rider; February 13th, 2011 at 08:38 PM.

  10. #30
    Join Date
    Jun 2009
    Beans
    66

    Re: HOWTO: Run a particular program but prevent it from accessing the Internet

    I made a few modifications to original poster's HOWTO, to make it work well in Ubuntu 10.10 (32-bit):

    1. Since putting iptables_no-internet_rule script in if-pre-up.d didn't work for me (it wasn't executed after system restart, I had to manually start it every time I booted the machine), I put it in if-up.d.

    2. Because the rule for iptables was put at the end of the OUTPUT rules, and because of the rules that precede it, it was never executed. To solve this, I changed the rule to
    Code:
    iptables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP
    so it would be placed at the top of the OUTPUT rules (and applied first).

    3. The original ni script required quotes around the command if there were any arguments, i.e.:
    Code:
    ni "command arg1 arg2 arg3"
    This was very troublesome if you wanted to alter parameters from the script (especially if they contain spaces). I changed the ni script to omit the necessary quotes around such commands:
    Code:
    #!/bin/bash
    # Start with the program name, then append each remaining argument
    # wrapped in double quotes so arguments containing spaces stay intact.
    COMMAND="$1"
    shift
    for arg; do
        COMMAND="$COMMAND \"$arg\""
    done
    # Run the assembled command line under the no-internet group.
    sg no-internet "$COMMAND"
    Now it can be invoked with:
    Code:
    ni command arg1 arg2 arg3
    which is much better for scripts.
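As an added example (not the thread's own ni script), here is a POSIX sh version of the wrapper from post #30 that single-quotes each argument before handing the line to sg, so arguments containing spaces, double quotes or shell metacharacters reach the program unchanged; it assumes the no-internet group created in the HOWTO exists.

```shell
#!/bin/sh
# Added example, not the thread's own ni script. Builds the command string
# handed to "sg no-internet" so that every argument survives unchanged,
# including ones containing spaces, double quotes or $ (the post #30 version
# wraps arguments in double quotes, which a literal " or $ inside breaks).
# Assumes the "no-internet" group created in the HOWTO exists.

# Print the arguments as one shell-safe line: each argument is wrapped in
# single quotes, and any single quote inside it becomes the sequence '\''.
ni_quote_args() {
    _out=""
    for _arg; do
        # The sed replacement '\\'' becomes '\'' once the shell has unquoted it.
        _q=$(printf '%s\n' "$_arg" | sed "s/'/'\\\\''/g")
        _out="$_out '$_q'"
    done
    # Drop the leading space added by the first iteration.
    printf '%s\n' "${_out# }"
}

# Run a program under the no-internet group, passing arguments through as-is.
# sg executes the string with a shell, which is why it must be quoted above.
ni() {
    sg no-internet -c "$(ni_quote_args "$@")"
}
```

The owner match only bites if the DROP rule sits before any ACCEPT that would match first, so keep the `-I OUTPUT 1` placement from post #30 alongside this wrapper.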
