Thanks a lot for this post.
I hope this works.
Yet to try it out.
Getting asked for a password seems to indicate that your user is not a member of the "no-internet" group like it should be. See "Step 1" and make sure you add your user to the no-internet group. I normally use the System > Administration > Users and Groups tool to do this, but if you prefer the command line, you can also use this command:
Code:
sudo usermod -a -G no-internet username
where username should be your username. Then you need to log out / log in again to make the new groups take effect. Once your user is a member of the group, you should not get that password prompt anymore.
Cheers for this tip. But I am still in the group no-internet. This is what the command shows me:
Code:
$ id
uid=1000(six) gid=1000(six) groups= [...] 1002(no-internet)
Any further ideas?
This is what I've got:
Code:
Chain OUTPUT (policy DROP)
target     prot opt source                    destination
ACCEPT     tcp  --  10.0.1.3                  10.0.1.1                  tcp dpt:domain
ACCEPT     udp  --  10.0.1.3                  10.0.1.1                  udp dpt:domain
ACCEPT     all  --  anywhere                  anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere                  BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255           anywhere
DROP       all  --  anywhere                  0.0.0.0
DROP       all  --  anywhere                  anywhere                  state INVALID
OUTBOUND   all  --  anywhere                  anywhere
LOG_FILTER all  --  anywhere                  anywhere
LOG        all  --  anywhere                  anywhere                  LOG level info prefix `Unknown Output'
DROP       all  --  anywhere                  anywhere                  owner GID match no-internet
Is the
Code:
ACCEPT all -- anywhere anywhere
overriding everything else? How do I remove that?
Hmmmm, I'm on 9.10 netbook remix. Thanks for the help.

I wrote these instructions using Jaunty and am still running that version of Ubuntu. Are you on a newer version? Maybe there is something different about the way iptables works on the new version?
No, I'm still running Jaunty because of my gfx card not playing nicely with Karmic the last time I tried upgrading to it. Oddly enough I tried the script again today and it worked perfectly. I know I logged out and rebooted before trying it last time I posted, so I really don't know why it decided to start working.
It really is a nice script - thanks for posting it.
This is pretty cool, but is there a way to make this sort of thing able to toggle?
Like if you are running a program and you want it to have network access for a certain event or time, then block (or vice versa).
Yes, you can. Basically, the iptables rule that blocks the internet can be deleted or added dynamically, as required. I'm not sure of the exact nature of what you need, but basically here's how you could give a "program" some limited internet time:
First, start the program using the ni script:
Code:
ni program &
That will start the program without internet access, and the & allows you to keep typing more commands without waiting for the program to terminate first.
When you are ready to give the program internet access, delete the iptables rule:
Code:
sudo iptables -D OUTPUT -m owner --gid-owner no-internet -j DROP
Now the program can access the internet. When you want to block it again, just re-include (ie, add) the iptables rule to cut off the internet for that program again:
Code:
sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
If you wanted the inverse (ie, only block a portion of time for the program but allow the rest), you could delete the rule before you run the program (but still use the ni script to run it) and then add the rule just for the time you want to block the program.
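As an added example (not amac777's script and not from this thread), here is a small POSIX shell wrapper around the add/delete steps above. It checks whether the DROP rule is already in the OUTPUT chain before adding or deleting it, so a second "on" does not stack a duplicate DROP that a later single -D would leave behind, and "off" never fails on a missing rule. It assumes the HOWTO's group name no-internet and an iptables that supports -C (check), which is newer than Jaunty's; IPTABLES can be overridden for dry runs.

```shell
#!/bin/sh
# Toggle the HOWTO's "no-internet" DROP rule on and off. Added example, not the
# thread's script. Assumes: iptables supports -C (check), which is newer than
# Jaunty's iptables; the group is the HOWTO's "no-internet". IPTABLES may be
# overridden (e.g. to a wrapper) for dry runs.
IPTABLES="${IPTABLES:-sudo iptables}"
GROUP="${NI_GROUP:-no-internet}"

# The exact rule from the HOWTO, minus the -A/-D/-C verb.
rule_args() { echo "OUTPUT -m owner --gid-owner $GROUP -j DROP"; }

# Succeeds only if the DROP rule is currently in the OUTPUT chain.
rule_present() { $IPTABLES -C $(rule_args) >/dev/null 2>&1; }

# Add the rule only if absent: a second "on" must not stack a duplicate DROP,
# which a later single -D would leave in place.
block_on() {
  if rule_present; then echo "already blocked"; else $IPTABLES -A $(rule_args); fi
}

# Delete the rule only if present, so -D never fails on a missing rule.
block_off() {
  if rule_present; then $IPTABLES -D $(rule_args); else echo "already open"; fi
}

toggle() { if rule_present; then block_off; else block_on; fi; }

# Prints "blocked" or "open"; usable from other scripts.
status() { if rule_present; then echo blocked; else echo open; fi; }

# Open the network for the group for N seconds, then re-block (the
# "limited internet time" case from the thread).
allow_for() { block_off; sleep "$1"; block_on; }

main() {
  case "$1" in
    on) block_on ;;
    off) block_off ;;
    toggle) toggle ;;
    status) status ;;
    allow) allow_for "${2:-60}" ;;
    *) echo "usage: $0 on|off|toggle|status|allow [seconds]" >&2; return 1 ;;
  esac
}

# Dispatch only when given an argument; with none, the file just defines functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as, for example, "ni-toggle.sh allow 30" to give programs started with ni thirty seconds of network access and then block them again.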
amac777, this HOWTO really rocks! Exactly what I needed to prevent some win(e) programs from "calling home"... thanks a lot!
frank