HOWTO: Run a particular program but prevent it from accessing the Internet

[quickzilver]

Thanks a lot for this post.
I hope this should work.
Yet to try it out.

[six-geek]

[...] Maybe there is something different about the way iptables works on the new version?

I guess that is the reason why i get the password question

$ ni "ping www.google.com"
Password:
Invalid password.

Isn't it weird that I get asked to identify myself by password? Am I the only person with this issue? I am running kubuntu 9.10.

[amac777]

I guess that is the reason why i get the password question

Isn't it weird that I get asked to identify myself by password? Am I the only person with this issue? I am running kubuntu 9.10.

Getting asked for a password seems to indicate that your user is not a member of the "no-internet" group like it should be. See "Step 1" and make sure you add your user to the no-internet group. I normally use the SYSTEM-ADMINISTRATION-USERS AND GROUPS tool to do this, but if you prefer the command line, you can also use this command:

Code:

sudo usermod -a -G no-internet username

where username should be your username. Then you need to logout / log in again to make the new groups take effect. Once your user is a member of the group, you should not get that password prompt anymore.

[six-geek]

Cheers for this tip. But I am still in the group no-internet. This shows me the command

$ id
uid=1000(six) gid=1000(six) groups= [...] 1002(no-internet)

Any further ideas?

[johnbrod]

Does "sudo iptables -L" look like this:

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            owner GID match no-internet

This is what I've got

Code:

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  10.0.1.3             10.0.1.1            tcp dpt:domain 
ACCEPT     udp  --  10.0.1.3             10.0.1.1            udp dpt:domain 
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere            
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8 
DROP       all  --  255.255.255.255      anywhere            
DROP       all  --  anywhere             0.0.0.0             
DROP       all  --  anywhere             anywhere            state INVALID 
OUTBOUND   all  --  anywhere             anywhere            
LOG_FILTER  all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level info prefix `Unknown Output' 
DROP       all  --  anywhere             anywhere            owner GID match no-internet

Is the

Code:

ACCEPT all -- anywhere anywhere

overriding everything else? How do I remove that?

I wrote these instructions using Jaunty and am still running that version of Ubuntu. Are you on a newer version? Maybe there is something different about the way iptables works on the new version?

Hmmmm, I'm on 9.10 netbook remix. Thanks for the help.

[Cypher1101]

I wrote these instructions using Jaunty and am still running that version of Ubuntu. Are you on a newer version? Maybe there is something different about the way iptables works on the new version?

No, I'm still running jaunty because of my gfx card not playing nicely with karmic the last time i tried upgrading to it. Oddly enough I tried the script again today and it worked perfectly. I know I logged out and rebooted before trying it last time I posted, so I really don't know why it decided to start working.

It really is a nice script - thanks for posting it

[amac777]

Is the

Code:

ACCEPT all -- anywhere anywhere

overriding everything else? How do I remove that?

To delete that rule, you can use:

Code:

sudo iptables -D OUTPUT 3

The 3 is because the rule you want to delete is the third one in the OUTPUT chain.

[bj0]

This is pretty cool, but is there a way to make this sort of thing able to toggle?

Like if you are running a program and you want it to have network access for a certain event or time, then block (or vice versa).

[amac777]

This is pretty cool, but is there a way to make this sort of thing able to toggle?

Like if you are running a program and you want it to have network access for a certain event or time, then block (or vice versa).

Yes, you can. Basically, the iptables rule that blocks the internet can be deleted or added dynamically, as required. I'm not sure of the exact nature of what you need, but basically here's how you could give a "program" some limited internet time:

First, start the program using the ni script:

Code:

ni program &

That will start the program without internet access and the & allows you to keep typing more commands without waiting for the program to terminate first.

When you are ready to give the program internet access, delete the iptables rule:

Code:

sudo iptables -D OUTPUT -m owner --gid-owner no-internet -j DROP

Now the program can access the internet. When you want to block it again, just re-include (ie, add) the iptables rule to cutoff the internet for that program again:

Code:

sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP

If you wanted the inverse (ie, only block a portion of time for the program but allow the rest), you could delete the rule before you run the program (but still use the ni script to run it) and then add the rule just for the time you want to block the program.

[FrankyG]

amac777, this HOWTO really rocks! excactly what I needed to prevent some win(e) programs from "calling home"... thanks a lot!
frank