Home / ubuntu / Questions / 19346
Accepted
YSN
Asked: 2010-12-30 16:12:22 +0800 CST

How to block internet access for wine applications?

  • 772

How can one prevent specific or any wine applications from accessing the internet?

When using certain applications under Windows, they were trying to access the internet from time to time without any obvious reason. I was able to prevent that behaviour with a personal firewall back then. Unfortunately I did not find an application level firewall in Ubuntu up to now. This is especially annoying when I am abroad using data-roaming with my 3G modem.

security wine firewall

5 Answers

  1. Best Answer

    There's a nice tutorial on blocking any given program from accessing the Internet on the Ubuntu forums.

    Steps

    sudo addgroup no-internet  # Create group "no-internet"
sudo adduser $USER no-internet  # Add current user to no-internet

    iptables rule to prevent that group from accessing the network

    sudo iptables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP
sudo ip6tables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP # To also block IPv6 traffic

    Process you don't want to have internet access using sg or sudo -g (execute command as different group ID):

    sg no-internet -c "processFullPath args"

    It basically involves creating a new group, denying it Internet access, and then running any program you want to restrict as that group ID. So in your case, you would just always run wine using the method described in the tutorial.

    • 37

  2. Make a group and become a member of it

    addgroup wino

adduser $USER wino

    Now enter an iptables rule to block that group from using the internet you can type this on the terminal and hit enter

    iptables -A OUTPUT -m owner --gid-owner wino -j REJECT

    To make this rule run after each reboot with systemd use iptables-persistent save from iptables-persistent package.

    If using rc-local: You can put the rule in /etc/rc.local. Make sure the last line in that text file says exit 0.

    Usage example:

    sg wino "wine executablename.exe"

    You need the " " and also type wine before the programs name.

    • 17

  3. EDIT few years later for software not fan of proxy settings & overall a much cleaner & simpler answer :

    use bublewrap + unshare to launch your app :

    bwrap --unshare-net wine yourapp.exe

    changing proxies / original answer

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
"ProxyHttp.1.1"=dword:00000000
"ProxyOverride"="<local>"
"ProxyServer"="http://NonExistantProxyAddress:80"
"User Agent"="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"

    to add to your wine (or playonlinux virtual drives) registry :

    much simpler solution indeed than using groups (& does not prevent pol to connect, just the apps)

    credits to http://ootput.wordpress.com/2011/06/06/block-wine-applications-from-the-internet/comment-page-1/

    • 10

  4. Simply run app as:

    systemd-run --scope -p IPAddressDeny=any wine myapp.exe

    The IPAddressDeny=… allows to deny access to a set of IPv4 and IPv6 addresses. Special value any disables access to all of them for all IP-based protocols, like TCP, UDP, ICMP, SCTP, etc.

    Example of usage (note: for this demo I had to fix wine ping, since it was timing out on me):

    $ export WINEDEBUG=-all   # remove debug prints for the demo
$ wine ping localhost     # check that ping works
Pinging localhost [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time=1ms TTL=64

Ping statistics for 127.0.0.1
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 1ms, Average = 0ms
$ systemd-run --scope -p IPAddressDeny=any wine ping localhost   # well, not anymore
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to manage system services or other units.
Multiple identities can be used for authentication:
 1.  constantine
 2.  archie
Choose identity to authenticate as (1-2): 1
Password:
==== AUTHENTICATION COMPLETE ====
Running scope as unit: run-u28936.scope
Pinging localhost [127.0.0.1] with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 127.0.0.1
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

    For the rest of the answer I gonna copy text from my other similar answer on unix.se:

    Note: this gonna ask you for a password but the app gets launched as your user. Do not allow this to delude you into thinking that the command needs sudo, because that would cause the command to run under root, which hardly was your intention.

    If you want to not enter the password (after all, you already own your resources, why would you need a password to limit them), you could use --user option, however for this to work you gonna need cgroupsv2 support enabled, which right now requires to boot with systemd.unified_cgroup_hierarchy kernel parameter.

    • 5

  5. It is not the cleanest solution, but as a temporary solution for PlayOnLinux users, it is easy and fast to setup.

    Go to Settings > Internet

    Enable Set a proxy and enter a website without a proxy e.g. stackoverflow.com and random user name and password. The programs won't reach the proxy server or the internet.

    Warning: Be aware, that this will also prevent the install dialog from searching and installing new software!

    s

    • 0