Home / ubuntu / Questions / 45072
Accepted
guerda
Asked: 2011-05-26 01:30:47 +0800 CST

How to control internet access for each program?

  • 772

I would like to use a software to control which program may connect to the internet. I know that this behaviour is associated with the word "firewall", but some Linux users are very upset if somebody demands a Personal Firewall. I don't want to upset you by demand such a program.
I don't want to "secure ports" or other stuff a Personal Firewall promises on Windows. I looked into iptables but it does not fit my requirements.

I saw an excellent answer here ("How to block internet access for wine applications") but it's very uncomfortable to set this up.

Is there a software that asks for each program if it may access the internet?

firewall

12 Answers

  1. I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.

    1. Create a group no-internet. Do not join this group

      sudo addgroup no-internet

    2. Add a rule to iptables that prevents all processes belonging to the group no-internet from using the network (use ip6tables to also prevent IPv6 traffic)

      sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
    3. Execute sudo -g no-internet YOURCOMMAND instead of YOURCOMMAND.

    You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding

    %sudo     ALL=(:no-internet)      NOPASSWD: ALL

    or, something similar with sudo visudo

    Use the iptables-save and iptables-restore to persist firewall rules.

    • 39

  2. NOTE: Douane is no longer actively developed and is reported to not work in later Ubuntu versions. This solution may not work, but the answer is kept as is for historical reasons.

    In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane

    My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.

    Have a look at the website ;-)

    screen shot

    • 38

  3. Another option is firejail. It runs the application inside sandbox where you control if the application could see the network:

    firejail --net=none firefox

    This command will start Firefox browser without internet access. Note that the firejail distribution in the Ubuntu repo is outdated - better download its latest LTS version from the firejail home page.

    • 13
  4. Best Answer

    There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).

    • 6

  5. There is already a firewall in Ubuntu, ufw, but it is disabled by default. You can enable and use it by the command line or its frontend, gufw, that is installable directly from the Ubuntu Software Centre.

    If you need to block the internet access to a specific application, you can try LeopardFlower, which is still in beta version and it is not available in the Ubuntu Software Centre:

    • 5

  6. Running a program under another user will use the config files for that user and not yours.

    Here is a solution that does not require modifying the firewall rules, and runs under the same user (via sudo) with a modified environment, where your user is my_user and the app you want to run is my_app:

    # run app without access to internet
sudo unshare -n sudo -u my_user my_app

    For more details see man unshare and this answer.

    Linux GUI firewall

    If you are looking for a GUI firewall I've had good results with OpenSnitch — it's not yet in ubuntu repos and I wouldn't call it production-level, but following the build steps from the github page worked for me.

    • 5

  7. @psusi: I really wish people wouldn't peddle bad and not useful information. IPTables allows one to do this, so I'd hardly consider it "foolhardy". Just saying "NO" without understanding a use case is somewhat narrow minded. http://www.debian-administration.org/article/120/Application_level_firewalling

    EDIT bodhi.zazen

    NOTE - THIS OPTION WAS REMOVED FROM IPTABLES IN 2005, 8 YEARS BEFORE THIS ANSWER WAS POSTED

    SEE - http://www.spinics.net/lists/netfilter/msg49716.html

    commit 34b4a4a624bafe089107966a6c56d2a1aca026d4 Author: Christoph Hellwig Date: Sun Aug 14 17:33:59 2005 -0700

    [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner

    Rip out cmd/sid/pid matching since its unfixable broken and stands in the way of locking changes to tasklist_lock.

    Signed-off-by: Christoph Hellwig <hch@xxxxxx>
Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    • 3

  8. I have found the solution posted here to be a good one. It involves creating a user-group for which internet access is allowed, and setting up firewall rules to allow access only for this group. The only way for an application to access the internet is if it is run by a member of this group. You can run programs under this group by opening a shell with sudo -g internet -s.

    To recap what's in the post I linked above:

    1. Create the "internet" group by typing the following into a shell: sudo groupadd internet

    2. Ensure that the user who will run the script below is added to the sudo group in /etc/group. If you end up modifying this file, then you will need to log out and back in before the script below will work.

    3. Create a script containing the following, and run it:

      #!/bin/sh
# Firewall apps - only allow apps run from "internet" group to run

# clear previous rules
sudo iptables -F

# accept packets for internet group
sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT

# also allow local connections
sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT

# reject packets for other users
sudo iptables -A OUTPUT -p tcp -j REJECT

# open a shell with internet access
sudo -g internet -s

    4. By running the above script, you will have a shell in which you can run applications with internet access.

    Note that this script doesn't do anything to save and restore your firewall rules. You may wish to modify the script to use the iptables-save and iptables-restore shell commands.

    • 3

  9. Try Leopard Flower. It has a GUI and per-application restrictions.

    • 1

  10. For better or worse, Linux uses a different approach. There is no simple graphical interface to offer this functionality. There are many discussions on this topic on the internet and you can find interesting discussions if you google search. While debate is interesting, to date there has not been a dedicated group of programmers wanting to write and maintain this functionality.

    The tools that offer this functionality in Linux are Apparmor, Selinux, and Tomoyo.

    None of these tools are overly easy to learn and all have advantages and disadvantages. Personally I prefer SELinux, although SELinux has a steeper learning curve.

    See:

    http://www.linuxbsdos.com/2011/12/06/3-application-level-firewalls-for-linux-distributions/

    There was (is) an application that has been referenced already, leopardflower. I am not sure of the status / maintance.

    • 1