How to control internet access for each program?
I would like to use software to control which program may connect to the internet. I know that this behaviour is associated with the word "firewall", but some Linux users are very upset if somebody demands a Personal Firewall. I don't want to upset you by demanding such a program.
I don't want to "secure ports" or other stuff a Personal Firewall promises on Windows. I looked into iptables but it does not fit my requirements.
I saw an excellent answer here ("How to block internet access for wine applications") but it's very uncomfortable to set this up.
Is there software that asks for each program whether it may access the internet?
firewall iptables
On Mac there is software called Little Snitch that does this. I think there is a Windows version also...
– Alvar
May 25 '11 at 13:47
asked May 25 '11 at 9:30 by guerda (edited Apr 13 '17 at 12:25 by Community)
12 Answers
There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).
– Florian Diesch
answered May 25 '11 at 11:02, edited Jul 6 '14 at 12:35 by Sparhawk
I will have a look at it. It's interesting and may be the right tool. Unfortunately, there's no GUI, but it shouldn't stop me :)
– guerda
May 25 '11 at 11:13
In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane
My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.
Have a look at the website ;-)
– ZedTuX
answered Aug 8 '13 at 17:56, edited Jan 19 at 11:34 by janot
Cool! I also looked at the PPA but there is no package there, despite the application being created there. Also, I wonder if it could show the IP resolved to a readable site name? And I am going to follow the compilation instructions; I saw many tips for Ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). Maybe checkinstall could be used to create your distributables too, I think.
– Aquarius Power
Oct 8 '14 at 4:47
You can open a feature request on GitHub (github.com/Douane/Douane/issues) :)
– ZedTuX
Oct 8 '14 at 9:50
Uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu.
– azerafati
Mar 14 '16 at 14:06
Still no package for Ubuntu?
– Anwar
Apr 30 '16 at 6:05
Nope, no one came to me regarding Ubuntu :(
– ZedTuX
Apr 30 '16 at 8:23
I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.
- Create a group no-internet. Do not join this group:
sudo addgroup no-internet
- Add a rule to iptables that prevents all processes belonging to the group no-internet from using the network (use ip6tables to also prevent IPv6 traffic):
sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
- Execute
sudo -g no-internet YOURCOMMAND
instead of YOURCOMMAND.
You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding
%sudo ALL=(:no-internet) NOPASSWD: ALL
or something similar with sudo visudo.
Use iptables-save and iptables-restore to persist firewall rules.
– Tim
answered Feb 19 '14 at 12:17, edited Jan 13 at 7:18 by Pablo Bianchi
I tried your guide; sudo -g no-internet firefox connects faster than the default one. It doesn't work.
– kenn
Apr 14 '14 at 12:22
@kenn I can only say that it works fine here. I would guess that you are doing something wrong when creating the rule. Not saving the rule, not making the script executable or something like that.
– Tim
Apr 14 '14 at 13:53
I rebooted and applied above rules again with no luck
– kenn
Apr 14 '14 at 14:32
It was sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP for me; sudo was required.
– Artur Klesun
Mar 29 '18 at 16:38
Worked perfectly for me, even with Firefox. Thank you!
– Kostanos
Aug 8 '18 at 23:09
There is already a firewall in Ubuntu, ufw, but it is disabled by default. You can enable and use it from the command line or through its frontend, gufw, which is installable directly from the Ubuntu Software Centre.
If you need to block internet access for a specific application, you can try LeopardFlower, which is still in beta and is not available in the Ubuntu Software Centre.
@psusi:
I really wish people wouldn't peddle bad and not useful information. IPTables allows one to do this, so I'd hardly consider it "foolhardy".
Just saying "NO" without understanding a use case is somewhat narrow-minded.
http://www.debian-administration.org/article/120/Application_level_firewalling
EDIT bodhi.zazen
NOTE - THIS OPTION WAS REMOVED FROM IPTABLES IN 2005, 8 YEARS BEFORE THIS ANSWER WAS POSTED
SEE - http://www.spinics.net/lists/netfilter/msg49716.html
commit 34b4a4a624bafe089107966a6c56d2a1aca026d4
Author: Christoph Hellwig
Date: Sun Aug 14 17:33:59 2005 -0700
[NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner
Rip out cmd/sid/pid matching since its unfixable broken and stands in the way of locking changes to tasklist_lock.
Signed-off-by: Christoph Hellwig <hch@xxxxxx>
Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
To anyone considering flagging this: this should not be a comment instead; it answers the question that was asked. @user141987 I do recommend expanding this to provide more information about how to set up iptables to implement per-application restrictions, however. I recommend including the important information in your answer (and still providing the link, for reference).
– Eliah Kagan
Mar 20 '13 at 13:50
iptables does NOT filter by application.
– Panther
Mar 20 '13 at 16:58
That article appears to be misinformation since there is no such option. The reason why requests to create such an option in the past were rejected is because it would be inherently unreliable; an application can simply change its name.
– psusi
Mar 21 '13 at 13:24
@psusi Are you saying "If your kernel was compiled with CONFIG_IP_NF_MATCH_OWNER then you can configure your iptables firewall to allow or reject packets on a per-command basis" is incorrect? Or simply that most kernels don't include the option? If this is incorrect, are there sources of information that debunk it? (Also, please note that the primary purpose of per-application firewall restrictions is not to try to make it perfectly safe to run untrusted applications. The purpose is primarily to give the user a measure of control beyond applications' built-in configuration options.)
– Eliah Kagan
Mar 21 '13 at 17:27
This option was removed from the kernel in 2005, 8 years before this answer was given (spinics.net/lists/netfilter/msg49716.html) and, despite claims to the contrary, is inaccurate: you can NOT filter by application with iptables.
– Panther
Jul 20 '17 at 22:49
Running a program under another user will use the config files for that user and not yours.
Here is a solution that does not require modifying the firewall rules, and runs under the same user (via sudo) with a modified environment, where your user is my_user and the app you want to run is my_app:
# run app without access to internet
sudo unshare -n sudo -u my_user my_app
For more details see man unshare and this answer.
Linux GUI firewall
If you are looking for a GUI firewall I've had good results with OpenSnitch — it's not yet in ubuntu repos and I wouldn't call it production-level, but following the build steps from the github page worked for me.
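A wrapper around the unshare approach in the answer above, added here as an example (it is not code from the answer). Two things a fresh network namespace does not give you by default are covered: the loopback interface is brought up so the program can still reach 127.0.0.1 (a local proxy or database), and the namespace is checked to be empty of other interfaces and routes before the program starts. It assumes Linux with util-linux unshare, iproute2 and sudo; the user and command are whatever you pass in.

```shell
#!/bin/sh
# netns-run.sh: run a program with no network by giving it a fresh network
# namespace (unshare -n), raising loopback and verifying isolation first.
# Added example, not from the answer. Assumes util-linux unshare, iproute2, sudo.
set -eu

# Pure check, usable on real or constructed data: $1 is the output of
# `ip -o link show`, $2 the output of `ip route show`. True only when there is
# exactly one interface, it is lo, and there are no routes at all.
check_isolated() {
    links=$1; routes=$2
    [ "$(printf '%s\n' "$links" | grep -c '^[0-9][0-9]*: ')" -eq 1 ] || return 1
    printf '%s\n' "$links" | grep -q '^[0-9][0-9]*: lo: ' || return 1
    [ -z "$routes" ]
}

# Runs as root inside the new namespace: $1 is the user to drop to, the rest is
# the command. Loopback starts down in a fresh namespace, so raise it first.
inner() {
    user=$1; shift
    ip link set lo up
    if ! check_isolated "$(ip -o link show)" "$(ip route show)"; then
        echo "refusing to start: namespace still has interfaces or routes" >&2
        exit 1
    fi
    # sudo resets the environment; add --preserve-env=DISPLAY,WAYLAND_DISPLAY
    # (sudo 1.8.21 or later) if the program needs the graphical session.
    exec sudo -u "$user" -- "$@"
}

# Entry point from the caller's shell: re-executes this script under unshare -n
# as root, passing the caller's own user name so the program keeps its config.
run_isolated() {
    sudo unshare -n "$0" --inner "$(id -un)" "$@"
}

case "${1:-}" in
    --inner) shift; inner "$@" ;;
    "")      ;;                    # no arguments: only define the functions
    *)       run_isolated "$@" ;;
esac
```

Usage: `./netns-run.sh firefox` (the script must be executable, since unshare re-invokes it by path). The isolation check is what you would run manually as `sudo unshare -n ip route`; an empty routing table and a lone lo device is the expected state.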
I have found the solution posted here to be a good one. It involves creating a user group for which internet access is allowed, and setting up firewall rules to allow access only for this group. The only way for an application to access the internet is if it is run by a member of this group. You can run programs under this group by opening a shell with sudo -g internet -s.
To recap what's in the post I linked above:
Create the "internet" group by typing the following into a shell:
sudo groupadd internet
Ensure that the user who will run the script below is added to the sudo group in /etc/group. If you end up modifying this file, then you will need to log out and back in before the script below will work.
Create a script containing the following, and run it:
#!/bin/sh
# Firewall apps - only allow apps run from "internet" group to run
# clear previous rules
sudo iptables -F
# accept packets for internet group
sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
# also allow local connections
sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -d 192.168.0.0/24 -j ACCEPT
# reject packets for other users
sudo iptables -A OUTPUT -p tcp -j REJECT
# open a shell with internet access
sudo -g internet -s
By running the above script, you will have a shell in which you can run applications with internet access.
Note that this script doesn't do anything to save and restore your firewall rules. You may wish to modify the script to use the iptables-save and iptables-restore shell commands.
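The two group-based answers above (the no-internet group that is always denied, and the internet group that is the only one allowed) are the same netfilter owner match with the policy inverted. The script below is an added example, not code from either answer, and implements both modes. It differs from the answers in ways a practitioner will want: it is idempotent (re-running never duplicates a rule, thanks to iptables -C), it inserts the deny rule at the head of OUTPUT rather than appending it (an appended DROP sits behind whatever rules a front end such as ufw has already installed and may never be reached, which is one way the "it doesn't work" report above can happen), it applies the same rules to ip6tables, it covers every protocol rather than only TCP so UDP DNS is controlled too, and it verifies where the rule actually landed before running the command. Assumptions: Linux with iptables/ip6tables 1.4.11 or later and sudo; group names and the script name are mine.

```shell
#!/bin/sh
# group-net.sh: per-group network control with netfilter's owner match.
#   deny  GROUP CMD...  drop everything GROUP sends, then run CMD in GROUP
#   allow GROUP CMD...  only GROUP (and loopback) may send; reject the rest
# Added example, not from the answers above. Assumes iptables/ip6tables >= 1.4.11
# (for -C) and sudo.
set -eu

# Position (1-based, counting only -A lines) of the first OUTPUT rule in an
# `iptables -S OUTPUT` listing on stdin that matches --gid-owner $1 (numeric
# gid) or $2 (group name) and jumps to $3. Prints nothing when absent.
owner_rule_position() {
    awk -v gid="$1" -v name="$2" -v target="$3" '
        $1 == "-A" && $2 == "OUTPUT" {
            n++; owner = 0; jump = 0
            for (i = 3; i < NF; i++) {
                if ($i == "--gid-owner" && ($(i + 1) == gid || $(i + 1) == name)) owner = 1
                if ($i == "-j" && $(i + 1) == target) jump = 1
            }
            if (owner && jump) { print n; exit }
        }'
}

# Add a rule only if it is not already present. $1 tool, $2 position to insert
# at ("" appends), $3 chain, then the rule specification.
ensure_rule() {
    ipt=$1; pos=$2; chain=$3; shift 3
    if ! sudo "$ipt" -C "$chain" "$@" 2>/dev/null; then
        if [ -n "$pos" ]; then
            sudo "$ipt" -I "$chain" "$pos" "$@"
        else
            sudo "$ipt" -A "$chain" "$@"
        fi
    fi
}

# Deny: insert at the head of OUTPUT rather than append, so no earlier ACCEPT
# (for example from ufw's chains) can let the packet through before we DROP it.
apply_deny() {
    for ipt in iptables ip6tables; do
        ensure_rule "$ipt" 1 OUTPUT -m owner --gid-owner "$1" -j DROP
    done
}

# Allow: loopback first, then the group, then reject everyone else. This also
# rejects root and system daemons (apt, NTP) unless they are run via the group.
apply_allow() {
    for ipt in iptables ip6tables; do
        ensure_rule "$ipt" 1  OUTPUT -o lo -j ACCEPT
        ensure_rule "$ipt" 2  OUTPUT -m owner --gid-owner "$1" -j ACCEPT
        ensure_rule "$ipt" "" OUTPUT -j REJECT
    done
}

# A rule that exists but sits behind another rule is silently useless, so check
# where it actually landed in both tables. $1 group, $2 target, $3 expected position.
verify_position() {
    gid=$(getent group "$1" | cut -d: -f3)
    for ipt in iptables ip6tables; do
        pos=$(sudo "$ipt" -S OUTPUT | owner_rule_position "$gid" "$1" "$2")
        if [ "${pos:-0}" -ne "$3" ]; then
            echo "$ipt: $2 rule for group $1 is at position ${pos:-none}, expected $3" >&2
            return 1
        fi
    done
}

main() {
    if [ "$#" -lt 3 ]; then
        echo "usage: $0 deny|allow GROUP COMMAND..." >&2; return 2
    fi
    mode=$1; group=$2; shift 2
    getent group "$group" >/dev/null || sudo addgroup "$group"
    case $mode in
        deny)  apply_deny "$group";  verify_position "$group" DROP 1 ;;
        allow) apply_allow "$group"; verify_position "$group" ACCEPT 2 ;;
        *)     echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    # Run with the group as primary group. Persist the rules with
    # iptables-save / ip6tables-save if they should survive a reboot.
    sudo -g "$group" -- "$@"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

`./group-net.sh deny no-internet firefox` runs Firefox with all of its traffic dropped (including to 127.0.0.53, so a local stub resolver is unreachable too, which is the intent); `./group-net.sh allow internet bash` opens a shell whose programs are the only ones that may reach the network. If verify_position reports the rule at a position other than the expected one, an earlier run appended it or another tool reordered the chain; delete the stale rule with the same specification and -D, then re-run.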
For better or worse, Linux uses a different approach. There is no simple graphical interface to offer this functionality. There are many discussions on this topic on the internet and you can find interesting discussions if you Google search. While debate is interesting, to date there has not been a dedicated group of programmers wanting to write and maintain this functionality.
The tools that offer this functionality in Linux are AppArmor, SELinux, and Tomoyo.
None of these tools are overly easy to learn and all have advantages and disadvantages. Personally I prefer SELinux, although SELinux has a steeper learning curve.
See:
http://www.linuxbsdos.com/2011/12/06/3-application-level-firewalls-for-linux-distributions/
There was (is) an application that has been referenced already, leopardflower. I am not sure of the status / maintenance.
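The AppArmor route named in the answer above, as a concrete example added here (it is not code from the answer or from the AppArmor project): a profile that denies only IP networking for one program and leaves everything else permitted, generated and loaded by a small script. /usr/bin/example-app is a placeholder path. AppArmor profiles are default-deny, so the broad allow rules are my assumption to keep the program otherwise working; on a given AppArmor release the file, D-Bus or signal rules may need tightening. The script assumes Ubuntu with the apparmor and apparmor-utils packages and sudo.

```shell
#!/bin/sh
# aa-no-net.sh: confine one program with an AppArmor profile that refuses
# inet/inet6/packet sockets and allows the rest. Added example, not from the
# answer. Assumes apparmor_parser and aa-status are installed; the binary path
# given as $1 is a placeholder of your choosing.
set -eu

# AppArmor's conventional profile file name: drop the leading slash and turn
# the remaining slashes into dots (/usr/bin/foo -> usr.bin.foo).
profile_file_name() {
    printf '%s' "${1#/}" | tr '/' '.'
}

# Profile text for the binary given as $1. Deny rules take precedence over
# allow rules in AppArmor, so the three deny lines win over the `network,`
# allow below them; unix sockets (X11, D-Bus) stay usable.
profile_text() {
    cat <<EOF
#include <tunables/global>

$1 flags=(attach_disconnected) {
  #include <abstractions/base>

  deny network inet,
  deny network inet6,
  deny network packet,

  network,
  unix,
  dbus,
  signal,
  ptrace,
  capability,
  / mrwkl,
  /** mrwkl,
  /** ix,
}
EOF
}

# Write the profile, load it in enforce mode and confirm it is active.
install_profile() {
    bin=$1
    dest="/etc/apparmor.d/$(profile_file_name "$bin")"
    profile_text "$bin" | sudo tee "$dest" >/dev/null
    sudo apparmor_parser -r "$dest"
    sudo aa-status | grep -Fq "$bin" \
        || { echo "profile for $bin not reported as loaded" >&2; return 1; }
}

if [ "$#" -gt 0 ]; then
    install_profile "$1"
fi
```

After `./aa-no-net.sh /usr/bin/example-app`, every new instance of that binary is confined; a blocked connect() shows up in the kernel log as an apparmor="DENIED" operation="create" line with the socket family, which is the place to look when the program misbehaves. Remove the confinement with `sudo apparmor_parser -R` on the same file.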
It was in iptables up to kernel version 2.6.24.
If you are running a 2.x - 2.6.24 machine and your kernel has it compiled in, you can do it.
For some reason they took it out, so no, it's not Microsoft.
http://cateee.net/lkddb/web-lkddb/IP_NF_MATCH_OWNER.html
debian-administration.org/?article=120
– not really
Sep 9 '13 at 4:12
Try Leopard Flower. It has a GUI and per-application restrictions.
No, it isn't possible. It also isn't part of the traditional definition of a firewall. It is something that Microsoft came up with fairly recently in an attempt to paper around their fundamentally broken OS security problems. It is considered foolhardy and unworkable in the Linux community because one program that isn't allowed can simply run another program that is and gain access that way.
If you don't like what a program is doing on the network when you run it, then don't run that program.
Microsoft's firewall was not the first major firewall to offer this functionality. It wasn't even the first Windows firewall to offer it. BlackIce Defender, ZoneAlarm, and a variety of other software firewalls for Windows predate the introduction of the Windows Internet Connection Firewall by years. Furthermore, there is no such consensus in the Linux community. We often use AppArmor (or SELinux) to constrain the behavior of applications (and I wonder if AppArmor could be adapted to this purpose...). There's no reason it's "wrong" to want to control what apps can access the Internet.
– Eliah Kagan
Mar 20 '13 at 13:40
And, as several other answers can attest, per-application firewall restrictions are quite possible; this functionality is built into iptables/netfilter!
– Eliah Kagan
Mar 20 '13 at 13:46
No, neither netfilter nor iptables can filter per application. They can filter by user and port but not per application.
– Panther
Mar 20 '13 at 16:56
"Can simply run another"???? Then obviously the creator of such a program that doesn't block the child processes of the target program is vastly flawed.
– trusktr
Aug 3 '13 at 6:16
Another option is firejail. It runs the application inside a sandbox where you control whether the application can see the network:
firejail --net=none firefox
This command will start the Firefox browser without internet access.
Note that the firejail distribution in the Ubuntu repo is outdated; better download its latest LTS version from the firejail home page.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f45072%2fhow-to-control-internet-access-for-each-program%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
12 Answers
12
active
oldest
votes
12 Answers
12
active
oldest
votes
active
oldest
votes
active
oldest
votes
There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).
I will have a look at it. It's interesting an may be the right tool. Unfortunately, there's no gui, but it shouldn't stop me :)
– guerda
May 25 '11 at 11:13
add a comment |
There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).
I will have a look at it. It's interesting an may be the right tool. Unfortunately, there's no gui, but it shouldn't stop me :)
– guerda
May 25 '11 at 11:13
add a comment |
There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).
There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).
edited Jul 6 '14 at 12:35
Sparhawk
5,11662965
5,11662965
answered May 25 '11 at 11:02
Florian DieschFlorian Diesch
64.9k16162180
64.9k16162180
I will have a look at it. It's interesting an may be the right tool. Unfortunately, there's no gui, but it shouldn't stop me :)
– guerda
May 25 '11 at 11:13
add a comment |
I will have a look at it. It's interesting an may be the right tool. Unfortunately, there's no gui, but it shouldn't stop me :)
– guerda
May 25 '11 at 11:13
I will have a look at it. It's interesting an may be the right tool. Unfortunately, there's no gui, but it shouldn't stop me :)
– guerda
May 25 '11 at 11:13
I will have a look at it. It's interesting an may be the right tool. Unfortunately, there's no gui, but it shouldn't stop me :)
– guerda
May 25 '11 at 11:13
add a comment |
In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane
My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.
Have a look at the website ;-)
Cool! I looked also at ppa but no package there despite application is created there. Also I wonder if it could show the ip resolved to a readable site name? And, I am going to follow the compilation instructions, I saw many tips for ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). May be checkinstall could be used to create your distributables too I think.
– Aquarius Power
Oct 8 '14 at 4:47
You can open feature request on Github (github.com/Douane/Douane/issues) :)
– ZedTuX
Oct 8 '14 at 9:50
1
uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu.
– azerafati
Mar 14 '16 at 14:06
Still not package for Ubuntu?
– Anwar
Apr 30 '16 at 6:05
Nope, no none came to me regarding Ubuntu :(
– ZedTuX
Apr 30 '16 at 8:23
|
show 8 more comments
In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane
My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.
Have a look at the website ;-)
Cool! I looked also at ppa but no package there despite application is created there. Also I wonder if it could show the ip resolved to a readable site name? And, I am going to follow the compilation instructions, I saw many tips for ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). May be checkinstall could be used to create your distributables too I think.
– Aquarius Power
Oct 8 '14 at 4:47
You can open feature request on Github (github.com/Douane/Douane/issues) :)
– ZedTuX
Oct 8 '14 at 9:50
1
uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu.
– azerafati
Mar 14 '16 at 14:06
Still not package for Ubuntu?
– Anwar
Apr 30 '16 at 6:05
Nope, no none came to me regarding Ubuntu :(
– ZedTuX
Apr 30 '16 at 8:23
|
show 8 more comments
In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane
My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.
Have a look at the website ;-)
In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane
My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.
Have a look at the website ;-)
edited Jan 19 at 11:34
janot
76211028
76211028
answered Aug 8 '13 at 17:56
ZedTuXZedTuX
51857
51857
Cool! I looked also at ppa but no package there despite application is created there. Also I wonder if it could show the ip resolved to a readable site name? And, I am going to follow the compilation instructions, I saw many tips for ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). May be checkinstall could be used to create your distributables too I think.
– Aquarius Power
Oct 8 '14 at 4:47
You can open feature request on Github (github.com/Douane/Douane/issues) :)
– ZedTuX
Oct 8 '14 at 9:50
1
uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu.
– azerafati
Mar 14 '16 at 14:06
Still not package for Ubuntu?
– Anwar
Apr 30 '16 at 6:05
Nope, no none came to me regarding Ubuntu :(
– ZedTuX
Apr 30 '16 at 8:23
|
show 8 more comments
Cool! I looked also at ppa but no package there despite application is created there. Also I wonder if it could show the ip resolved to a readable site name? And, I am going to follow the compilation instructions, I saw many tips for ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). May be checkinstall could be used to create your distributables too I think.
– Aquarius Power
Oct 8 '14 at 4:47
You can open feature request on Github (github.com/Douane/Douane/issues) :)
– ZedTuX
Oct 8 '14 at 9:50
1
uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu.
– azerafati
Mar 14 '16 at 14:06
Still not package for Ubuntu?
– Anwar
Apr 30 '16 at 6:05
Nope, no none came to me regarding Ubuntu :(
– ZedTuX
Apr 30 '16 at 8:23
Cool! I looked also at ppa but no package there despite application is created there. Also I wonder if it could show the ip resolved to a readable site name? And, I am going to follow the compilation instructions, I saw many tips for ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). May be checkinstall could be used to create your distributables too I think.
– Aquarius Power
Oct 8 '14 at 4:47
Cool! I looked also at ppa but no package there despite application is created there. Also I wonder if it could show the ip resolved to a readable site name? And, I am going to follow the compilation instructions, I saw many tips for ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). May be checkinstall could be used to create your distributables too I think.
– Aquarius Power
Oct 8 '14 at 4:47
You can open feature request on Github (github.com/Douane/Douane/issues) :)
– ZedTuX
Oct 8 '14 at 9:50
You can open feature request on Github (github.com/Douane/Douane/issues) :)
– ZedTuX
Oct 8 '14 at 9:50
1
1
uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu.
– azerafati
Mar 14 '16 at 14:06
uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu.
– azerafati
Mar 14 '16 at 14:06
Still not package for Ubuntu?
– Anwar
Apr 30 '16 at 6:05
Still not package for Ubuntu?
– Anwar
Apr 30 '16 at 6:05
Nope, no none came to me regarding Ubuntu :(
– ZedTuX
Apr 30 '16 at 8:23
Nope, no none came to me regarding Ubuntu :(
– ZedTuX
Apr 30 '16 at 8:23
|
show 8 more comments
I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.
Create a group
no-internet
. Do not join this group
sudo addgroup no-internet
Add a rule to iptables that prevents all processes belonging to the group
no-internet
from using the network (useip6tables
to also prevent IPv6 traffic)
iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
- Execute
sudo -g no-internet YOURCOMMAND
instead ofYOURCOMMAND
.
You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding
%sudo ALL=(:no-internet) NOPASSWD: ALL
or something similar with sudo visudo
Use the iptables-save
and iptables-restore
to persist firewall rules.
1
I tried your guide,sudo -g no-internet firefox
connects faster than default one. It doesn't work.
– kenn
Apr 14 '14 at 12:22
@kenn I can only say that it works fine here. I would guess that you are doing something wrong when creating the rule. Not saving the rule, not making the script executable or something like that.
– Tim
Apr 14 '14 at 13:53
I rebooted and applied above rules again with no luck
– kenn
Apr 14 '14 at 14:32
It wassudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
for me,sudo
was required.
– Artur Klesun
Mar 29 '18 at 16:38
worked perfectly for me, even with firefox. thank you!
– Kostanos
Aug 8 '18 at 23:09
|
show 1 more comment
I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.
Create a group
no-internet
. Do not join this group
sudo addgroup no-internet
Add a rule to iptables that prevents all processes belonging to the group
no-internet
from using the network (useip6tables
to also prevent IPv6 traffic)
iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
- Execute
sudo -g no-internet YOURCOMMAND
instead ofYOURCOMMAND
.
You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding
%sudo ALL=(:no-internet) NOPASSWD: ALL
or something similar with sudo visudo
Use the iptables-save
and iptables-restore
to persist firewall rules.
1
I tried your guide,sudo -g no-internet firefox
connects faster than default one. It doesn't work.
– kenn
Apr 14 '14 at 12:22
@kenn I can only say that it works fine here. I would guess that you are doing something wrong when creating the rule. Not saving the rule, not making the script executable or something like that.
– Tim
Apr 14 '14 at 13:53
I rebooted and applied above rules again with no luck
– kenn
Apr 14 '14 at 14:32
It wassudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
for me,sudo
was required.
– Artur Klesun
Mar 29 '18 at 16:38
worked perfectly for me, even with firefox. thank you!
– Kostanos
Aug 8 '18 at 23:09
|
show 1 more comment
I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.
Create a group
no-internet
. Do not join this group
sudo addgroup no-internet
Add a rule to iptables that prevents all processes belonging to the group
no-internet
from using the network (useip6tables
to also prevent IPv6 traffic)
iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
- Execute
sudo -g no-internet YOURCOMMAND
instead ofYOURCOMMAND
.
You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding
%sudo ALL=(:no-internet) NOPASSWD: ALL
or something similar with sudo visudo
Use the iptables-save
and iptables-restore
to persist firewall rules.
I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.
Create a group
no-internet
. Do not join this group
sudo addgroup no-internet
Add a rule to iptables that prevents all processes belonging to the group
no-internet
from using the network (useip6tables
to also prevent IPv6 traffic)
iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
- Execute
sudo -g no-internet YOURCOMMAND
instead ofYOURCOMMAND
.
You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding
%sudo ALL=(:no-internet) NOPASSWD: ALL
or something similar with sudo visudo
Use the iptables-save
and iptables-restore
to persist firewall rules.
edited Jan 13 at 7:18
Pablo Bianchi
2,5751532
2,5751532
answered Feb 19 '14 at 12:17
TimTim
361138
361138
1
I tried your guide,sudo -g no-internet firefox
connects faster than default one. It doesn't work.
– kenn
Apr 14 '14 at 12:22
@kenn I can only say that it works fine here. I would guess that you are doing something wrong when creating the rule. Not saving the rule, not making the script executable or something like that.
– Tim
Apr 14 '14 at 13:53
I rebooted and applied above rules again with no luck
– kenn
Apr 14 '14 at 14:32
It wassudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
for me,sudo
was required.
– Artur Klesun
Mar 29 '18 at 16:38
worked perfectly for me, even with firefox. thank you!
– Kostanos
Aug 8 '18 at 23:09
|
show 1 more comment
There is already a firewall in Ubuntu, ufw, but it is disabled by default. You can enable and use it by the command line or its frontend, gufw, that is installable directly from the Ubuntu Software Centre.
If you need to block the internet access to a specific application, you can try LeopardFlower, which is still in beta version and it is not available in the Ubuntu Software Centre:
edited Jan 13 at 7:15 by Pablo Bianchi
answered Dec 23 '11 at 14:30 by heiko81
@psusi:
I really wish people wouldn't peddle bad and not useful information. IPTables allows one to do this, so I'd hardly consider it "foolhardy".
Just saying "NO" without understanding a use case is somewhat narrow minded.
http://www.debian-administration.org/article/120/Application_level_firewalling

EDIT bodhi.zazen
NOTE - THIS OPTION WAS REMOVED FROM IPTABLES IN 2005, 8 YEARS BEFORE THIS ANSWER WAS POSTED
SEE - http://www.spinics.net/lists/netfilter/msg49716.html

    commit 34b4a4a624bafe089107966a6c56d2a1aca026d4
    Author: Christoph Hellwig
    Date:   Sun Aug 14 17:33:59 2005 -0700

        [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner

        Rip out cmd/sid/pid matching since its unfixable broken and stands in the
        way of locking changes to tasklist_lock.

        Signed-off-by: Christoph Hellwig <hch@xxxxxx>
        Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
        Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
To anyone considering flagging this: This should not be a comment instead, it answers the question that was asked. @user141987 I do recommend expanding this to provide more information about how to set up iptables to implement per-application restrictions, however. I recommend including the important information in your answer (and still providing the link, for reference).
– Eliah Kagan
Mar 20 '13 at 13:50
iptables does NOT filter by application.
– Panther
Mar 20 '13 at 16:58
That article appears to be misinformation since there is no such option. The reason why requests to create such an option in the past were rejected is because it would be inherently unreliable; an application can simply change its name.
– psusi
Mar 21 '13 at 13:24
@psusi Are you saying "If your kernel was compiled with CONFIG_IP_NF_MATCH_OWNER then you can configure your iptables firewall to allow or reject packets on a per-command basis" is incorrect? Or simply that most kernels don't include the option? If this is incorrect, are there sources of information that debunk it? (Also, please note that the primary purpose of per-application firewall restrictions is not to try to make it perfectly safe to run untrusted applications. The purpose is primarily to give the user a measure of control beyond applications' built-in configuration options.)
– Eliah Kagan
Mar 21 '13 at 17:27
This option was removed from the kernel in 2005, 8 years before this answer was given - spinics.net/lists/netfilter/msg49716.html and despite claims to the contrary is inaccurate, you can NOT application filter with iptables.
– Panther
Jul 20 '17 at 22:49
edited Jul 20 '17 at 22:47 by Panther
answered Mar 20 '13 at 13:36 by user141987
Running a program under another user will use the config files for that user and not yours.
Here is a solution that does not require modifying the firewall rules, and runs under the same user (via sudo) with a modified environment, where your user is my_user and the app you want to run is my_app:

    # run app without access to internet
    sudo unshare -n sudo -u my_user my_app

For more details see man unshare and this answer.

Linux GUI firewall
If you are looking for a GUI firewall I've had good results with OpenSnitch — it's not yet in ubuntu repos and I wouldn't call it production-level, but following the build steps from the github page worked for me.
edited Jan 14 at 15:57
answered Feb 13 '17 at 21:34 by ccpizza
I have found the solution posted here to be a good one. It involves creating a user-group for which internet access is allowed, and setting up firewall rules to allow access only for this group. The only way for an application to access the internet is if it is run by a member of this group. You can run programs under this group by opening a shell with sudo -g internet -s.

To recap what's in the post I linked above:

Create the "internet" group by typing the following into a shell:

    sudo groupadd internet

Ensure that the user who will run the script below is added to the sudo group in /etc/group. If you end up modifying this file, then you will need to log out and back in before the script below will work.

Create a script containing the following, and run it:

    #!/bin/sh
    # Firewall apps - only allow apps run from "internet" group to run
    # Scope: these rules match TCP only (UDP, including DNS, and ICMP are not
    # filtered) and IPv4 only; mirror them with ip6tables if IPv6 is up.
    # clear previous rules in the OUTPUT chain only
    # (a bare "iptables -F" would also wipe your INPUT and FORWARD rules)
    sudo iptables -F OUTPUT
    # accept packets for internet group
    sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
    # also allow local connections (loopback and the LAN; the network address
    # of the /24 is 192.168.0.0, not .1)
    sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
    sudo iptables -A OUTPUT -p tcp -d 192.168.0.0/24 -j ACCEPT
    # reject packets for other users
    sudo iptables -A OUTPUT -p tcp -j REJECT
    # open a shell with internet access
    sudo -g internet -s

By running the above script, you will have a shell in which you can run applications with internet access.

Note that this script doesn't do anything to save and restore your firewall rules. You may wish to modify the script to use the iptables-save and iptables-restore shell commands.
edited Sep 21 '15 at 1:43
answered Aug 26 '15 at 19:12 by Mark
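Both group-based answers above (Tim's deny-list group no-internet and Mark's allow-list group internet) rely on the same netfilter owner match. The script below is an added, runnable version of that approach; it is not code from either answer. It assumes the group names no-internet and internet, a dedicated chain called APPFW, the LAN range 192.168.0.0/24 and the /etc/iptables/rules.v4 and rules.v6 paths read by the iptables-persistent package, all of which are this example's choices. It departs from the posted snippets in three places, each marked in a comment: every rule is mirrored into ip6tables, the rules live in their own chain so the rest of your ruleset is never flushed, and it uses REJECT instead of DROP so a blocked program fails immediately instead of hanging. It defaults to DRY_RUN=1 and only prints what it would run.

```shell
#!/bin/sh
# Added example: group-based egress control with the netfilter "owner" match.
# Not code from any answer on this page. Assumed names: groups "no-internet"
# and "internet", chain APPFW, LAN 192.168.0.0/24, iptables-persistent paths.
#
#   DRY_RUN=0 sudo sh appfw.sh deny      # members of no-internet are cut off (Tim's model)
#   DRY_RUN=0 sudo sh appfw.sh allow     # only members of internet get out (Mark's model)
#   DRY_RUN=0 sudo sh appfw.sh persist   # save for iptables-persistent / netfilter-persistent
#   sudo -g no-internet firefox          # run a program under the restricted group
set -eu

DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands instead of running them
CHAIN="APPFW"                    # our own chain: we flush this, never the user's OUTPUT/INPUT
LAN="${LAN:-192.168.0.0/24}"     # assumed local network; adjust to your site

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The owner match is per address family: a v4-only rule set leaks over IPv6.
both() {
    run iptables "$@"
    run ip6tables "$@"
}

ensure_group() {
    getent group "$1" >/dev/null 2>&1 || run groupadd "$1"
}

# Create the chain if missing, empty it, and hook it into OUTPUT exactly once
# (delete a stale hook first so repeated runs stay idempotent).
reset_chain() {
    both -N "$CHAIN" 2>/dev/null || true
    both -F "$CHAIN"
    both -D OUTPUT -j "$CHAIN" 2>/dev/null || true
    both -I OUTPUT 1 -j "$CHAIN"
}

# Deny-list (Tim's answer): everything a member of $1 sends is refused.
# REJECT instead of DROP: connect() fails at once rather than timing out.
deny_group() {
    ensure_group "$1"
    reset_chain
    both -A "$CHAIN" -m owner --gid-owner "$1" -j REJECT
}

# Allow-list (Mark's answer): loopback, the LAN and members of $1 get out;
# every other locally generated packet (any protocol, not only TCP) is refused.
allow_group_only() {
    ensure_group "$1"
    reset_chain
    both -A "$CHAIN" -o lo -j RETURN
    run iptables -A "$CHAIN" -d "$LAN" -j RETURN
    both -A "$CHAIN" -m owner --gid-owner "$1" -j RETURN
    both -A "$CHAIN" -j REJECT
}

persist() {
    run sh -c 'iptables-save > /etc/iptables/rules.v4 && ip6tables-save > /etc/iptables/rules.v6'
}

# The wrapper Tim mentions, as a file you could save as ~/bin/offline (assumed name):
#   #!/bin/sh
#   exec sudo -g no-internet -- "$@"

case "${1:-}" in
    deny)    deny_group "${2:-no-internet}" ;;
    allow)   allow_group_only "${2:-internet}" ;;
    persist) persist ;;
    "")      ;;   # no arguments: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 deny|allow [group] | persist" >&2; exit 2 ;;
esac
```

Two things to check after applying the allow-list mode: first, any process that is not a group member also loses name resolution unless its lookups go to a stub resolver on loopback (systemd-resolved answers on 127.0.0.53 on recent Ubuntu) and that resolver itself is allowed out, for example with an extra RETURN rule matching --uid-owner for the user it runs as (systemd-resolve on Ubuntu); second, the owner match only sees locally generated packets, so it has no effect on the FORWARD chain and cannot constrain traffic that a privileged program hands to another machine or container. Run `sudo iptables -L APPFW -v` (and the ip6tables equivalent) to confirm the counters move on the rule you expect.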
For better or worse, Linux uses a different approach. There is no simple graphical interface to offer this functionality. There are many discussions on this topic on the internet and you can find interesting discussions if you google search. While debate is interesting, to date there has not been a dedicated group of programmers wanting to write and maintain this functionality.
The tools that offer this functionality in Linux are AppArmor, SELinux, and TOMOYO.
None of these tools are overly easy to learn and all have advantages and disadvantages. Personally I prefer SELinux, although SELinux has a steeper learning curve.
See:
http://www.linuxbsdos.com/2011/12/06/3-application-level-firewalls-for-linux-distributions/
There was (is) an application that has been referenced already, leopardflower. I am not sure of the status / maintenance.
answered Mar 20 '13 at 17:06 by Panther
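The answer above names AppArmor as one of the tools that does restrict by application. As an added example, not taken from that answer or from the AppArmor project, here is a small named profile that denies a program IPv4 and IPv6 sockets while leaving files, capabilities, signals and Unix-domain sockets (X11, D-Bus, PulseAudio) alone, together with a script that installs it; a program is then started under the profile with aa-exec. Because the file rule carries the ix execute mode, anything the program spawns inherits the same profile, which is exactly the "it can just run another program" objection raised elsewhere on this page. The profile name no-internet and the path /etc/apparmor.d/no-internet are this example's assumptions. The script prints instead of installing unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from this page or from the AppArmor project): a named
# AppArmor profile that blocks IPv4/IPv6 networking for whatever is launched
# under it. Assumed: profile name "no-internet", path /etc/apparmor.d/no-internet.
#
#   DRY_RUN=0 sudo sh aa-no-internet.sh install
#   aa-exec -p no-internet -- firefox
set -eu

DRY_RUN="${DRY_RUN:-1}"
PROFILE_NAME="${PROFILE_NAME:-no-internet}"
PROFILE_PATH="${PROFILE_PATH:-/etc/apparmor.d/$PROFILE_NAME}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# In AppArmor a deny rule always wins over an allow rule, so the broad
# "network," grant is narrowed by the two deny lines. "file," includes the
# "ix" execute mode, so child processes run under this same profile and a
# restricted program cannot get out by spawning a helper.
profile_text() {
    cat <<EOF
#include <tunables/global>

profile $PROFILE_NAME flags=(attach_disconnected) {
  #include <abstractions/base>

  file,
  capability,
  signal,
  unix,
  dbus,
  network,
  deny network inet,
  deny network inet6,
}
EOF
}

install_profile() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "# would write $PROFILE_PATH:"
        profile_text
    else
        profile_text > "$PROFILE_PATH"
    fi
    run apparmor_parser -r "$PROFILE_PATH"    # load (or reload) it into the kernel
}

case "${1:-}" in
    install) install_profile ;;
    show)    profile_text ;;
    "")      ;;   # no arguments: only define the functions
    *)       echo "usage: $0 install|show" >&2; exit 2 ;;
esac
```

The deny lines cover loopback as well, so a program that talks to a local daemon over 127.0.0.1, or resolves names itself, will get EACCES; that is the price of a strict profile, and it is the behaviour the original question asks for. If a program fails to start under the profile for an unrelated reason, the kernel log (`journalctl -k` or /var/log/kern.log) shows the DENIED lines to add rules for. aa-exec only works once the profile is loaded, which apparmor_parser -r does without a reboot.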
It was in iptables up to kernel version 2.6.24.
If you are running a 2.x - 2.6.24 machine and your kernel has it compiled in you can do it.
For some reason they took it out, so no, it's not Microsoft.
http://cateee.net/lkddb/web-lkddb/IP_NF_MATCH_OWNER.html
debian-administration.org/?article=120
– not really
Sep 9 '13 at 4:12
answered Sep 9 '13 at 4:11 by not really
Try Leopard Flower. It has a GUI and per-application restrictions.
edited Sep 6 '17 at 20:03 by Eliah Kagan
answered Dec 13 '11 at 9:55 by brand
No, it isn't possible. It also isn't part of the traditional definition of a firewall. It is something that Microsoft came up with fairly recently in an attempt to paper around their fundamentally broken OS security problems. It is considered foolhardy and unworkable in the Linux community because one program that isn't allowed can simply run another program that is and gain access that way.
If you don't like what a program is doing on the network when you run it, then don't run that program.
Microsoft's firewall was not the first major firewall to offer this functionality. It wasn't even the first Windows firewall to offer it. BlackIce Defender, ZoneAlarm, and a variety of other software firewalls for Windows predate the introduction of the Windows Internet Connection Firewall by years. Furthermore, there is no such consensus in the Linux community. We often use AppArmor (or SELinux) to constrain the behavior of applications (and I wonder if AppArmor could be adapted to this purpose...). There's no reason it's "wrong" to want to control what apps can access the Internet.
– Eliah Kagan
Mar 20 '13 at 13:40
And, as several other answers can attest, per-application firewall restrictions are quite possible; this functionality is built into iptables/netfilter!
– Eliah Kagan
Mar 20 '13 at 13:46
No, neither netfilter nor iptables can filter per application. They can filter by user and port but not per application.
– Panther
Mar 20 '13 at 16:56
"Can simply run another"???? Then obviously the creator of such a program that doesn't block the child processes of the target program is vastly flawed.
– trusktr
Aug 3 '13 at 6:16
No, it isn't possible. It also isn't part of the traditional definition of a firewall. It is something that Microsoft came up with fairly recently in an attempt to paper around their fundamentally broken OS security problems. It is considered foolhardy and unworkable in the Linux community because one program that isn't allowed can simply run another program that is and gain access that way.
If you don't like what a program is doing on the network when you run it, then don't run that program.
6
Microsoft's firewall was not the first major firewall to offer this functionality. It wasn't even the first Windows firewall to offer it. BlackIce Defender, ZoneAlarm, and a variety of other software firewalls for Windows predate the introduction of the Windows Internet Connection Firewall by years. Furthermore, there is no such consensus in the Linux community. We often use AppArmor (or SELinux) to constrain the behavior of applications (and I wonder if AppArmor could be adapted to this purpose...). There's no reason it's "wrong" to want to control what apps can access the Internet.
– Eliah Kagan
Mar 20 '13 at 13:40
And, as several other answers can attest, per-application firewall restrictions are quite possible; this functionality is built into iptables/netfilter!
– Eliah Kagan
Mar 20 '13 at 13:46
No, neither netfilter nor iptables can filter per application. They can filter by user and port but not per application.
– Panther
Mar 20 '13 at 16:56
"Can simply run another"???? Then obviously the creator of such a program that doesn't block the child processes of the target program is vastly flawed.
– trusktr
Aug 3 '13 at 6:16
add a comment |
No, it isn't possible. It also isn't part of the traditional definition of a firewall. It is something that Microsoft came up with fairly recently in an attempt to paper around their fundamentally broken OS security problems. It is considered foolhardy and unworkable in the Linux community because one program that isn't allowed can simply run another program that is and gain access that way.
If you don't like what a program is doing on the network when you run it, then don't run that program.
No, it isn't possible. It also isn't part of the traditional definition of a firewall. It is something that Microsoft came up with fairly recently in an attempt to paper around their fundamentally broken OS security problems. It is considered foolhardy and unworkable in the Linux community because one program that isn't allowed can simply run another program that is and gain access that way.
If you don't like what a program is doing on the network when you run it, then don't run that program.
answered May 25 '11 at 13:35
psusi
Microsoft's firewall was not the first major firewall to offer this functionality. It wasn't even the first Windows firewall to offer it. BlackIce Defender, ZoneAlarm, and a variety of other software firewalls for Windows predate the introduction of the Windows Internet Connection Firewall by years. Furthermore, there is no such consensus in the Linux community. We often use AppArmor (or SELinux) to constrain the behavior of applications (and I wonder if AppArmor could be adapted to this purpose...). There's no reason it's "wrong" to want to control what apps can access the Internet.
– Eliah Kagan
Mar 20 '13 at 13:40
And, as several other answers can attest, per-application firewall restrictions are quite possible; this functionality is built into iptables/netfilter!
– Eliah Kagan
Mar 20 '13 at 13:46
No, neither netfilter nor iptables can filter per application. They can filter by user and port but not per application.
– Panther
Mar 20 '13 at 16:56
"Can simply run another"???? Then obviously the creator of such a program that doesn't block the child processes of the target program is vastly flawed.
– trusktr
Aug 3 '13 at 6:16
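The two threads above (the IP_NF_MATCH_OWNER link in the "not really" answer, and Panther's point that netfilter filters by user rather than by program) describe the approach that does still work with stock iptables: run the program as a dedicated account and match that account's traffic with the owner module. The following is an added example, not code from any answer on this page; it assumes a constructed system account named nonet and that the apply and run steps are executed as root.

```shell
# Constructed example; not code from any answer on this page.
# Per-application network control with the tools discussed above: run the
# program as a dedicated, otherwise unused account and reject that
# account's outbound traffic with the iptables owner match. Only
# --uid-owner is used, since the per-command --cmd-owner match was removed
# from the kernel (see the IP_NF_MATCH_OWNER link). Child processes inherit
# the UID, so they are caught as well; a setuid child is the exception.
# Assumptions: the account "nonet" (constructed name) exists, e.g. created
# with useradd -r, and nonet_apply / nonet_run are executed as root.

NONET_USER=${NONET_USER:-nonet}

# Emit the rules for the given account, one command per line, so they can
# be reviewed (and tested) before anything touches the live firewall.
nonet_rules() {
    user=$1
    for tool in iptables ip6tables; do
        # Loopback stays allowed so local IPC over 127.0.0.1/::1 keeps working.
        printf '%s -w -A OUTPUT -o lo -m owner --uid-owner %s -j ACCEPT\n' "$tool" "$user"
        # Everything else from this account is rejected (sender gets an error
        # immediately instead of a hanging connect).
        printf '%s -w -A OUTPUT -m owner --uid-owner %s -j REJECT\n' "$tool" "$user"
    done
}

# Apply the rules (root required); sh -e stops at the first failing command.
nonet_apply() {
    nonet_rules "$NONET_USER" | sh -e
}

# Check whether the IPv4 REJECT rule for the account is currently loaded.
nonet_check() {
    iptables -w -C OUTPUT -m owner --uid-owner "$NONET_USER" -j REJECT 2>/dev/null
}

# Run a program with its network cut off by switching to the account.
# Usage: nonet_run curl https://example.com   (expected to fail to connect)
nonet_run() {
    sudo -u "$NONET_USER" -- "$@"
}
```

Note that GUI programs started this way additionally need access to your display session, which is a separate permission from the network rules shown here.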
Another option is firejail. It runs the application inside a sandbox where you control whether the application can see the network:
firejail --net=none firefox
This command will start Firefox browser without internet access.
Note that the firejail package in the Ubuntu repo is outdated; better to download its latest LTS version from the firejail home page.
answered Jan 26 at 12:27
Dimitar II