Sometimes you need to start a program with its Internet access blocked beforehand. There is a fairly simple trick for this.
The idea is to start the application under a specific marker group ID, which netfilter then uses as the signal to block that process's traffic.
Step 1. Create a marker group and add yourself to it.
Create a group (in our case the group will be called noinet):
sudo groupadd noinet
Add the current user to it:
sudo gpasswd -a `id -un` noinet
Step 2. Create an iptables rule that is applied before each network interface is brought up
Create a file in the directory /etc/network/if-pre-up.d:
sudo vim /etc/network/if-pre-up.d/inet_access_blocking_rule
with the following content:
#!/bin/bash
# Drop every outgoing packet generated by a process whose group is noinet
iptables -A OUTPUT -m owner --gid-owner noinet -j DROP
Do not forget to make it executable:
sudo chmod +x /etc/network/if-pre-up.d/inet_access_blocking_rule
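The single DROP rule above does the job, but it has a few rough edges that show up the first time you look at the OUTPUT chain after a couple of ifup runs. Below is an added example, not the post's script, of a hardened if-pre-up.d variant. The group name noinet comes from the post; the function names, the NOINET_GROUP variable and the IFACE check (ifupdown exports IFACE to if-pre-up.d scripts, so the script applies rules when run by ifup and only prints them when run by hand) are assumptions of this example. The -C/--check option needs iptables 1.4.11 or newer.

```shell
#!/bin/sh
# Added example, not the original post's script: a hardened variant of
# /etc/network/if-pre-up.d/inet_access_blocking_rule. Compared with a
# single "iptables -A ... -j DROP" it
#   - is idempotent: if-pre-up.d runs once per interface, so a plain -A
#     would append a duplicate rule every time (needs iptables >= 1.4.11
#     for -C/--check);
#   - leaves loopback open, so the program can still use local services;
#   - covers IPv6, otherwise only half of the traffic is blocked;
#   - uses REJECT so the program fails at once instead of waiting for a
#     connection timeout (the post uses DROP; swap it back if preferred).

GROUP="${NOINET_GROUP:-noinet}"

# Print the firewall commands for one binary ($1, iptables or
# ip6tables) and one group ($2, default $GROUP) without running them.
# Both rules are inserted at the top of OUTPUT so that earlier ACCEPT
# rules (e.g. for established connections) cannot bypass them; the
# loopback ACCEPT is inserted last so it ends up in front of the REJECT.
noinet_rules() {
    ipt="$1"
    g="${2:-$GROUP}"
    cat <<EOF
$ipt -C OUTPUT -m owner --gid-owner $g -j REJECT 2>/dev/null || $ipt -I OUTPUT 1 -m owner --gid-owner $g -j REJECT
$ipt -C OUTPUT -o lo -m owner --gid-owner $g -j ACCEPT 2>/dev/null || $ipt -I OUTPUT 1 -o lo -m owner --gid-owner $g -j ACCEPT
EOF
}

# Number of rule lines in the full (IPv4 + IPv6) set.
noinet_rule_count() {
    { noinet_rules iptables; noinet_rules ip6tables; } | wc -l | tr -d ' '
}

# Apply the rules when run by ifup (IFACE is set) or with --apply;
# otherwise just show what would be done, which needs no root.
if [ -n "${IFACE-}" ] || [ "${1-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "noinet rules: must run as root" >&2; exit 1; }
    for ipt in iptables ip6tables; do
        noinet_rules "$ipt" | sh -e
    done
else
    for ipt in iptables ip6tables; do
        noinet_rules "$ipt"
    done
fi
```

Run it by hand to see the generated rules, or with sudo ... --apply to install them right away; on the next ifup it runs again and, thanks to the -C checks, changes nothing.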
Step 3. Create a startup script that sets the marker group
Place the script in /usr/local/bin:
sudo vim /usr/local/bin/noinet
The content of the script is simple:
#!/bin/bash
# Run the given command under the noinet group; sg hands the joined arguments to a shell
sg noinet "$*"
Again, don't forget to make it executable:
sudo chmod +x /usr/local/bin/noinet
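One thing to know about the wrapper: sg noinet "$*" joins all arguments with spaces and passes the result to a shell, so an argument containing a space or a quote (noinet firefox "my page.html") is split again on the other side. The following added example, not the post's wrapper, re-quotes every argument before handing it to sg and also checks the group membership first, since sg prompts for the group password when the user is not a member. The group name noinet is the post's; the function names and the NOINET_GROUP variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original post's wrapper: /usr/local/bin/noinet
# rewritten so that arguments survive intact on their way through sg.

GROUP="${NOINET_GROUP:-noinet}"

# Turn "$@" into one single-quoted shell string. The only character
# that needs escaping inside single quotes is the quote itself, which
# becomes '\'' (close the string, escaped quote, reopen the string).
quote_args() {
    out=""
    for a in "$@"; do
        q=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
        out="$out '$q'"
    done
    printf '%s' "${out# }"
}

# True when the current user already has the marker group; sg would
# otherwise prompt for a group password (or simply fail).
in_group() {
    id -Gn | tr ' ' '\n' | grep -qx "$1"
}

noinet() {
    if ! in_group "$GROUP"; then
        echo "noinet: you are not a member of group '$GROUP' (re-login after gpasswd -a?)" >&2
        return 1
    fi
    # sg runs the string with the Bourne shell, so the quoting from
    # quote_args is undone exactly once and each argument arrives whole.
    sg "$GROUP" -c "$(quote_args "$@")"
}

# Run only when a command was given, e.g. "noinet ping habrahabr.ru".
[ $# -eq 0 ] || noinet "$@"
```

Child processes inherit the group, so anything the wrapped program spawns is blocked as well. The marker is a supplementary group, not a sandbox: a process running with enough privilege to change its own groups is not bound by it, which is fine for the intended use of keeping an ordinary desktop application offline.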
Step 4. Reboot the system
Surely this can be done more simply, but on Karmic out of the box the situation is as follows:
sudo service networking restart
reports:
restart: Unknown instance:
sudo initctl restart networking
reports:
initctl: Unknown instance:
sudo invoke-rc.d networking restart
reports:
Ignoring unknown interface eth0 = eth0
In addition, for the new group membership to take effect you have to log in again (at the very least restart the DE with sudo restart gdm).
In short, if you just reboot, all the settings take effect.
Usage
Usage is simple:
noinet ping habrahabr.ru
noinet firefox
Hardcore Linux users can skip step 3 and use it all directly like this :)
sg noinet "ping habrahabr.ru"
sg noinet "firefox"