SU_PYROW

No Internet

By SU_PYROW

There may be a time where you don't want a program to have access to the internet, this will solve that problem easily.

Create a group called "no-internet" and add your user as a member of this new group.

Create a script (in your PATH) called "ni" (No Internet) as follows:

sudo vi /sbin/ni
#!/bin/bash
sg no-internet "$1"

And make it executable:

sudo chmod +x /sbin/ni

Create a script called iptables_no-internet_rule

sudo vi /etc/rc.d/rc.iptables_no-internet_rule
#!/bin/bash

if [ -x  /etc/rc.d/rc.iptables_no-internet_rule]; then
  sh /etc/rc.d/rc.iptables_no-internet_rule
fi
echo Starting No-Internet rule...Done.

iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
#END
sudo chmod +x /etc/rc.d/rc.iptables_no-internet_rule

Enable the new firewall settings you made above:

sudo /etc/rc.d/rc.iptables_no-internet_rule

Logout and then log back in again to make the group permissions take effect.

You can now run any program without allowing that program to access the network by using this command:

ni "program_name"

Examples:

ni "ping www.yahoo.com"
ni "wine install.exe"
ni firefox

will all run but fail to access the Internet because ping, wine, and firefox are run using the ni script as the group no-internet, which has been barred from outputting anything to other networks. Note: if you are just running a single word command like firefox you don't need the quotes. Also note, for testing, make sure firefox isn't already running because then it will already have Internet access. Close it first and then run it preceeded by ni.

Options:

The above will actually prevent all outgoing network access by the programs run with ni; however, sometimes this may not be what you want. For example, certain local network access for games in wine might be acceptable. If you want to allow only local network access but still keep the Internet in general blocked, you can change the iptables config line in the file mentioned in Step 3 to the following:

iptables -A OUTPUT -m owner --gid-owner no-internet -d ! 192.168.0.0/24 -j DROP

change the 192.168.0.0 to match your local network as required.

Revert all changes:

The above changes will persist even after system reboot so you can always run any program with the "ni" script to prevent it from getting out on the network. However, if you no longer want to have this feature enabled, you can uninstall the above by simply removing the two files created like this:

sudo rm /sbin/ni
sudo rm /etc/rc.d/rc.iptables_no-internet_rule

Remove the group "no-internet"

This document was last modified on: 133120 13:08:26 UTC