I would like to use software to control which program may connect to the internet. I know that this behaviour is associated with the word "firewall", but some Linux users are very upset if somebody demands a Personal Firewall. I don't want to upset you by demanding such a program.
I don't want to "secure ports" or other stuff a Personal Firewall promises on Windows. I looked into iptables but it does not fit my requirements.
I saw an excellent answer here ("How to block internet access for wine applications") but it's very uncomfortable to set this up.
Is there software that asks for each program if it may access the internet?
- On Mac there is a program called Little Snitch that does this. I think there is a Windows version also... (Alvar, May 25, 2011)
13 Answers
I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.
1. Create a group no-internet. Do not join this group:
    sudo addgroup no-internet
2. Add a rule to iptables that prevents all processes belonging to the group no-internet from using the network (use ip6tables to also prevent IPv6 traffic):
    sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
3. Execute sudo -g no-internet YOURCOMMAND instead of YOURCOMMAND.
You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding
    %sudo ALL=(:no-internet) NOPASSWD: ALL
or something similar with sudo visudo.
Use iptables-save and iptables-restore to persist the firewall rules.
- I tried your guide; sudo -g no-internet firefox connects faster than the default one. It doesn't work. (kenn, Apr 14, 2014)
- @kenn I can only say that it works fine here. I would guess that you are doing something wrong when creating the rule. Not saving the rule, not making the script executable or something like that. (Tim, Apr 14, 2014)
- I rebooted and applied the above rules again with no luck. (kenn, Apr 14, 2014)
- Worked perfectly for me, even with Firefox. Thank you! (Kostanos, Aug 8, 2018)
- This doesn't seem to work for me either, on Ubuntu 19.04. I did have to install iptables-persistent in order to allow the changes to be saved between reboots. (So you might want to add that to the solution above.) However, sudo -g no-internet firefox does not restrict Firefox from accessing the internet. Conceptually, this solution seems like it should work. Is there something fundamental that is being overlooked? For example, do we need to set up BOTH IPv4 and IPv6 to make this work? (Enterprise, May 10, 2019)
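The comments above show the common failure mode of this answer: the group exists, but the owner-match rule is not actually loaded (or only for IPv4). The wrapper below is an added example, not Tim's script; it assumes the no-internet group and the rules from the answer, and that iptables-save/ip6tables-save can be run via sudo. It checks both address families before handing the command to sudo -g.

```shell
#!/bin/sh
# nonet: run a command in the "no-internet" group, first checking that a
# DROP/REJECT owner-match rule is loaded for BOTH IPv4 and IPv6. A missing
# ip6tables rule is one reason "sudo -g no-internet firefox" still connects.
# Added example; assumes the group and rules were created as in the answer.
GROUP="${NONET_GROUP:-no-internet}"

# has_owner_rule RULESET NAME GID
# Return 0 if RULESET (iptables-save text) has an OUTPUT rule matching
# --gid-owner NAME or GID with a DROP/REJECT target. iptables-save prints
# the numeric GID, so both spellings are accepted.
has_owner_rule() {
    printf '%s\n' "$1" |
        grep -Eq -- "^-A OUTPUT .*-m owner --gid-owner ($2|$3) .*-j (DROP|REJECT)"
}

# check_rules: inspect both address families. Returns the number of
# families with no blocking rule (0 = fully covered), or 2 if the group
# itself does not exist.
check_rules() {
    gid=$(getent group "$GROUP" | cut -d: -f3)
    if [ -z "$gid" ]; then
        echo "error: group $GROUP does not exist" >&2
        return 2
    fi
    missing=0
    for tool in iptables-save ip6tables-save; do
        ruleset=$(sudo "$tool" 2>/dev/null) || ruleset=""
        if ! has_owner_rule "$ruleset" "$GROUP" "$gid"; then
            echo "warning: $tool has no DROP/REJECT OUTPUT rule for gid $gid ($GROUP)" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# nonet_run CMD [ARGS...]: warn about gaps, then run CMD under the group.
nonet_run() {
    rc=0
    check_rules || rc=$?
    [ "$rc" -eq 2 ] && exit 2
    [ "$rc" -gt 0 ] && echo "note: $rc address family(ies) unfiltered; traffic may leak" >&2
    exec sudo -g "$GROUP" -- "$@"
}

if [ "$#" -gt 0 ]; then
    nonet_run "$@"
fi
```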
NOTE: Douane is no longer actively developed and is reported to not work in later Ubuntu versions. This solution may not work, but the answer is kept as is for historical reasons.
In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ and https://gitlab.com/douaneapp/Douane
My application blocks any unknown application (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.
Have a look at the website ;-)
- Cool! I also looked at the PPA but there is no package there despite the application being created there. Also, I wonder if it could show the IP resolved to a readable site name? And I am going to follow the compilation instructions; I saw many tips for Ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). Maybe checkinstall could be used to create your distributables too, I think. (Aquarius Power, Oct 8, 2014)
- You can open a feature request on GitHub (github.com/Douane/Douane/issues) :) (ZedTuX, Oct 8, 2014)
- Uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu. (azerafati, Mar 14, 2016)
- Hey @darksoulsong, I'm still working on it, but with a very little amount of time, unfortunately. Join us on gitter.im/Douane/… in order to get the most up-to-date info! (ZedTuX, Jun 15, 2020)
Another option is firejail. It runs the application inside a sandbox where you control whether the application can see the network:
    firejail --net=none firefox
This command will start the Firefox browser without internet access. Note that the firejail distribution in the Ubuntu repo is outdated; better download its latest LTS version from the firejail home page.
- Very lightweight and very useful. Thanks for sharing! (Exterminator13, Apr 6, 2020)
There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).
- I will have a look at it. It's interesting and may be the right tool. Unfortunately, there's no GUI, but it shouldn't stop me :) (guerda, May 25, 2011)
Running a program under another user will use the config files for that user and not yours.
Here is a solution that does not require modifying the firewall rules, and runs under the same user (via sudo) with a modified environment, where your user is my_user and the app you want to run is my_app:
    # run app without access to internet
    sudo unshare -n sudo -u my_user my_app
For more details see man unshare and this answer.
Linux GUI firewall
If you are looking for a GUI firewall I've had good results with OpenSnitch — it's not yet in the Ubuntu repos and I wouldn't call it production-level, but following the build steps from the GitHub page worked for me.
- It's now possible to use it without root:
    unshare --net --user --map-current-user my_app
  (etam1024, Oct 28, 2024)
There is already a firewall in Ubuntu, ufw, but it is disabled by default. You can enable and use it from the command line or via its frontend, gufw, which is installable directly from the Ubuntu Software Centre.
If you need to block internet access for a specific application, you can try LeopardFlower, which is still in beta and is not available in the Ubuntu Software Centre.
I have found the solution posted here to be a good one. It involves creating a user group for which internet access is allowed, and setting up firewall rules to allow access only for this group. The only way for an application to access the internet is if it is run by a member of this group. You can run programs under this group by opening a shell with sudo -g internet -s.
To recap what's in the post I linked above:
1. Create the "internet" group by typing the following into a shell:
    sudo groupadd internet
2. Ensure that the user who will run the script below is added to the sudo group in /etc/group. If you end up modifying this file, then you will need to log out and back in before the script below will work.
3. Create a script containing the following, and run it:
    #!/bin/sh
    # Firewall apps - only allow apps run from "internet" group to run
    # clear previous rules
    sudo iptables -F
    # accept packets for internet group
    sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
    # also allow local connections
    sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
    sudo iptables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT
    # reject packets for other users
    sudo iptables -A OUTPUT -p tcp -j REJECT
    # open a shell with internet access
    sudo -g internet -s
By running the above script, you will have a shell in which you can run applications with internet access.
Note that this script doesn't do anything to save and restore your firewall rules. You may wish to modify the script to use the iptables-save and iptables-restore shell commands.
@psusi: I really wish people wouldn't peddle bad and not useful information. iptables allows one to do this, so I'd hardly consider it "foolhardy". Just saying "NO" without understanding a use case is somewhat narrow-minded. http://www.debian-administration.org/article/120/Application_level_firewalling
EDIT by bodhi.zazen:
NOTE - THIS OPTION WAS REMOVED FROM IPTABLES IN 2005, 8 YEARS BEFORE THIS ANSWER WAS POSTED.
SEE - http://www.spinics.net/lists/netfilter/msg49716.html
    commit 34b4a4a624bafe089107966a6c56d2a1aca026d4
    Author: Christoph Hellwig
    Date:   Sun Aug 14 17:33:59 2005 -0700

        [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner

        Rip out cmd/sid/pid matching since its unfixable broken and stands in the way of locking changes to tasklist_lock.

        Signed-off-by: Christoph Hellwig <hch@xxxxxx>
        Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
        Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
- To anyone considering flagging this: This should not be a comment instead; it answers the question that was asked. @user141987 I do recommend expanding this to provide more information about how to set up iptables to implement per-application restrictions, however. I recommend including the important information in your answer (and still providing the link, for reference). (Eliah Kagan, Mar 20, 2013)
- iptables does NOT filter by application. (Panther, Mar 20, 2013)
- That article appears to be misinformation since there is no such option. The reason why requests to create such an option in the past were rejected is because it would be inherently unreliable; an application can simply change its name. (psusi, Mar 21, 2013)
- @psusi Are you saying "If your kernel was compiled with CONFIG_IP_NF_MATCH_OWNER then you can configure your iptables firewall to allow or reject packets on a per-command basis" is incorrect? Or simply that most kernels don't include the option? If this is incorrect, are there sources of information that debunk it? (Also, please note that the primary purpose of per-application firewall restrictions is not to try to make it perfectly safe to run untrusted applications. The purpose is primarily to give the user a measure of control beyond applications' built-in configuration options.) (Eliah Kagan, Mar 21, 2013)
- This option was removed from the kernel in 2005, 8 years before this answer was given - spinics.net/lists/netfilter/msg49716.html - and despite claims to the contrary it is inaccurate; you can NOT application-filter with iptables. (Panther, Jul 20, 2017)
Building on the original answer, you can assign the application's group to no-internet, eliminating the need to run the application with sg no-internet [CMD] or sudo -g no-internet [CMD].
1. Create the group no-internet:
    sudo addgroup no-internet
2. Add iptables/ip6tables rules to block all network traffic for processes in the no-internet group:
    sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j REJECT
    sudo ip6tables -A OUTPUT -m owner --gid-owner no-internet -j REJECT
3. Save and restore the firewall rules using iptables-save and iptables-restore.
4. Set the application's group to no-internet and set the set-group-ID bit (SGID):
    sudo chgrp no-internet [CMD]
    sudo chmod g+s [CMD]
Replace [CMD] with the application's executable.
To restore the application's internet access, reset the application's group and SGID:
    sudo chgrp root [CMD]
    sudo chmod g-s [CMD]
The sg no-internet "[CMD]" form may be useful for complex cases where the initial application spawns other sub-processes which are not affected by the SGID bit.
For better or worse, Linux uses a different approach. There is no simple graphical interface to offer this functionality. There are many discussions on this topic on the internet and you can find interesting discussions if you google search. While debate is interesting, to date there has not been a dedicated group of programmers wanting to write and maintain this functionality.
The tools that offer this functionality in Linux are AppArmor, SELinux, and Tomoyo.
None of these tools are overly easy to learn and all have advantages and disadvantages. Personally I prefer SELinux, although SELinux has a steeper learning curve.
See:
http://www.linuxbsdos.com/2011/12/06/3-application-level-firewalls-for-linux-distributions/
There was (is) an application that has been referenced already, LeopardFlower. I am not sure of its status / maintenance.
It was in iptables up to kernel version 2.6.24. If you are running a 2.x - 2.6.24 machine and your kernel has it compiled in, you can do it. For some reason they took it out, so no, it's not Microsoft. http://cateee.net/lkddb/web-lkddb/IP_NF_MATCH_OWNER.html
- debian-administration.org/?article=120 (not really, Sep 9, 2013)
Try Leopard Flower. It has a GUI and per-application restrictions.
No, it isn't possible. It also isn't part of the traditional definition of a firewall. It is something that Microsoft came up with fairly recently in an attempt to paper around their fundamentally broken OS security problems. It is considered foolhardy and unworkable in the Linux community because one program that isn't allowed can simply run another program that is and gain access that way.
If you don't like what a program is doing on the network when you run it, then don't run that program.
- Microsoft's firewall was not the first major firewall to offer this functionality. It wasn't even the first Windows firewall to offer it. BlackIce Defender, ZoneAlarm, and a variety of other software firewalls for Windows predate the introduction of the Windows Internet Connection Firewall by years. Furthermore, there is no such consensus in the Linux community. We often use AppArmor (or SELinux) to constrain the behavior of applications (and I wonder if AppArmor could be adapted to this purpose...). There's no reason it's "wrong" to want to control what apps can access the Internet. (Eliah Kagan, Mar 20, 2013)
- And, as several other answers can attest, per-application firewall restrictions are quite possible; this functionality is built into iptables/netfilter! (Eliah Kagan, Mar 20, 2013)
- No, neither netfilter nor iptables can filter per application. They can filter by user and port but not per application. (Panther, Mar 20, 2013)
- "Can simply run another"???? Then obviously the creator of such a program that doesn't block the child processes of the target program is vastly flawed. (trusktr, Aug 3, 2013)