
I've followed this guide: How to block internet access for wine applications?

And created the following rules:

sudo addgroup no-internet  # Create group "no-internet"
sudo adduser $USER no-internet  # Add current user to no-internet
sudo iptables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP
sudo ip6tables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP # To also block IPv6 traffic

I then run the WINE app: sg no-internet -c "wine-stable pathToApp"

But how do I make this a persistent rule so that I don't have to run the WINE app via sg no-internet -c "wine-stable pathToApp" (i.e. so it applies even if I run the app directly), and so that it still works after a reboot?

kat
  • 309

1 Answer


The problem is the default primary group of the user. If the user was created with a default primary group named after their username (which is the case on most default setups), then the gid-owner check will not match, because the process's owner group ID is that user's own group, not the no-internet group ID you're trying to match.

NOTE: If you make this change to your currently running user who has sudo, you will likely break things, so I suggest that you create a secondary test user* and test the Internet rules from there.

Assuming that your iptables rules will persist, then make this additional change:

sudo usermod -g no-internet $USER

Then, test that user's connection to the Internet once they're logged in (ping 8.8.8.8 should say "operation not permitted", curl https://google.com should get a "Could not resolve" error, etc.).

* Note that I used deaduser which I created with the following command and then logged in as that user to test Internet connectivity: sudo useradd --create-home --user-group -g no-internet deaduser, and then logged in forcibly as that user with sudo su - deaduser to test the configuration of the rules.

The tests I did were ping 8.8.8.8 (which got an "operation not permitted" reply) and curl google.com (which got a "Could not resolve" error).

Thomas Ward
  • 74,764
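The answer above hinges on two things: the DROP rule must actually be loaded and sit at position 1 of OUTPUT (that is what `-I OUTPUT 1` does, and it is gone after a reboot unless the rules were saved), and the process must carry no-internet as its primary group. The following shell helpers, added here and not part of the question or answer, check both; they assume the page's group name no-internet, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the question or answer above. Checks that the
# owner-match DROP rule from the page is loaded and still first in OUTPUT (the
# "-I OUTPUT 1" position, ahead of any ACCEPT rule), and wraps a launch under
# the no-internet group. Function names are my own; the group name is the page's.
GROUP="${NO_INTERNET_GROUP:-no-internet}"

# Read `iptables -S OUTPUT` text on stdin; print the 1-based position of the
# first "-A OUTPUT ... --gid-owner GRP ... -j DROP" rule, or "absent".
# iptables -S may print the group by name or by numeric gid, so both are accepted.
drop_rule_position() {
    awk -v grp="$1" -v gid="$2" '
        /^-A OUTPUT / {
            n++
            if ($0 ~ /-j DROP/)
                for (i = 1; i < NF; i++)
                    if ($i == "--gid-owner" && ($(i+1) == grp || $(i+1) == gid)) { pos = n; exit }
        }
        END { print (pos ? pos : "absent") }'
}

# "ok" when the DROP rule is rule 1, "shadowed" when it exists but an earlier
# rule (e.g. an ACCEPT for established connections) would see the packet first,
# "absent" when it is not loaded at all (the state you are in after a reboot
# unless the rules were saved and restored).
drop_rule_state() {
    pos=$(drop_rule_position "$1" "$2")
    case "$pos" in
        absent) echo absent ;;
        1)      echo ok ;;
        *)      echo shadowed ;;
    esac
}

# Live check for IPv4 and IPv6 (needs root, because iptables -S does).
check_live_rules() {
    gid=$(getent group "$GROUP" | cut -d: -f3)
    for tool in iptables ip6tables; do
        printf '%s: %s\n' "$tool" "$("$tool" -S OUTPUT | drop_rule_state "$GROUP" "$gid")"
    done
}

# Launch a command with no-internet as its primary group, which is what makes
# the owner match hit; e.g. `run_no_internet wine-stable /path/to/app`.
run_no_internet() {
    sg "$GROUP" -c "$*"
}
```

Running `check_live_rules` after a reboot is a quick way to see whether the rule survived; a wrapper script that calls `run_no_internet` is the persistent replacement for typing the sg command by hand.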
  • But that blocks all internet for deaduser, right? I only want to block access for some apps running from my main user. I want sg no-internet -c "wine-stable pathToApp" to be the default and persistent way the particular WINE app (or any other app I setup) executes. The same thing one can do on Windows - block internet access for a particular executable and have that rule persistently saved in Windows' firewall rule set. – kat Mar 04 '20 at 17:30
  • 1
    @kat Windows firewall incorporates an application-level firewall filter. There's no such mechanism directly within Linux - there's no way to only filter Wine apps in this way unless the wine apps are specifically launched in the group with sg ... like you said you wanted to persist. The problem is, it would be easier to just set up a rule in AppArmor to disallow Wine to run. (Application level filtration is done at a different layer than the Layer2/Layer3 level that Wine interacts at) – Thomas Ward Mar 04 '20 at 17:35
  • Sorry to bother you again, but would you be able to please provide some info on how disallowing Wine via AppArmor works? Would it be a persistent solution - i.e. the default way Wine (and any Wine app) always runs? – kat Mar 13 '20 at 19:29
  • Unfortunately I do not have the documentation on how to do this. A critical question though: if you do not want Wine apps to have internet during certain hours, why not just disallow the running of wine apps during the timeframes you want to disallow the apps to be used? – Thomas Ward Mar 13 '20 at 22:09
  • I don't want the Wine apps to ever have internet access, not just during some hours. – kat Mar 14 '20 at 11:59
  • @kat ... that goes against what your specific question initially was. That said, I'm researching an apparmor solution. It looks trivial to block Wine core running, but since wine executes out of multiple locations it gets complicated to make work. I'm experimenting in a VM and will give you an update if I get a complete solution. – Thomas Ward Mar 14 '20 at 22:12
  • My initial question was for a persistent solution - i.e. always block internet access, although ideally only for some Wine apps, but a total Wine block would still be better than nothing. – kat Mar 20 '20 at 18:53