45

How can one prevent specific or any wine applications from accessing the internet?

When using certain applications under Windows, they were trying to access the internet from time to time without any obvious reason. I was able to prevent that behaviour with a personal firewall back then. Unfortunately I did not find an application level firewall in Ubuntu up to now. This is especially annoying when I am abroad using data-roaming with my 3G modem.

YSN (2,349)
  • You can try my noinet preload: http://askubuntu.com/questions/249826/how-to-disable-internet-connection-for-a-single-process/393013#393013 – escor Dec 19 '13 at 13:35
  • Can somebody extend the answers / provide an additional answer that works with nftables? – dirdi Nov 23 '19 at 15:45

5 Answers

39

There's a nice tutorial on blocking any given program from accessing the Internet on the Ubuntu forums.

Steps

sudo addgroup no-internet  # Create group "no-internet"
sudo adduser $USER no-internet  # Add current user to no-internet

iptables rule to prevent that group from accessing the network

sudo iptables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP
sudo ip6tables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP # To also block IPv6 traffic

Run the process you don't want to have internet access using sg or sudo -g (execute a command as a different group ID):

sg no-internet -c "processFullPath args"

It basically involves creating a new group, denying it Internet access, and then running any program you want to restrict as that group ID. So in your case, you would just always run wine using the method described in the tutorial.

Pablo Bianchi (15,657)
goric (3,816)
  • (+2) Thank you, that's it! But I don't understand why someone has voted you down. Your answer is exactly what I had hoped for. – YSN Dec 30 '10 at 22:03
  • It's a great answer if you follow the link, but I suspect the DV was because it is a mostly link answer. If you want the how, you have to go to the forums. That said, it got an upvote from me. – RobotHumans Dec 17 '15 at 04:40
  • (+1) To elaborate: to run a command under the new group use: sg no-internet -c "command args". Also note: apparently this iptables rule does not drop pings, so if you're going to test whether it's working, use netcat instead. EDIT: I also noted: it doesn't drop IPv6 connections, so you have only blocked UDP and TCP over IPv4. – Hi-Angel Jan 11 '19 at 17:47
  • (+1) @Hi-Angel Probably should be the same args but with ip6tables. – Pablo Bianchi Jan 13 '19 at 06:57
  • This could be further revised to indicate how to always match that no-internet group without having to execute sg no-internet -c ...: force the default group of the user you want to block to no-internet. sudo usermod -g no-internet USERNAME will force no-internet as the user's default group, and then the rule always matches without having to specify the group to execute something as. – Thomas Ward Mar 03 '20 at 21:01
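The accepted answer and its comments describe three separate manual steps (create the group, add the owner-match rule for both IPv4 and IPv6, launch the program with sg) and note that the rule is easy to forget for one address family. The script below is an added example, not code from the answer or its commenters: it makes the setup idempotent, checks that a DROP or REJECT rule for the group's gid is really present in the OUTPUT chain of both iptables and ip6tables before launching, and only then runs the program under the blocked group. It assumes Debian/Ubuntu tools (addgroup, adduser, sg, getent) and the iptables/ip6tables commands; the script name no-internet.sh is an assumption as well.

```shell
#!/bin/sh
# Added example (not from the answer): idempotent launcher for the
# "no-internet" group approach, covering IPv4 and IPv6 and verifying the
# rule is in place before running the program under sg.

GROUP_NAME=no-internet

# owner_rule_present RULESET GID
# RULESET is the text printed by `iptables -S OUTPUT` (or ip6tables).
# Returns 0 if an OUTPUT rule matching --gid-owner GID with target DROP or
# REJECT exists. `iptables -S` prints the numeric gid rather than the group
# name, so the caller passes the number.
owner_rule_present() {
  printf '%s\n' "$1" |
    grep -Eq "^-A OUTPUT .*-m owner --gid-owner $2 .*-j (DROP|REJECT)"
}

# ensure_blocked GID: insert the DROP rule at position 1 of OUTPUT in both
# address families unless it is already there, so re-running the script
# does not pile up duplicate rules. This is the only step that needs root.
ensure_blocked() {
  for tool in iptables ip6tables; do
    if ! owner_rule_present "$(sudo "$tool" -S OUTPUT)" "$1"; then
      sudo "$tool" -I OUTPUT 1 -m owner --gid-owner "$1" -j DROP
    fi
  done
}

# run_offline CMD ARGS...: run the command with no-internet as its group.
# Only this process and its children carry the blocked gid; the rest of the
# session keeps its normal network access.
run_offline() {
  sg "$GROUP_NAME" -c "$*"
}

main() {
  user=$(id -un)
  getent group "$GROUP_NAME" >/dev/null || sudo addgroup "$GROUP_NAME"
  if ! id -nG "$user" | tr ' ' '\n' | grep -qx "$GROUP_NAME"; then
    sudo adduser "$user" "$GROUP_NAME"
  fi
  gid=$(getent group "$GROUP_NAME" | cut -d: -f3)
  ensure_blocked "$gid"
  run_offline "$@"
}

# Usage: ./no-internet.sh wine /path/to/app.exe
# main only runs when the file is executed under its assumed name, so the
# functions can be sourced and reused elsewhere.
case "${0##*/}" in
  no-internet.sh) main "$@" ;;
esac
```

The check in owner_rule_present is what the comments above are missing: run it against the output of both tools and a silently unblocked IPv6 path shows up as a missing rule rather than as a surprise later. Passing the gid numerically also makes the check independent of whether a particular iptables build resolves group names when printing rules.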
17

Make a group and become a member of it

addgroup wino

adduser $USER wino

Now enter an iptables rule to block that group from using the internet; you can type this in the terminal and hit enter:

iptables -A OUTPUT -m owner --gid-owner wino -j REJECT

To make this rule run after each reboot with systemd, use iptables-persistent save from the iptables-persistent package.

If using rc-local: You can put the rule in /etc/rc.local. Make sure the last line in that text file says exit 0.

Usage example:

sg wino "wine executablename.exe"

You need the " " and also have to type wine before the program's name.

Pablo Bianchi (15,657)
mark (171)
  • (+2) I've edited your usermod command to add -a. Without -a, you will end up removing the user from all other supplementary groups (like admin, cdrom, etc.)! It is also more convenient to use addgroup/adduser. – gertvdijk Jul 14 '13 at 17:50
  • Was just about to fix the -a myself. Yes, do not start wine as root! You only need root to make the iptables rule. The usage example was for a normal user after doing those steps. – mark Jul 14 '13 at 17:52
  • Ah sorry, my mistake. Removed comment. – gertvdijk Jul 14 '13 at 17:53
  • @gertvdijk I edited the commands once more, adduser <username> <groupname> is the sensible thing here. – guntbert Jul 14 '13 at 17:58
  • (+1) Is there any possibility to make it the default that internet is blocked for that program (i.e. making the sg call obsolete, e.g. by chowning the program)? – bonanza Sep 06 '15 at 13:13
  • I need to run it using cgexec to also limit memory usage, any idea how to use it instead of sg? Just to test it, as it seems a system (and not wine-specific) thing, I ran sg wino google-chrome or with links2 and both were able to connect, but ping failed! Could someone explain that (specific question here)? – Aquarius Power Oct 14 '17 at 00:43
11

EDIT a few years later, for software that is not a fan of proxy settings, and overall a much cleaner and simpler answer:

use bubblewrap + unshare to launch your app:

bwrap --unshare-net wine yourapp.exe

changing proxies / original answer

Windows Registry Editor Version 5.00
; import with: wine regedit <file>.reg

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
"ProxyHttp.1.1"=dword:00000000
"ProxyOverride"="<local>"
"ProxyServer"="http://NonExistantProxyAddress:80"
"User Agent"="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

to add to your wine (or playonlinux virtual drives) registry:

much simpler solution indeed than using groups (and it does not prevent pol from connecting, just the apps)

credits to http://ootput.wordpress.com/2011/06/06/block-wine-applications-from-the-internet/comment-page-1/

mikakun (197)
  • (+7) This only blocks access for software which honors proxy settings, most don't obviously... so this is not a valid solution! – K1773R Mar 24 '15 at 08:35
  • (+1) Like which one? (All software I've been using with pol were blocked indeed.) Hence I'm not convinced by your statement: it is valid in many cases, might not be in some, but which one? – mikakun Mar 25 '15 at 20:34
  • (+3) No it's not. E.g. any software that just connects to a host:port via TCP will continue to function. An HTTP proxy setting is something a program has to recognize and honor. If you don't believe me, get/compile software which connects to another host via TCP and see it for yourself. – K1773R Mar 26 '15 at 21:47
  • @K1773R finally had to work around this, updated my desktop shortcut to bwrap --unshare-net wine mywindowsapp.exe – mikakun Jun 06 '22 at 01:02
8

Simply run app as:

systemd-run --scope -p IPAddressDeny=any wine myapp.exe

The IPAddressDeny=… setting denies access to a set of IPv4 and IPv6 addresses. The special value any disables access to all of them for all IP-based protocols, like TCP, UDP, ICMP, SCTP, etc.

Example of usage (note: for this demo I had to fix wine ping, since it was timing out on me):

$ export WINEDEBUG=-all   # remove debug prints for the demo
$ wine ping localhost     # check that ping works
Pinging localhost [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time=1ms TTL=64

Ping statistics for 127.0.0.1
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 1ms, Average = 0ms
$ systemd-run --scope -p IPAddressDeny=any wine ping localhost   # well, not anymore
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to manage system services or other units.
Multiple identities can be used for authentication:
 1.  constantine
 2.  archie
Choose identity to authenticate as (1-2): 1
Password:
==== AUTHENTICATION COMPLETE ====
Running scope as unit: run-u28936.scope
Pinging localhost [127.0.0.1] with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 127.0.0.1
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

For the rest of the answer I'm gonna copy text from my other similar answer on unix.se:


Note: this is gonna ask you for a password, but the app gets launched as your user. Do not allow this to delude you into thinking that the command needs sudo, because that would cause the command to run under root, which hardly was your intention.

If you want to not enter the password (after all, you already own your resources, why would you need a password to limit them), you could use the --user option; however, for this to work you're gonna need cgroupsv2 support enabled, which right now requires booting with the systemd.unified_cgroup_hierarchy kernel parameter.

Hi-Angel (3,702)
0

It is not the cleanest solution, but as a temporary solution for PlayOnLinux users, it is easy and fast to set up.

Go to Settings > Internet

Enable Set a proxy and enter a website without a proxy, e.g. stackoverflow.com, and a random user name and password. The programs won't reach the proxy server or the internet.

Warning: be aware that this will also prevent the install dialog from searching for and installing new software!


Alwin (383)