81

I would like to use a software to control which program may connect to the internet. I know that this behaviour is associated with the word "firewall", but some Linux users are very upset if somebody demands a Personal Firewall. I don't want to upset you by demanding such a program.
I don't want to "secure ports" or other stuff a Personal Firewall promises on Windows. I looked into iptables but it does not fit my requirements.

I saw an excellent answer here ("How to block internet access for wine applications") but it's very uncomfortable to set this up.

Is there a software that asks for each program if it may access the internet?

guerda
  • 1,181
  • On Mac there is a software called Little Snitch that does this. I think there is a Windows version also... – Alvar May 25 '11 at 13:47

12 Answers

40

I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.

  1. Create a group no-internet. Do not join this group

    sudo addgroup no-internet
    
  2. Add a rule to iptables that prevents all processes belonging to the group no-internet from using the network (use ip6tables to also prevent IPv6 traffic)

    sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
    
  3. Execute sudo -g no-internet YOURCOMMAND instead of YOURCOMMAND.

You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding

%sudo     ALL=(:no-internet)      NOPASSWD: ALL

or, something similar with sudo visudo

Use the iptables-save and iptables-restore to persist firewall rules.

Pavak Paul
  • 1,234
  • 3
  • 14
  • 31
Tim
  • 601
  • 1
    I tried your guide; sudo -g no-internet firefox connects faster than the default one. It doesn't work. – kenn Apr 14 '14 at 12:22
  • 2
    @kenn I can only say that it works fine here. I would guess that you are doing something wrong when creating the rule. Not saving the rule, not making the script executable or something like that. – Tim Apr 14 '14 at 13:53
  • I rebooted and applied above rules again with no luck – kenn Apr 14 '14 at 14:32
  • It was sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP for me, sudo was required. – Klesun Mar 29 '18 at 16:38
  • 2
    worked perfectly for me, even with firefox. thank you! – Kostanos Aug 08 '18 at 23:09
  • This is great. I hate solutions where you have to install additional software etc. – callmebob Sep 14 '18 at 08:22
  • 2
    This doesn't seem to work for me either, on Ubuntu 19.04. I did have to install iptables-persistent in order to allow the changes to be saved between reboots. (So you might want to add that to the solution above). However, sudo -g no-internet firefox does not restrict Firefox from accessing internet. Conceptually, this solution seems like it should work. Is there something fundamental that is being overlooked? For example do we need to setup BOTH ipv4 and ipv6 to make this work? – Enterprise May 10 '19 at 19:33
  • A better option is to change the gid to root in your iptables rule, then set up a second allow rule which one can then sudo as for allowing access, or apply that group to the process's file if needed regularly.

    Think of it as defaulting to a blacklist and whitelisting allowed processes instead of an opt-in blacklist.

    – Dwight Spencer Oct 02 '20 at 04:37
  • Is there an equivalent for nftables? – Pedro Gimeno May 17 '21 at 18:51
  • According to iptables-translate, the NFTables equivalent is: nft add rule ip filter OUTPUT skgid "$(getent group no-internet|cut -f3 -d:)" counter drop – Pedro Gimeno May 24 '21 at 23:10
  • Nowadays, you probably also need to do it for IPv6 using a command like sudo ip6tables -A OUTPUT -m owner --gid-owner no-internet -j DROP and make it persistent using sudo service netfilter-persistent save (after installing the netfilter-persistent package). – Tey' Oct 04 '22 at 02:19
  • Hi! If I want to allow ONLY the group has-internet I do: sudo iptables -A OUTPUT -m owner !--gid-owner has-internet -j DROP , but when I do sudo -g has-internet YOURCOMMAND (i.e. sudo -g has-internet ping somerandomsite.com) it cannot connect... Why? Should I join the has-internet group or not? Should I use the option --suppl-groups in the rule? Thanks!!!!! – codeispoetry Mar 07 '23 at 16:28
  • PS I've created a new question: https://askubuntu.com/posts/1458243/edit – codeispoetry Mar 07 '23 at 16:54
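A wrapper script for the no-internet group approach above, as an added example (not code from the answer or its comments): it creates the group if missing, appends the DROP rule for both iptables and ip6tables only when it is not already present, and then runs the command via sudo -g. The NO_INTERNET_GROUP and DRY_RUN variables are assumptions of this example.

```shell
#!/bin/sh
# no-internet: run COMMAND as a member of the no-internet group so that the
# owner-match DROP rules apply to it and to every child it starts (the primary
# gid is inherited across fork/exec, except by setgid executables).
# Added example wrapper, not the answer's code; NO_INTERNET_GROUP and DRY_RUN
# are assumptions of this example.
set -u

GROUP="${NO_INTERNET_GROUP:-no-internet}"

# With DRY_RUN=1 the privileged commands are printed instead of executed, so the
# script can be reviewed (and tested) on a machine without iptables or sudo.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the group if it does not exist yet. Nobody is added to it: membership
# is taken on per command with sudo -g, which is the point of the scheme.
ensure_group() {
    getent group "$GROUP" >/dev/null 2>&1 || run sudo addgroup "$GROUP"
}

# Append the DROP rule for one address family unless an identical rule is
# already present (iptables -C exits 0 when the rule exists), so re-running the
# wrapper does not pile up duplicate rules.
ensure_drop_rule() {
    tool="$1"   # iptables or ip6tables
    if [ "${DRY_RUN:-0}" != 1 ] &&
       sudo "$tool" -C OUTPUT -m owner --gid-owner "$GROUP" -j DROP 2>/dev/null; then
        return 0
    fi
    run sudo "$tool" -A OUTPUT -m owner --gid-owner "$GROUP" -j DROP
}

# A v4-only rule leaves IPv6 open (see the comments above), so install both.
ensure_rules() {
    ensure_drop_rule iptables
    ensure_drop_rule ip6tables
}

main() {
    if [ "$#" -eq 0 ]; then
        echo "usage: $0 COMMAND [ARG...]" >&2
        return 2
    fi
    ensure_group
    ensure_rules
    # -g changes only the primary group: same user, same HOME and config files.
    run sudo -g "$GROUP" "$@"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Rules added this way are still lost on reboot, so persist them with iptables-save/iptables-restore as the answer says.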
38

NOTE: Douane is no longer actively developed and is reported to not work in later Ubuntu versions. This solution may not work, but the answer is kept as is for historical reasons.

In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane

My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.

Have a look at the website ;-)

screen shot

Thomas Ward
  • 74,764
ZedTuX
  • 643
  • Cool! I also looked at the PPA but there is no package there despite the application being created there. Also I wonder if it could show the IP resolved to a readable site name? And, I am going to follow the compilation instructions; I saw many tips for Ubuntu dep packages there, and I will use checkinstall to create my local copy of .deb packages to easily manage upgrades (remove/install). Maybe checkinstall could be used to create your distributables too, I think. – Aquarius Power Oct 08 '14 at 04:47
  • You can open feature request on Github (https://github.com/Douane/Douane/issues) :) – ZedTuX Oct 08 '14 at 09:50
  • 2
    uh, it seems exactly what I needed!! But I can't find a package to install it on Ubuntu. – azerafati Mar 14 '16 at 14:06
  • Still not package for Ubuntu? – Anwar Apr 30 '16 at 06:05
  • Nope, no one came to me regarding Ubuntu :( – ZedTuX Apr 30 '16 at 08:23
  • @ZedTuX can you make a Ubuntu package? –  Oct 17 '16 at 12:08
  • Sorry @MarkYisri I'm not a packager but I'll be more than happy to help someone in packaging Douane in any kind of package managers. – ZedTuX Oct 17 '16 at 13:04
  • @ZedTuX give me a bit to stab this, if it's not too complicated to convert into a buildable package, I'll run some test compiles automatically on a PPA; from there if all works to your satisfaction, then you can start pointing right at that PPA. (I have several workflows for different programs, so developing an automated workflow wouldn't be a problem heh). – Thomas Ward Apr 17 '17 at 13:26
  • @ThomasWard hey nice to read! Feel free to open an issue on Github so that I can better follow your progresses. – ZedTuX Apr 18 '17 at 15:58
  • @ZedTuX I'm far from ready packages, I've got a lot of things to deal with after all heh. – Thomas Ward Apr 18 '17 at 17:46
  • @ZedTuX is Douane abandoned? The site returns a 5xx HTTP status, and on Gitlab everything (like installation docs) points to non-existent URLs on GitHub. BTW if deb is too cumbersome consider packaging to AppImage/Flatpak/Snap. – Pablo Bianchi Jan 09 '19 at 21:47
  • Hello @PabloBianchi. Sorry about those issues. I have migrated to Gitlab in a quite quick and dirty way. Also I have all my websites down 'cause I need some time to fix them all, but Douane is not abandoned, it's just that I don't have enough time (baby stuff to do ;)) but if anyone is opening PRs or issues, I'm available! Thank you for your comment and for your interest in Douane !! ;-) – ZedTuX Jan 10 '19 at 13:08
  • I fixed the broken links in the README.md file. – ZedTuX Jan 19 '19 at 11:46
  • 1
    Douaneapp.com is back ! :) – ZedTuX Feb 04 '19 at 19:17
  • Nonetheless I have to update a link on the website in order to point to Gitlab. – ZedTuX Feb 04 '19 at 19:18
  • The new website is online with all links fixed, a new "Roadmap" section and also I'm featuring the shiny new installer which automates the Douane installation with a single click (on the "Next" button ;)) – ZedTuX May 02 '20 at 12:21
  • @ZedTuX About the freeze bug, is it solved? I'm planning to install it on Ubuntu 18.04 – darksoulsong Jun 13 '20 at 12:38
  • 1
    Hey @darksoulsong, I'm still working on it, but with very little time, unfortunately. Join us on https://gitter.im/Douane/General?utm_source=share-link&utm_medium=link&utm_campaign=share-link in order to get the most up-to-date info! – ZedTuX Jun 15 '20 at 08:54
16

Another option is firejail. It runs the application inside a sandbox where you control whether the application can see the network:

firejail --net=none firefox

This command will start the Firefox browser without internet access. Note that the firejail package in the Ubuntu repo is outdated; better to download its latest LTS version from the firejail home page.

6

There is a Perl script in the German Ubuntu forum (Google-translated to English) that seems to do that. I never tried it and I didn't take a closer look at the script, but maybe it works for you. The description is in German only so you may need a translation service (like Google Translate; see above).

Sparhawk
  • 6,929
  • I will have a look at it. It's interesting and may be the right tool. Unfortunately, there's no GUI, but it shouldn't stop me :) – guerda May 25 '11 at 11:13
6

Running a program under another user will use the config files for that user and not yours.

Here is a solution that does not require modifying the firewall rules, and runs under the same user (via sudo) with a modified environment, where your user is my_user and the app you want to run is my_app:

# run app without access to internet
sudo unshare -n sudo -u my_user my_app

For more details see man unshare and this answer.

Linux GUI firewall

If you are looking for a GUI firewall I've had good results with OpenSnitch — it's not yet in ubuntu repos and I wouldn't call it production-level, but following the build steps from the github page worked for me.

ccpizza
  • 1,452
  • 17
  • 18
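A wrapper around the unshare -n form above, as an added example (not from the answer): it resolves the real user from SUDO_USER and optionally brings the new namespace's loopback up so the program can still reach local services. The WITH_LOOPBACK and DRY_RUN switches are assumptions of this example.

```shell
#!/bin/sh
# netjail: run COMMAND in a fresh network namespace (no interfaces apart from a
# loopback that starts out down), then drop back to the invoking user so the
# program sees that user's own config files. Added example, not the answer's
# code; the WITH_LOOPBACK and DRY_RUN switches are assumptions.
set -u

# With DRY_RUN=1 the command line is printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

netjail() {
    # If we were already started through sudo, SUDO_USER is the real user.
    user="${SUDO_USER:-$(id -un)}"
    if [ "${WITH_LOOPBACK:-1}" = 1 ]; then
        # unshare -n runs as root inside the new namespace; bring lo up there so
        # the program can still talk to 127.0.0.1 (a local proxy or database),
        # then exec the command as the real user. "$0" carries the user name
        # into sh -c and "$@" carries the command.
        run sudo unshare -n sh -c 'ip link set lo up; exec sudo -u "$0" "$@"' "$user" "$@"
    else
        # Plain form from the answer: not even loopback is reachable.
        run sudo unshare -n sudo -u "$user" "$@"
    fi
}

if [ "$#" -gt 0 ]; then netjail "$@"; fi
```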
5

There is already a firewall in Ubuntu, ufw, but it is disabled by default. You can enable and use it by the command line or its frontend, gufw, that is installable directly from the Ubuntu Software Centre.

If you need to block the internet access to a specific application, you can try LeopardFlower, which is still in beta version and it is not available in the Ubuntu Software Centre:

Pablo Bianchi
  • 15,657
heiko81
  • 1,915
3

@psusi: I really wish people wouldn't peddle bad and not useful information. IPTables allows one to do this, so I'd hardly consider it "foolhardy". Just saying "NO" without understanding a use case is somewhat narrow minded. http://www.debian-administration.org/article/120/Application_level_firewalling

EDIT bodhi.zazen

NOTE - THIS OPTION WAS REMOVED FROM IPTABLES IN 2005, 8 YEARS BEFORE THIS ANSWER WAS POSTED

SEE - http://www.spinics.net/lists/netfilter/msg49716.html

commit 34b4a4a624bafe089107966a6c56d2a1aca026d4
Author: Christoph Hellwig
Date:   Sun Aug 14 17:33:59 2005 -0700

[NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner

Rip out cmd/sid/pid matching since its unfixable broken and stands in the way of locking changes to tasklist_lock.

Signed-off-by: Christoph Hellwig <hch@xxxxxx>
Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Panther
  • 102,067
  • 2
    To anyone considering flagging this: This should not be a comment instead, it answers the question that was asked. @user141987 I do recommend expanding this to provide more information about how to set up iptables to implement per-application restrictions, however. I recommend including the important information in your answer (and still providing the link, for reference). – Eliah Kagan Mar 20 '13 at 13:50
  • 2
    iptables does NOT filter by application. – Panther Mar 20 '13 at 16:58
  • That article appears to be misinformation since there is no such option. The reason why requests to create such an option in the past were rejected is because it would be inherently unreliable; an application can simply change its name. – psusi Mar 21 '13 at 13:24
  • 3
    @psusi Are you saying "If your kernel was compiled with CONFIG_IP_NF_MATCH_OWNER then you can configure your iptables firewall to allow or reject packets on a per-command basis" is incorrect? Or simply that most kernels don't include the option? If this is incorrect, are there sources of information that debunk it? (Also, please note that the primary purpose of per-application firewall restrictions is not to try to make it perfectly safe to run untrusted applications. The purpose is primarily to give the user a measure of control beyond applications' built-in configuration options.) – Eliah Kagan Mar 21 '13 at 17:27
  • This option was removed from the kernel in 2005, 8 years before this answer was given - http://www.spinics.net/lists/netfilter/msg49716.html and despite claims to the contrary is inaccurate, you can NOT application filter with iptables. – Panther Jul 20 '17 at 22:49
3

I have found the solution posted here to be a good one. It involves creating a user-group for which internet access is allowed, and setting up firewall rules to allow access only for this group. The only way for an application to access the internet is if it is run by a member of this group. You can run programs under this group by opening a shell with sudo -g internet -s.

To recap what's in the post I linked above:

  1. Create the "internet" group by typing the following into a shell: sudo groupadd internet

  2. Ensure that the user who will run the script below is added to the sudo group in /etc/group. If you end up modifying this file, then you will need to log out and back in before the script below will work.

  3. Create a script containing the following, and run it:

    #!/bin/sh
    # Firewall apps - only allow apps run from the "internet" group to reach the network.
    # Note: these rules match TCP only; UDP traffic (e.g. DNS) is not filtered by them.
    
    # clear previous rules in the filter table (all chains, not just OUTPUT)
    sudo iptables -F
    
    # accept packets from processes whose group is "internet"
    sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
    
    # also allow local connections (loopback and the local /24 network)
    sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
    sudo iptables -A OUTPUT -p tcp -d 192.168.0.0/24 -j ACCEPT
    
    # reject packets for everyone else
    sudo iptables -A OUTPUT -p tcp -j REJECT
    
    # open a shell with internet access
    sudo -g internet -s
    
    
  4. By running the above script, you will have a shell in which you can run applications with internet access.

Note that this script doesn't do anything to save and restore your firewall rules. You may wish to modify the script to use the iptables-save and iptables-restore shell commands.

Mark
  • 1,469
1

For better or worse, Linux uses a different approach. There is no simple graphical interface to offer this functionality. There are many discussions on this topic on the internet and you can find interesting discussions if you google search. While debate is interesting, to date there has not been a dedicated group of programmers wanting to write and maintain this functionality.

The tools that offer this functionality in Linux are Apparmor, Selinux, and Tomoyo.

None of these tools are overly easy to learn and all have advantages and disadvantages. Personally I prefer SELinux, although SELinux has a steeper learning curve.

See:

http://www.linuxbsdos.com/2011/12/06/3-application-level-firewalls-for-linux-distributions/

There was (is) an application that has been referenced already, LeopardFlower. I am not sure of the status / maintenance.

Panther
  • 102,067
1

It was in iptables up to kernel version 2.6.24. If you are running a 2.x - 2.6.24 machine and your kernel has it compiled in, you can do it. For some reason they took it out, so no, it's not Microsoft. http://cateee.net/lkddb/web-lkddb/IP_NF_MATCH_OWNER.html

not really
  • 11
  • 1
1

Try Leopard Flower. It has a GUI and per-application restrictions.

Eliah Kagan
  • 117,780
brand
  • 11
  • 1
-1

No, it isn't possible. It also isn't part of the traditional definition of a firewall. It is something that Microsoft came up with fairly recently in an attempt to paper around their fundamentally broken OS security problems. It is considered foolhardy and unworkable in the Linux community because one program that isn't allowed can simply run another program that is and gain access that way.

If you don't like what a program is doing on the network when you run it, then don't run that program.

psusi
  • 37,551
  • 9
    Microsoft's firewall was not the first major firewall to offer this functionality. It wasn't even the first Windows firewall to offer it. BlackIce Defender, ZoneAlarm, and a variety of other software firewalls for Windows predate the introduction of the Windows Internet Connection Firewall by years. Furthermore, there is no such consensus in the Linux community. We often use AppArmor (or SELinux) to constrain the behavior of applications (and I wonder if AppArmor could be adapted to this purpose...). There's no reason it's "wrong" to want to control what apps can access the Internet. – Eliah Kagan Mar 20 '13 at 13:40
  • And, as several other answers can attest, per-application firewall restrictions are quite possible; this functionality is built into iptables/netfilter! – Eliah Kagan Mar 20 '13 at 13:46
  • No, neither netfilter nor iptables can filter per application. They can filter by user and port but not per application. – Panther Mar 20 '13 at 16:56
  • "Can simply run another"???? Then obviously the creator of such a program that doesn't block the child processes of the target program is vastly flawed. – trusktr Aug 03 '13 at 06:16