
Once upon a time, programs would ask your permission before using your resources. The idea that a program would phone home and connect to a remote host would have been appalling. Today this practice is commonplace: applications do anything from checking for the latest version to submitting tracking and usage metrics. Wouldn't it be great to have the ability to run an application or command without network access?
Thankfully, there is an easy way to do just this with Linux groups and iptables. I've written a small wrapper script that lets you easily run a command or application without network access.
Some setup required
To make the magic work, a few things must be set up first. Start by adding a nonet group and removing its password.

```bash
groupadd nonet
gpasswd -r nonet
```
Then you'll need to add an iptables rule that rejects all packets sent by processes running under that group ID. On a Debian/Ubuntu distribution this can be done with an executable script placed in /etc/network/if-pre-up.d/nonet.

```bash
#!/bin/bash
# Insert the rule only if it is not already present: if-pre-up.d runs for
# every interface that comes up, so an unconditional -I would add duplicates.
RULE="OUTPUT -m owner --gid-owner nonet -j REJECT --reject-with icmp-net-unreachable"
/sbin/iptables -C $RULE 2>/dev/null || /sbin/iptables -I $RULE
```
Wrapper script
The next step is my wrapper script. For added safety, it checks a few conditions before switching group with sg and running the command.

```bash
#!/bin/bash
# nonet - runs command with limited/no network access
# Copyright 2012 Solorvox <solorvox@epic.geek.nz>
# https://epic.geek.nz/page/2012/12/18/bad-program-no-network/
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

GROUP="nonet"

# IP address to test that group CANNOT access. If ping to this
# address is successful, then something is wrong with setup.
# Good example could be your router's external IP
TESTIP="192.168.178.1"

if [ $# -eq 0 ]; then
    echo "usage: nonet COMMAND [ARG...]"
    exit 1
fi

# Ensure we have a group first
sg $GROUP "pwd > /dev/null"
RCODE=$?
if [ $RCODE -ne 0 ]; then
    echo "ERROR: Group [$GROUP] was not found!"
    echo "Add via groupadd $GROUP; gpasswd -r $GROUP;"
    exit 1
fi

# test networking to ensure firewall is working before running command
# you could put an external host such as google.com, but this will be faster
# (-W 2 caps the wait so a silently dropped probe cannot hang the wrapper)
sg $GROUP "ping -c 1 -W 2 $TESTIP > /dev/null 2>&1"
RCODE=$?
if [ $RCODE -eq 0 ]; then
    echo "ERROR: Network access to [$TESTIP] detected!"
    echo ""
    echo "Ensure the firewall rule is set up. Add a script to /etc/network/if-pre-up.d/$GROUP"
    echo "/sbin/iptables -I OUTPUT -m owner --gid-owner $GROUP -d \\! <allowed_subnet>/24 -j REJECT --reject-with icmp-net-unreachable "
    exit 1
fi

# sg hands the command to /bin/sh as one string, so every argument after the
# program name is single-quoted (embedded quotes escaped) to survive spaces,
# quotes, $ and backticks intact.
COMMAND="$1"
shift
for arg; do
    COMMAND="$COMMAND '${arg//\'/\'\\\'\'}'"
done

sg $GROUP "$COMMAND"
```
Download: nonet
Download and install the above script somewhere in your PATH, $HOME/bin for example, and make sure you chmod +x nonet first. You're then ready to run commands:

```bash
nonet ping www.google.com
nonet firefox
nonet wine somefile.exe
```
All child processes of the wrapped command inherit the nonet group ID and therefore have no network access. This method can be extended to other permission profiles by using more groups.
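The wrapper's ping test only proves that one ICMP probe to one IPv4 address was rejected. Two things it cannot tell you are whether the rule is present in the IPv6 tables (iptables programs IPv4 only, so the same rule must also be loaded with ip6tables or processes in the group keep full IPv6 access) and whether a catch-all ACCEPT rule placed above it shadows it. The following audit is an added example, not part of the original post or the nonet script: it parses the `iptables -S OUTPUT` / `ip6tables -S OUTPUT` listings, which print the gid numerically, and reports which address families lack an effective rule. The listings and the gid 1001 are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): audit the OUTPUT chain listings
# for the owner-match REJECT rule that the nonet setup installs, for IPv4 and
# IPv6. `iptables -S` prints the gid as a number, so callers pass the number.

# Constructed sample listings standing in for `iptables -S OUTPUT` and
# `ip6tables -S OUTPUT` on a host where only the IPv4 rule was installed
# and the nonet group has gid 1001 (both values are made up for the example).
SAMPLE_V4='-P OUTPUT ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j REJECT --reject-with icmp-net-unreachable
-A OUTPUT -o lo -j ACCEPT'
SAMPLE_V6='-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT'

# has_gid_reject LISTING GID: succeed if a REJECT rule for GID appears in
# LISTING before any catch-all ACCEPT (rules are matched top to bottom, so an
# earlier "-A OUTPUT -j ACCEPT" makes the REJECT unreachable).
has_gid_reject() {
    printf '%s\n' "$1" | awk -v gid="$2" '
        index($0, " --gid-owner " gid " -j REJECT") { found = 1; exit }
        $0 == "-A OUTPUT -j ACCEPT"                  { exit }
        END { exit found ? 0 : 1 }'
}

# audit_nonet GID V4_LISTING V6_LISTING: print "ok" when both families carry
# an effective rule, otherwise "missing:" followed by the families that lack it.
audit_nonet() {
    missing=""
    has_gid_reject "$2" "$1" || missing="$missing ipv4"
    has_gid_reject "$3" "$1" || missing="$missing ipv6"
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# On a live host (as root) you would feed it the real listings:
#   gid=$(getent group nonet | cut -d: -f3)
#   audit_nonet "$gid" "$(iptables -S OUTPUT)" "$(ip6tables -S OUTPUT)"
# With the constructed samples above this prints "missing: ipv6".
audit_nonet 1001 "$SAMPLE_V4" "$SAMPLE_V6"
```

The fix for the reported gap is the same rule loaded through ip6tables (with `--reject-with icmp6-adm-prohibited` or another ICMPv6 reject type in place of the IPv4 one), placed in the same if-pre-up.d script.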
LAN/Localhost only
This is an example of using the above method to allow access to localhost and the local area network only, for cases where an application needs to reach, say, a local server but must not talk to the outside world. The script goes in /etc/network/if-pre-up.d/lanonly.

```bash
#!/bin/bash
GROUP="lanonly"
LAN="10.0.0.0/24"          # adjust to your local subnet
LOCALHOST="127.0.0.0/8"
IPTABLES=/sbin/iptables

# Create the chain, or flush it if an earlier interface-up already created it,
# so re-running this script does not stack duplicate rules.
$IPTABLES -N $GROUP 2>/dev/null || $IPTABLES -F $GROUP

# route all traffic from programs with group id to the new chain
$IPTABLES -C OUTPUT -m owner --gid-owner $GROUP -j $GROUP 2>/dev/null ||
    $IPTABLES -I OUTPUT -m owner --gid-owner $GROUP -j $GROUP

# allow LAN subnet and localhost
$IPTABLES -A $GROUP -d $LAN -j ACCEPT
$IPTABLES -A $GROUP -d $LOCALHOST -j ACCEPT

# anything past this point will be rejected
$IPTABLES -A $GROUP -j REJECT --reject-with icmp-net-unreachable
```
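Before loading the lanonly chain it helps to know exactly which destinations its rule order admits, especially because the LAN variable is a /24: a host on 10.0.1.x would be rejected even though it is "on the 10 network". The script below is an added example, not part of the original post; it implements IPv4 CIDR matching in plain shell arithmetic and walks the chain's rules in the order the lanonly script appends them (first match wins, the final REJECT catches the rest). The CIDRs are copied from the lanonly script and the destination addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate the lanonly chain's
# policy offline so you can see what a lanonly process may reach before the
# rules are loaded. CIDRs mirror the lanonly script; adjust LAN for your network.
LAN="10.0.0.0/24"
LOCALHOST="127.0.0.0/8"

# ip2int A.B.C.D: print the dotted-quad address as a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET/BITS: succeed if IP lies inside the prefix, i.e. the two
# addresses agree on the top BITS bits (this is the test iptables -d performs).
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0                # /0 matches everything
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# lanonly_verdict IP: ACCEPT or REJECT, as the chain decides for a packet to IP
# from a process in the lanonly group. Rule order is the script's append order.
lanonly_verdict() {
    for cidr in "$LAN" "$LOCALHOST"; do
        if in_cidr "$1" "$cidr"; then echo ACCEPT; return 0; fi
    done
    echo REJECT                                  # the chain's final rule
}

# Constructed destinations. 10.0.1.5 is rejected: LAN is a /24, a common
# surprise when the real network is wider than the rule allows.
for dst in 10.0.0.5 127.0.0.1 10.0.1.5 8.8.8.8; do
    printf '%-12s %s\n' "$dst" "$(lanonly_verdict "$dst")"
done
```

If your network is larger than a /24, widen LAN (for example to 10.0.0.0/16) in both the lanonly script and this check, and re-run the check to confirm the hosts you need now show ACCEPT while public addresses still show REJECT.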