Bad program – no network


Once upon a time programs would ask your permission before using your resources.  The idea that a program would phone home and connect to a remote host would have been appalling.  Today the practice is commonplace: applications do anything from checking for the latest version to submitting tracking and usage metrics.  Wouldn’t it be great to be able to run an application or command without network access?

Thankfully, there is an easy way to do just this with Linux groups and iptables.  I’ve written a small wrapper script that lets you run a command or application without network access.

Some setup required

To make the magic work, a few things must be set up first.  Start by adding a nonet group and removing its group password.

Then you’ll need an iptables rule that rejects all outgoing packets from processes running under that group id.  If you’re running a Debian/Ubuntu distribution this can be accomplished with a script placed in /etc/network/if-pre-up.d/nonet, so the rule is reapplied before each interface is brought up.
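The setup the two paragraphs above describe, as an added example (this is not the post's own setup, whose exact commands are not reproduced here): a script that creates the group, removes its group password and installs the owner-match REJECT rule, written so that the same file can be dropped into /etc/network/if-pre-up.d/ and rerun safely. It goes beyond the text in two ways: it installs the matching ip6tables rule, and it includes the lanonly variant the post sketches at the end. The group names, the LAN prefixes and making $SUDO_USER a member of the groups are this example's assumptions.

```shell
#!/bin/sh
# nonet-setup: create the nonet (and lanonly) groups and install the
# owner-match rules that make them useful. Added example, not the post's
# own setup script. Assumed: the group names, that the invoking user
# ($SUDO_USER) becomes a member so sg will let them switch into the group,
# and the LAN prefixes used by the lanonly rules.
#
#   sudo ./nonet-setup install     # one-time: groups + rules
#   ./nonet-setup show             # print the rules without applying them
#
# Copied to /etc/network/if-pre-up.d/nonet it also works as an ifupdown hook:
# hooks run with no arguments but with IFACE set, and then only reapply the
# rules, which is safe to repeat because add_rule checks before appending.
set -u

NONET_GROUP=${NONET_GROUP:-nonet}
LANONLY_GROUP=${LANONLY_GROUP:-lanonly}
LAN4=${LAN4:-192.168.0.0/16}   # assumed site-local IPv4 prefix
LAN6=${LAN6:-fc00::/7}          # assumed IPv6 ULA prefix

# Rule specs for nonet, one "<tool> <rule>" line each. The owner match only
# sees locally generated packets, so the rule lives in the filter table's
# OUTPUT chain; the same rule is needed in ip6tables or IPv6 slips through.
nonet_rule_specs() {
    for ipt in iptables ip6tables; do
        printf '%s OUTPUT -m owner --gid-owner %s -j REJECT\n' "$ipt" "$NONET_GROUP"
    done
}

# Rule specs for lanonly: loopback and the LAN prefix are accepted, anything
# else from that group is rejected. The ACCEPTs must precede the REJECT in
# the chain, which appending them in this order guarantees.
lanonly_rule_specs() {
    printf 'iptables OUTPUT -o lo -m owner --gid-owner %s -j ACCEPT\n' "$LANONLY_GROUP"
    printf 'iptables OUTPUT -d %s -m owner --gid-owner %s -j ACCEPT\n' "$LAN4" "$LANONLY_GROUP"
    printf 'iptables OUTPUT -m owner --gid-owner %s -j REJECT\n' "$LANONLY_GROUP"
    printf 'ip6tables OUTPUT -o lo -m owner --gid-owner %s -j ACCEPT\n' "$LANONLY_GROUP"
    printf 'ip6tables OUTPUT -d %s -m owner --gid-owner %s -j ACCEPT\n' "$LAN6" "$LANONLY_GROUP"
    printf 'ip6tables OUTPUT -m owner --gid-owner %s -j REJECT\n' "$LANONLY_GROUP"
}

# $1 = iptables or ip6tables, the rest = rule spec. Append only when the
# identical rule is not already present (-C), so repeated runs (one per
# interface under ifupdown) do not stack duplicate rules.
add_rule() {
    tool=$1; shift
    if ! "$tool" -C "$@" 2>/dev/null; then
        "$tool" -A "$@"
    fi
}

install_rules() {
    { nonet_rule_specs; lanonly_rule_specs; } | while read -r tool spec; do
        # shellcheck disable=SC2086  # the spec is meant to be word-split
        add_rule "$tool" $spec
    done
}

# Create the group if missing, remove its group password (so only members can
# sg into it) and make the invoking user a member.
ensure_group() {
    getent group "$1" >/dev/null || groupadd "$1"
    gpasswd -r "$1"
    [ -z "${SUDO_USER:-}" ] || gpasswd -a "$SUDO_USER" "$1"
}

case "${1:-}" in
    install)
        [ "$(id -u)" -eq 0 ] || { echo 'install must run as root' >&2; exit 1; }
        ensure_group "$NONET_GROUP"
        ensure_group "$LANONLY_GROUP"
        install_rules
        ;;
    show)
        { nonet_rule_specs; lanonly_rule_specs; } | while read -r tool spec; do
            printf '%s -A %s\n' "$tool" "$spec"
        done
        ;;
    "")
        if [ -n "${IFACE:-}" ]; then
            install_rules            # running as an ifupdown hook
        else
            echo 'usage: nonet-setup {install|show}' >&2
        fi
        ;;
    *)
        echo 'usage: nonet-setup {install|show}' >&2
        exit 1
        ;;
esac
```

Two details worth knowing before relying on it: the owner match can only be used in the OUTPUT (and POSTROUTING) chains because it needs a local socket owner, and REJECT rather than DROP is what makes a sandboxed program fail immediately instead of hanging on its timeouts.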

Wrapper script

The next step is my wrapper script.  For added safety, the script checks a few conditions before switching group with sg.

Download: nonet

Download the script and install it somewhere in your PATH, $HOME/bin for example, and make sure you chmod +x nonet first.  You’re then ready to run commands.

All child processes of the wrapped command inherit the nonet group and therefore have no network access.  The method can be extended to additional permission levels by using more groups.  A lanonly group, for example, might allow access to the LAN and localhost but reject any Internet-bound traffic.
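An added wrapper in the spirit of the post's nonet script (this is not the author's script, which is only available through the download link above): it checks that the group exists, that the caller may switch into it, and that a REJECT rule for it is actually loaded, and then execs sg. The three checks, the NONET_GROUP override (which lets the same wrapper drive a lanonly group) and the quoting helper are this example's choices, not something the post describes.

```shell
#!/bin/sh
# nonet: run COMMAND with its primary group switched to the nonet group, so
# that the owner-match REJECT rule in the OUTPUT chain applies to it and to
# every process it spawns. Added example, not the post's own script; the
# three checks, the NONET_GROUP override and the quoting helper are this
# example's choices.
#
#   nonet curl https://example.com                # connection rejected
#   NONET_GROUP=lanonly nonet ssh 192.168.1.10    # with a lanonly rule set
set -u

NONET_GROUP=${NONET_GROUP:-nonet}

usage() {
    printf 'usage: %s command [args...]\n' "${0##*/}" >&2
}

# Quote one argument so that /bin/sh -c re-reads it as exactly one word:
# wrap it in single quotes and turn every embedded ' into '\''.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Join the arguments into the single string that "sg GROUP -c STRING" hands
# to a shell; without the quoting, an argument such as "it's a test" or
# '$HOME' would be re-split or expanded by that shell.
build_cmd() {
    cmd=
    for arg in "$@"; do
        cmd="$cmd$(shell_quote "$arg") "
    done
    printf '%s' "${cmd% }"
}

# Check 1: the group exists.
check_group() {
    getent group "$NONET_GROUP" >/dev/null
}

# Check 2: the caller may switch into it. sg admits root and group members;
# a non-member would be asked for the group password that setup removed.
check_membership() {
    [ "$(id -u)" -eq 0 ] && return 0
    id -nG | tr ' ' '\n' | grep -qx "$NONET_GROUP"
}

# Check 3: a REJECT rule for the group is actually loaded; without it the
# command would run with full network access while looking sandboxed.
# iptables -S prints the gid numerically, so compare against the number.
# Listing rules needs CAP_NET_ADMIN; if the tables cannot be read, say so
# and carry on (only the IPv4 table is checked here).
check_rule() {
    gid=$(getent group "$NONET_GROUP" | cut -d: -f3)
    if ! iptables -S OUTPUT >/dev/null 2>&1; then
        printf 'nonet: cannot read iptables rules as this user, skipping the rule check\n' >&2
        return 0
    fi
    iptables -S OUTPUT | grep -q -- "--gid-owner $gid .*-j REJECT"
}

main() {
    check_group || {
        printf 'nonet: group %s does not exist\n' "$NONET_GROUP" >&2; exit 1; }
    check_membership || {
        printf 'nonet: %s is not a member of %s\n' "$(id -un)" "$NONET_GROUP" >&2; exit 1; }
    check_rule || {
        printf 'nonet: no REJECT rule for group %s is loaded, refusing to run\n' "$NONET_GROUP" >&2; exit 1; }
    # exec: the command replaces this shell, so its exit status becomes ours.
    exec sg "$NONET_GROUP" -c "$(build_cmd "$@")"
}

if [ "$#" -gt 0 ]; then
    main "$@"
else
    usage
fi
```

Two things to keep in mind when using a wrapper like this. The owner match compares the socket owner's primary (effective) GID, so merely being a member of nonet does not cut a user's normal sessions off; it is the sg in the wrapper that moves the primary group, and every child inherits it. The boundary is a group ID, not a network namespace: anything that changes credentials (sudo, a setuid or setgid helper) or that reaches the network through another already-running process (a daemon spoken to over a local socket, an existing browser instance) is outside it.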
