Bad program – no network


Once upon a time programs would ask your permission before using your resources.  The idea that a program would phone home and connect to a remote host would have been appalling.  Today this practice is commonplace.  Applications do anything from checking for the latest version to submitting tracking and usage metrics.  Wouldn’t it be great to have the ability to run an application or command without network access?

Thankfully, there is an easy way to do just this with Linux groups and iptables.  I’ve written a small wrapper script that lets you run a command or application without network access.

Some setup required

To make the magic work, a few things must be set up first.  Start by adding a nonet group and removing its password.

Then you’ll need to add an iptables rule to reject all packets sent by that group id. If you’re running a Debian/Ubuntu distribution this can be accomplished via a script placed in /etc/network/if-pre-up.d/nonet, so the rule is loaded before the interface comes up.

Wrapper script

The next step is my wrapper script.  For added safety, the script checks a few conditions before switching group.

Download: nonet

Download and install the above script in your path, $HOME/bin for example.  Make sure you chmod +x nonet first.  You’re then ready to run commands.

All child processes of the wrapped command inherit the nonet group and therefore have no internet access.  This method can be extended to additional permission levels by using more groups.


LAN/Localhost only

This is an example of using the above method to allow localhost and local area network access only.  Use it where you want an application to reach, say, a local server but not talk to the outside world.  The script goes in /etc/network/if-pre-up.d/lanonly.
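The whole setup in one place, as an added example written for this post rather than the author's own nonet script: it prints the iptables rules for both the nonet mode and the LAN-only mode above, and wraps sg with fail-closed checks before switching group. The group names nonet and lanonly come from the post; the LAN prefix 192.168.0.0/16 and the IPv6 link-local allowance are assumptions to adjust for your network.

```shell
#!/bin/sh
# Added example, not the author's nonet script. Group names "nonet" and
# "lanonly" follow the post; LAN_CIDR is a constructed value to adjust.
NONET_GROUP="nonet"
LANONLY_GROUP="lanonly"
LAN_CIDR="192.168.0.0/16"
# Print the OUTPUT-chain rules for a mode. "nonet" rejects everything the
# group sends; "lanonly" first accepts loopback and the LAN prefix.
# Both iptables and ip6tables get rules: an IPv4-only rule set leaves
# IPv6 wide open on a dual-stack host.
build_rules() {
    mode="$1"
    for tool in iptables ip6tables; do
        case "$mode" in
        nonet)
            echo "$tool -A OUTPUT -m owner --gid-owner $NONET_GROUP -j REJECT" ;;
        lanonly)
            echo "$tool -A OUTPUT -m owner --gid-owner $LANONLY_GROUP -o lo -j ACCEPT"
            if [ "$tool" = iptables ]; then
                echo "$tool -A OUTPUT -m owner --gid-owner $LANONLY_GROUP -d $LAN_CIDR -j ACCEPT"
            else
                echo "$tool -A OUTPUT -m owner --gid-owner $LANONLY_GROUP -d fe80::/10 -j ACCEPT"
            fi
            echo "$tool -A OUTPUT -m owner --gid-owner $LANONLY_GROUP -j REJECT" ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1 ;;
        esac
    done
}
# Fail closed: refuse to run unless the group exists and a loaded OUTPUT rule
# names it (iptables -S prints the numeric gid; reading the table needs root).
preflight() {
    group="$1"
    gid=$(getent group "$group" | cut -d: -f3)
    [ -n "$gid" ] || { echo "group $group does not exist" >&2; return 1; }
    iptables -S OUTPUT 2>/dev/null | grep -Eq -- "--gid-owner ($group|$gid)( |$)" \
        || { echo "no OUTPUT rule for $group loaded" >&2; return 1; }
}
# Switch effective gid with sg and run the command; children inherit the gid.
run_as_group() {
    group="$1"; shift
    preflight "$group" || return 1
    sg "$group" -c "$*"
}
if [ $# -gt 0 ]; then
    run_as_group "$NONET_GROUP" "$@"
fi
```

Run `build_rules nonet` or `build_rules lanonly` as root (via sudo) to apply the printed rules, then `./script some-command` to run the command with no network.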

