Once upon a time programs would ask your permission before using your resources. The idea that a program would phone home and connect to a remote host would have been appalling. Today this practice is commonplace. Applications do anything from just checking for the latest version to submitting tracking and usage metrics. Wouldn’t it be great to have the ability to run an application or command without network access?
Thankfully, there is an easy way to do just this with Linux groups and iptables. I’ve written a small wrapper script that lets you easily run a command or application without network access.
Some setup required
To make the magic work, a few things must be set up first. Start by adding a nonet group (groupadd nonet) and removing its group password:
gpasswd -r nonet
Then you’ll need to add an iptables rule that rejects all outgoing packets owned by that group id. If you’re running a Debian/Ubuntu distribution this can be accomplished via a script placed in /etc/network/if-pre-up.d/nonet, so the rule is reinstated every time the network comes up:
/sbin/iptables -I OUTPUT -m owner --gid-owner nonet -j REJECT --reject-with icmp-net-unreachable
The next step is my wrapper script. For added safety, the script checks a few conditions (that the group exists and that the firewall rule really blocks it) before switching group and running the command.
#!/bin/sh
# nonet - runs command without network access
# Copyright 2012 Solorvox on //epic.geek.nz/
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <//www.gnu.org/licenses/>.

# group whose traffic the iptables OUTPUT rule rejects
GROUP=nonet

# Ensure we have a nonet group first
sg $GROUP "pwd > /dev/null"
RCODE=$?
if [ $RCODE -ne 0 ]; then
    echo "ERROR: Group [$GROUP] not found!"
    echo "Add via groupadd $GROUP; gpasswd -r $GROUP"
    exit 1
fi

# test networking to ensure firewall is working before running command
# you could put an external host such as www.google.com, but this will be faster
sg $GROUP "ping -c 1 127.0.0.1 > /dev/null 2>&1"
RCODE=$?
if [ $RCODE -eq 0 ]; then
    echo "ERROR: Network access detected!"
    echo "Add a script to /etc/network/if-pre-up.d/$GROUP"
    echo "/sbin/iptables -I OUTPUT -m owner --gid-owner $GROUP -j REJECT --reject-with icmp-net-unreachable "
    exit 1
fi

# rebuild the command line, quoting each argument so spaces survive the
# trip through sg (arguments containing single quotes are not handled)
COMMAND=""
for arg; do
    COMMAND="$COMMAND '$arg'"
done

# run the command with nonet as the active group id
sg $GROUP "$COMMAND"
Download and install the above script in your path, $HOME/bin for example. Make sure you chmod +x nonet first. You’re then ready to run commands.
nonet ping www.google.com
nonet wine somefile.exe
All child processes of the command inherit the nonet group and therefore have no internet access. This method can be extended to finer-grained permissions by using more groups. For example, a lanonly group might be allowed access to the LAN and localhost but have any internet-bound traffic rejected.
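As an added example (not the blog's own script), here is a shell helper that extends the approach to the lanonly group mentioned above: it generates the OUTPUT rules that allow loopback and LAN destinations for a group and reject everything else, can apply them, and offers the same self-test the wrapper performs. The function names and the lanonly group are assumptions.

```shell
#!/bin/sh
# Added example, not the blog's script: generate (and optionally apply) the
# OUTPUT rules for a "lanonly" group that may reach loopback and the LAN but
# nothing else. Function names and the lanonly group are hypothetical.

# lanonly_rules GROUP CIDR...  prints one iptables command per line.
# Every rule uses -I (insert at the top of OUTPUT), so the REJECT is
# emitted first and the ACCEPTs after it: each later -I lands above the
# earlier rules, which leaves all ACCEPTs ahead of the REJECT once applied.
# Emitting them the other way round would put the REJECT on top and block
# the LAN as well.
lanonly_rules() {
    group="$1"; shift
    printf '%s\n' "/sbin/iptables -I OUTPUT -m owner --gid-owner $group -j REJECT --reject-with icmp-net-unreachable"
    for cidr in "$@"; do
        printf '%s\n' "/sbin/iptables -I OUTPUT -m owner --gid-owner $group -d $cidr -j ACCEPT"
    done
}

# apply_rules GROUP CIDR...  executes the generated commands; needs root.
# Call it from a script in /etc/network/if-pre-up.d/ so the rules come back
# after a reboot, exactly as the nonet rule does.
apply_rules() {
    lanonly_rules "$@" | sh -e
}

# group_blocked GROUP HOST  returns 0 when a process running under GROUP
# cannot ping HOST; the same self-test the nonet wrapper runs before the
# command. For lanonly, test with an address outside the allowed ranges.
group_blocked() {
    ! sg "$1" "ping -c 1 -W 1 $2 > /dev/null 2>&1"
}

# Rules for a lanonly group limited to localhost and the RFC 1918 ranges:
# lanonly_rules lanonly 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
```

Run lanonly_rules first to review the exact commands, then apply_rules as root once the group exists.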