# nonet - runs command with limited/no network access
# Copyright 2012 Solorvox <email@example.com>
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# IP address that the group must NOT be able to reach. If a ping to this
# address succeeds, something is wrong with the setup.
# A good example would be your router's external IP.
# Ensure we have a group first.
# sg hands the quoted string to a shell, so $GROUP and $TESTIP must stay
# under the script's control (no shell metacharacters); $GROUP is also
# unquoted here and would word-split if it ever contained whitespace.
sg $GROUP "pwd > /dev/null"
# NOTE(review): $RCODE is never assigned in this excerpt; presumably
# RCODE=$? follows each sg call on a line not shown here — confirm.
if [ $RCODE -ne 0 ]; then
# NOTE(review): these diagnostics go to stdout; >&2 would be conventional.
echo "ERROR: Group [$GROUP] was not found!"
# NOTE(review): gpasswd -r removes the group password; the invoking user
# presumably also has to be a member (gpasswd -a USER GROUP) for sg to
# switch group without prompting — verify against sg's behaviour.
echo "Add via groupadd $GROUP; gpasswd -r $GROUP;"
# NOTE(review): the closing fi (and, presumably, an exit) for this branch
# is not present in this excerpt.
# Test networking to ensure the firewall is working before running the
# command. You could use an external host such as google.com as $TESTIP,
# but a nearby address answers (or is rejected) faster.
# This only proves that a single ICMP echo to $TESTIP is blocked for the
# group; it says nothing about other protocols or, if the iptables hint
# below is the only rule, about IPv6 — a matching ip6tables rule would
# presumably be needed as well (verify on the target host).
sg $GROUP "ping -c 1 $TESTIP > /dev/null 2>&1"
# A successful ping means the group still has network access, i.e. the
# gid-owner rule is not in effect.
if [ $RCODE -eq 0 ]; then
echo "ERROR: Network access to [$TESTIP] detected!"
echo "Ensure you have setup program. Add a script to /etc/network/if-pre-up.d/$GROUP"
# The doubled backslash prints as a single backslash so that the "!" in the
# pasted command is not history-expanded in an interactive shell.
echo "/sbin/iptables -I OUTPUT -m owner --gid-owner $GROUP -d \\! <allowed_subnet>/24 -j REJECT --reject-with icmp-net-unreachable "
# NOTE(review): the closing fi for this branch is not present in this excerpt.
# Run the command under the restricted group. $COMMAND is passed to sg as a
# single string and re-parsed by sg's shell, so argument boundaries and
# shell metacharacters in the original arguments are not preserved. How
# $COMMAND is assembled from "$arg" is not visible here, and the loop body
# and its closing done are cut off at the end of this excerpt.
for arg; do
sg $GROUP "$COMMAND"