Ubuntu – How to block internet access for an application


I'm searching for a way to run an application while preventing it from accessing the internet, possibly without installing a specific program to do this. Most of the answers I've found refer to THIS post, so I tried that solution. In short, I created a no-internet group (with a related ni command) and I launch the application using this group. But that does not work completely, probably because the post is from 2009 and something in iptables has changed (I'm using Ubuntu 14.04). For example, if I run ni "ping google.com" the output is ping: sendmsg: Operation not permitted, so the solution works great. But with other programs, like Firefox or wget (e.g. ni firefox), the internet connection still works. How can I solve this?

Best Answer

You can use AppArmor to deny network traffic for an application. First you must install apparmor and apparmor-utils:

sudo apt-get install apparmor*

After that you can generate a profile for your application:

sudo aa-genprof /usr/bin/chromium-browser

The next step is to change the Networking part of the profile to:

sudo nano /etc/apparmor.d/usr.bin.chromium-browser

audit deny network,
audit deny network inet stream,
deny network inet6 stream,
deny @{PROC}/[0-9]*/net/if_inet6 r,
deny @{PROC}/[0-9]*/net/ipv6_route r,
deny capability net_raw,

Next, check the config with apparmor_parser and reload it:

sudo apparmor_parser -r /etc/apparmor.d/usr.bin.chromium-browser

Change the mode from complain to enforce, i.e. turn on AppArmor for this app:

sudo aa-enforce /etc/apparmor.d/usr.bin.chromium-browser

You can find more documentation here, here and here.
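The same procedure as a script, added here as an illustration and not part of the original answer. The helper names (profile_name, no_net_profile, install_no_net_profile) are my own; the profile layout, the /etc/apparmor.d path, the tunables/abstractions includes and the apparmor_parser / aa-enforce commands are standard AppArmor tooling. The network deny rules are the ones from the answer above; the file rules an application needs to run are still best generated with aa-genprof or aa-logprof, which this skeleton does not replace.

```shell
#!/bin/sh
# Added example (not from the original answer): build an AppArmor profile
# that denies all network access for one executable, then load it enforced.

# AppArmor names profile files after the binary path with '/' turned into '.',
# e.g. /usr/bin/wget -> usr.bin.wget (assumption: this naming convention).
profile_name() {
    printf '%s\n' "$1" | sed 's#^/##; s#/#.#g'
}

# Print a profile skeleton for the executable path in $1. Everything not
# explicitly allowed is denied, so real use needs the file/library rules
# that aa-genprof or aa-logprof would add; the deny rules below take
# precedence over any allow rule that an abstraction might bring in.
no_net_profile() {
    exe="$1"
    cat <<EOF
#include <tunables/global>

$exe {
  #include <abstractions/base>

  $exe mr,

  # Network rules from the answer: log and deny every socket family,
  # the IPv6 views under /proc, and raw sockets (ping needs net_raw).
  audit deny network,
  deny network inet stream,
  deny network inet6 stream,
  deny @{PROC}/[0-9]*/net/if_inet6 r,
  deny @{PROC}/[0-9]*/net/ipv6_route r,
  deny capability net_raw,
}
EOF
}

# Write the profile, load it into the kernel, and switch it to enforce mode.
# Must run as root; on a machine without AppArmor this simply fails.
install_no_net_profile() {
    exe="$1"
    target="/etc/apparmor.d/$(profile_name "$exe")"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    no_net_profile "$exe" > "$target" || return 1
    apparmor_parser -r "$target" || return 1   # parse + (re)load
    aa-enforce "$target"                       # complain -> enforce
}

# Usage: sh nonet.sh install /usr/bin/wget   (prints the profile otherwise)
case "${1:-}" in
    install) install_no_net_profile "$2" ;;
    "")      ;;
    *)       no_net_profile "$1" ;;
esac
```

After installing, confirm with `sudo aa-status` that the profile is listed under enforce mode; a blocked connection then shows up in `/var/log/syslog` (or the kernel log) as an `apparmor="DENIED"` line with `operation="create"` and the socket family, which is the signal to watch for rather than the application's own error message.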
