Is it possible to block the (outgoing) network access of a single process?
Linux – How to Block Network Access of a Process
iptables, linux, networking, process
Related Solutions
Use an iptables rule to block outbound traffic for a specific user:
This way you even have full control over ranges of IPs that get through (for instance, only allow the LAN address block). It's probably useful also to block only specific ports. However... if you allow ssh, a savvy user will set up a tunnel and get out of the firewall. If you allow ssh to local machines, this firewall will have to be set up on all machines the user can access; otherwise, you can just tunnel to the nearest unrestricted machine and access the web from there.
It all depends on what kind of users you have. If the user must be able to use ssh, and you really want to block him out, then you have a problem. If it's meant for non-tech users without ssh knowledge, just block all outbound traffic and close ssh ports.
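The per-user rule this answer refers to, written out as an added example that is not part of the original post: a POSIX shell script that confines one account's outbound traffic to loopback and a LAN prefix using the iptables owner match, keeping the rules in a dedicated chain so they can be removed as a unit. It assumes iptables with the xt_owner match; the account name and LAN prefix are caller-supplied, and DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original answer): per-user egress restriction with
# the iptables owner match. Assumes iptables with the xt_owner extension; the user
# and LAN prefix are supplied by the caller. Run as root, or with DRY_RUN=1 to preview.
set -eu

# Run iptables, or only print the command when DRY_RUN=1 (review before applying).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Confine the account's outbound packets to loopback and one LAN prefix; everything
# else is rejected, so the sender gets an immediate error rather than a timeout.
# The owner match only exists for locally generated traffic, i.e. in the OUTPUT
# (and POSTROUTING) chains, which is exactly where per-user egress control belongs.
# All rules live in a chain named after the uid so they can be removed together.
block_user_egress() {
    user=$1
    lan=$2
    uid=$(id -u "$user")
    chain="EGRESS_$uid"
    ipt -N "$chain"
    ipt -A "$chain" -o lo -j ACCEPT
    # The LAN exception also admits ssh to LAN hosts; as the answer warns, narrow
    # the prefix or add -p tcp --dport matches if those hosts can reach the Internet.
    ipt -A "$chain" -d "$lan" -j ACCEPT
    ipt -A "$chain" -j REJECT
    # Insert at position 1 so a blanket ACCEPT lower in OUTPUT cannot win first.
    ipt -I OUTPUT 1 -m owner --uid-owner "$uid" -j "$chain"
}

# Remove the jump first (so the chain is unreferenced), then empty and delete it.
unblock_user_egress() {
    uid=$(id -u "$1")
    chain="EGRESS_$uid"
    ipt -D OUTPUT -m owner --uid-owner "$uid" -j "$chain"
    ipt -F "$chain"
    ipt -X "$chain"
}

# Usage (as root):
#   ./egress_user.sh block   alice 192.168.1.0/24
#   ./egress_user.sh unblock alice
case "${1:-}" in
    block)   block_user_egress "$2" "$3" ;;
    unblock) unblock_user_egress "$2" ;;
esac
```

Because the match keys on the socket owner's uid, it covers every program that account runs, including ssh; that is why the answer's warning about tunnelling through an allowed LAN host still applies to the `-d "$lan"` exception.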
Filtering with IPTABLES
This can be accomplished by creating a set of rules for allowed traffic and dropping the rest.
For the OUTPUT chain, create rules to accept loopback traffic and traffic to the 192.168.1.0/24 network. The default action is applied when no rules are matched; set it to REJECT.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
iptables -P OUTPUT DROP
# A built-in chain policy can only be ACCEPT or DROP ("iptables -P OUTPUT REJECT" is refused);
# to reject instead of silently dropping, append a final rule: iptables -A OUTPUT -j REJECT
For the INPUT chain, you can create similar rules. Allow traffic from loopback and the local network, drop the rest.
You can match established traffic (reply traffic to connections initiated by your host) with a single rule using -m conntrack --ctstate ESTABLISHED. This way you do not need to alter the chain when you want to enable Internet access. This works when you do not run any programs/daemons expecting connections from outside of your local network.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
If you need to allow connections initiated outside of your local network, you need to configure the INPUT chain in the same way as the OUTPUT chain and use a similar mechanism to apply
To allow unrestricted network access (WAN access), change the default action to ACCEPT. To put the limits back, change the default action back to REJECT. The same effect is achieved by adding/removing -j ACCEPT as the last rule.
iptables -P OUTPUT ACCEPT
You can also use the iptables time module to accept traffic at a specific time of day, in which case you do not need to use cron. For example, to allow any outgoing traffic between 12:00 and 13:00, use the following rule:
iptables -A OUTPUT -m time --timestart 12:00 --timestop 13:00 -j ACCEPT
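The allowlist, the on/off switch and the time window from this answer, as an added example that is not the answer's own code: a POSIX shell script that applies the loopback/LAN rules for both chains, tightens the default policies only after the accept rules are in place (so an ssh session from the LAN survives the change), uses DROP as the built-in policy plus an explicit final REJECT rule on OUTPUT, and keeps the Internet-access rules in their own chain so they can be added and removed idempotently with an iptables -C check. It assumes iptables with the conntrack and time matches; the LAN prefix and window are caller-supplied, and DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not the answer's own code): the loopback/LAN allowlist as a script.
# Assumes iptables with the conntrack and time matches; the LAN prefix and the time
# window are supplied by the caller. Run as root, or with DRY_RUN=1 to preview.
set -eu

# Run iptables, or only print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# True when the rule already exists (iptables -C); never true in dry-run mode.
rule_present() {
    [ "${DRY_RUN:-0}" = 1 ] && return 1
    iptables -C "$@" 2>/dev/null
}

# Apply the allowlist. Order matters: accept rules first, default policy last, so a
# mistake part-way through cannot lock out a LAN ssh session. A built-in chain
# policy may only be ACCEPT or DROP, so OUTPUT gets DROP as its policy and an
# explicit final REJECT rule for the immediate error the answer asks for.
apply_allowlist() {
    lan=$1
    ipt -N WAN_ACCESS                  # holds the on/off and time-window rules
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -d "$lan" -j ACCEPT
    ipt -A OUTPUT -j WAN_ACCESS
    ipt -A OUTPUT -j REJECT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -s "$lan" -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    ipt -P OUTPUT DROP
    ipt -P INPUT DROP
}

# Unrestricted Internet: a single ACCEPT in WAN_ACCESS. Safe to call repeatedly.
wan_access() {
    case $1 in
        on)  rule_present WAN_ACCESS -j ACCEPT || ipt -A WAN_ACCESS -j ACCEPT ;;
        off) ipt -F WAN_ACCESS ;;
        *)   echo "usage: wan_access on|off" >&2; return 2 ;;
    esac
}

# Internet only inside a daily window (no cron needed), e.g. wan_window 12:00 13:00
wan_window() {
    rule_present WAN_ACCESS -m time --timestart "$1" --timestop "$2" -j ACCEPT ||
        ipt -A WAN_ACCESS -m time --timestart "$1" --timestop "$2" -j ACCEPT
}

# Usage (as root):
#   ./allowlist.sh apply 192.168.1.0/24
#   ./allowlist.sh wan on        # or: wan off
#   ./allowlist.sh window 12:00 13:00
case "${1:-}" in
    apply)  apply_allowlist "$2" ;;
    wan)    wan_access "$2" ;;
    window) wan_window "$2" "$3" ;;
esac
```

Putting the toggle rules in the WAN_ACCESS chain, which OUTPUT jumps to before its final REJECT, avoids the ordering problem of "adding -j ACCEPT as the last rule" when an explicit reject rule is already the last one.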
Best Answer
With Linux 2.6.24+ (considered experimental until 2.6.29), you can use network namespaces for that. You need to have 'network namespaces' enabled in your kernel (CONFIG_NET_NS=y) and util-linux with the unshare tool. Then, starting a process without network access is as simple as:
This creates an empty network namespace for the process. That is, it is run with no network interfaces, including no loopback. In the example below we add -r to run the program only after the current effective user and group IDs have been mapped to the superuser ones (avoiding sudo):
If your app needs a network interface you can set a new one up:
Note that this will create a new, local loopback. That is, the spawned process won't be able to access open ports of the host's 127.0.0.1. If you need to gain access to the original networking inside the namespace, you can use nsenter to enter the other namespace. The following example runs ping with the network namespace that is used by PID 1 (it is specified through -t 1):