Linux – How to Block Network Access of a Process

iptableslinuxnetworkingprocess

Is it possible to block the (outgoing) network access of a single process?

Best Answer

With Linux 2.6.24+ (considered experimental until 2.6.29), you can use network namespaces for that. You need to have the 'network namespaces' enabled in your kernel (CONFIG_NET_NS=y) and util-linux with the unshare tool.

Then, starting a process without network access is as simple as:

unshare -n program ...

This creates an empty network namespace for the process. That is, it is run with no network interfaces, including no loopback. In below example we add -r to run the program only after the current effective user and group IDs have been mapped to the superuser ones (avoid sudo):

$ unshare -r -n ping 127.0.0.1
connect: Network is unreachable

If your app needs a network interface you can set a new one up:

$ unshare -n -- sh -c 'ip link set dev lo up; ping 127.0.0.1'
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=32 time=0.066 ms

Note that this will create a new, local loopback. That is, the spawned process won't be able to access open ports of the host's 127.0.0.1.

If you need to gain access to the original networking inside the namespace, you can use nsenter to enter the other namespace.

The following example runs ping with network namespace that is used by PID 1 (it is specified through -t 1):

$ nsenter -n -t 1 -- ping -c4 example.com
PING example.com (93.184.216.119) 56(84) bytes of data.
64 bytes from 93.184.216.119: icmp_seq=1 ttl=50 time=134 ms
64 bytes from 93.184.216.119: icmp_seq=2 ttl=50 time=134 ms
64 bytes from 93.184.216.119: icmp_seq=3 ttl=50 time=134 ms
64 bytes from 93.184.216.119: icmp_seq=4 ttl=50 time=139 ms

--- example.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 134.621/136.028/139.848/2.252 ms

Filtering with IPTABLES

This can be accomplished by creating a set of rules for allowed traffic and dropping the rest.

For the OUTPUT chain, create rules to accept loopback traffic and traffic to 192.168.1.0/24 network. Default action is applied when no rules are matched, set it to REJECT.

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
iptables -P OUTPUT REJECT

For INPUT chain, you can create similar rules. Allow traffic from loopback and local network, drop the rest.

You can match established traffic (reply traffic to connections initiated by your host) with a single rule using -m conntrack --ctstate ESTABLISHED. This way you do not need to alter the chain when you want to enable Internet access. This works when you do not run any programs/daemons expecting connections from outside of your local network.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -P INPUT DROP

If you need to allow connections initiated outside of your local network, you need to configure the INPUT chain in the same way as the OUTPUT chain and use similar mechanism to apply

To allow unrestricted (WAN access) network access, change the default action to ACCEPT. To put the limits back, change the default action back to REJECT. Same effect is achieved by adding/removing -j ACCEPT as last rule.

iptables -P OUTPUT ACCEPT

You can also use iptables time module to accept the traffic at specific time of a day, in which case you do not need to use cron. For example, to allow any outgoing traffic between 12:00 and 13:00 with following rule:

iptables -A OUTPUT -m time --timestart 12:00 --timestop 13:00 -j ACCEPT

Best Answer

Related Solutions

Block Internet access, but not network access for a user

Networking – Block WAN Access, Allow LAN Access on Linux Hosts

Filtering with IPTABLES

Related Question