7

I know the PID of a specific process and I want to disable the Internet access for this process and only for this process, so other process can access Internet.

Is there any way to do it?

I googled some stuff and found a way to disable Internet for executable programs. But I need, for example, to have two running chrome, one having access to Internet and other not.

ShockwaveNN
  • 371
  • Why don't you put the procedure that you're doing or at lest link the page where it is described? – Lucio Jan 31 '13 at 14:46
  • trickle -d 0 -u 0 chrome http://manpages.ubuntu.com/manpages/bionic/man8/trickled.8.html – kenn May 30 '19 at 13:36

3 Answers3

8

You can try the following:

  • unshare. Seems to work fine for terminal programs. I'm unable to get it to work with X11.

      unshare -r -n ping google.com

  • bubblewrap. This is the sandboxing tool used by Flatpak. I find it complicated to use directly.

    • Bubblejail. This is a front end to bubblewrap. As far as I can tell, it is not currently available in Debian/Ubuntu repositories or PPAs, so you would have to build it yourself. Once installed, I find it much easier to setup and use than Firejail.

  • Firejail. You might have to fiddle with the config to get it to work.

      firejail --noprofile --net=none firefox
xiota
  • 5,058
5

I've just had the same question and found a really nice solution on ubuntuforums.org

Summary

  • add a group "no-internet" and add your user to it

    sudo addgroup no-internet
sudo adduser $USER no-internet

  • add a iptables rule to prevent that group from accessing the network:

    iptables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP

  • run the process you don't want to have internet access like with sg (execute command as different group ID):

    sg no-internet "process command line"
Pablo Bianchi
  • 17,552
kaefert
  • 151
  • Should we run sg no-internet with sudo? – alper Nov 07 '21 at 22:09
  • Good solution but now that process doesn't have access to your files. in most cases it these two come together. Having a firewall that can log, block/allow by process, IP and port is a necessity these days specially when most apps "send log for improvement purposes" and "check update" while in fact these purposes are the only thing those data is not used for. – AaA Jan 28 '22 at 02:16
  • There is a similar answer here, which also shows how to enable access to e.g. localhost and nothing else: https://serverfault.com/a/550278/483223 – Zach Bloomquist Apr 04 '22 at 19:00
2

I would recommend using firewall rules to lock that program out. If you can isolate the port numbers that the program is using you can block traffic on those ports. You can also set up "per process" firewall rules with SELinux or other security software.

https://help.ubuntu.com/community/Gufw

If you're looking for something a little more direct or challenging you can configure IPTables as documented here.

Pablo Bianchi
  • 17,552
user89599
  • 365
  • I think that if you block a port, you are blocking a specific service. So if you block the port/s that chrome is using to forbid the Internet access, then any browser will have these rules. – Lucio Jan 31 '13 at 15:37
  • You are correct. Generally speaking, "per-process" firewalls are frowned upon in the Linux community. This is because if a program with execute permission wants to do something naughty on your network it can just proxy itself through another app that is allowed. Real best practice would dictate you don't have any software that needs blocking. – user89599 Jan 31 '13 at 15:53
  • Well, This solution doesn't work in real world, the application that I'm trying to block is using port 80 and 443, which means I cannot block the port since I need it for my browser. also from comment assumption that you will not have a software that need blocking is naive, for the sake of argument, lets say application X is the only application that can do the job and you don't have alternative, and it is connecting to internet and sending your memory usage, list of documents etc, you can't just delete it and say I don't have it anymore. – AaA Jan 28 '22 at 02:12