
I know the PID of a specific process and I want to disable Internet access for this process and only for this process, so that other processes can still access the Internet.

Is there any way to do it?


I googled some stuff and found a way to disable Internet for executable programs. But I need, for example, to have two running chrome processes, one having access to the Internet and the other not.

ShockwaveNN
  • *two running 'firefox'* - What do you mean? Two `firefox` windows? And have you tried it or not? – Lucio Jan 31 '13 at 13:56
  • Sorry, didn't look into it. I tried it, and as far as I understand - firefox runs in a single process. But another example is Google Chrome - it creates a process for each window – ShockwaveNN Jan 31 '13 at 14:08
  • Can't see how it can help me; I want to disable internet, not kill a process. I used the command `killall -e chrome` and it closed all windows of chrome – ShockwaveNN Jan 31 '13 at 14:33
  • Why don't you put the procedure that you're doing or at least link the page where it is described? – Lucio Jan 31 '13 at 14:46
  • `trickle -d 0 -u 0 chrome` http://manpages.ubuntu.com/manpages/bionic/man8/trickled.8.html – kenn May 30 '19 at 13:36

3 Answers


You can try the following:

  • unshare. Seems to work fine for terminal programs. I'm unable to get it to work with X11.

    unshare -r -n ping google.com
    
  • Firejail. You might have to fiddle with the config to get it to work.

    firejail --noprofile --net=none firefox
    
xiota

I've just had the same question and found a really nice solution on ubuntuforums.org

Summary

  • add a group "no-internet" and add your user to it

    sudo addgroup no-internet
    sudo adduser $USER no-internet
    
  • add an iptables rule to prevent that group from accessing the network:

    iptables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP
    
  • run the process you don't want to have internet access with sg (execute command as different group ID):

    sg no-internet "process command line"
    
Pablo Bianchi
kaefert
  • Should we run `sg no-internet` with `sudo`? – alper Nov 07 '21 at 22:09
  • Good solution, but now that process doesn't have access to your files; in most cases these two come together. Having a firewall that can log and block/allow by process, IP and port is a necessity these days, especially when most apps "send log for improvement purposes" and "check update" while in fact these purposes are the only thing that data is not used for. – AaA Jan 28 '22 at 02:16
  • There is a similar answer here, which also shows how to enable access to e.g. `localhost` and nothing else: https://serverfault.com/a/550278/483223 – Zach Bloomquist Apr 04 '22 at 19:00
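The following script is an added example and is not code from kaefert's answer, xiota's answer or the forum post they link. It wraps the group-based approach above (iptables owner match plus `sg`) and adds the two checks a user of either answer would want: which group id a running PID actually carries, so you can confirm the owner rule will match it, and whether a PID started with `unshare -n` really lives in its own network namespace. It also keeps loopback reachable and covers IPv6, which the single `iptables` rule in the answer does not. The function names, the `sh`-only design and the use of a saved status file for the parser are my choices; the group name `no-internet` is taken from the answer. It assumes Linux with `/proc` mounted and `iptables`/`ip6tables` installed when the rules are applied.

```shell
#!/bin/sh
# Added example, not code from any answer on this page. Helpers for the
# "no-internet" group approach: build the firewall rules, confirm a PID's gid,
# and confirm a PID is in a separate network namespace (the unshare answer).
# Assumptions: group "no-internet" as in the answer, Linux with /proc,
# iptables and ip6tables available when the printed rules are applied.

GROUP_NAME="no-internet"

# Print the firewall commands for one group (name or numeric gid). Every line
# is inserted at position 1, so the loopback ACCEPT printed second lands above
# the DROP: the process keeps localhost but loses everything else. IPv6 gets
# the same pair. Nothing is executed here; pipe the output to sh as root.
no_internet_rules() {
    group=$1
    for tool in iptables ip6tables; do
        echo "$tool -I OUTPUT 1 -m owner --gid-owner $group -j DROP"
        echo "$tool -I OUTPUT 1 -o lo -m owner --gid-owner $group -j ACCEPT"
    done
}

# The owner match compares the fs gid of the process owning the socket. In
# /proc/<pid>/status that is the last of the four numbers on the "Gid:" line
# (real, effective, saved, fs); sg sets all four. Takes a file path so the
# parser can also be run on a saved copy of a status file.
status_fsgid() {
    awk '/^Gid:/ { print $5 }' "$1"
}

# Succeeds when the status file shows the given gid, i.e. the rule matches.
rule_applies() {
    [ "$(status_fsgid "$1")" = "$2" ]
}

# Same check on a live PID.
pid_blocked() {
    rule_applies "/proc/$1/status" "$2"
}

# Network namespace identity of a PID, e.g. "net:[4026531992]". A process
# started with `unshare -n` reports an id shared with no other process.
netns_id() {
    readlink "/proc/$1/ns/net" 2>/dev/null
}

# Succeeds only when both PIDs are readable and in different namespaces.
separate_netns() {
    a=$(netns_id "$1")
    b=$(netns_id "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# Typical use, as root, after `addgroup no-internet`:
#   gid=$(getent group "$GROUP_NAME" | cut -d: -f3)
#   no_internet_rules "$gid" | sh
#   sg "$GROUP_NAME" "chrome" &
#   pid_blocked "$!" "$gid" && echo "PID $! is covered by the rule"
#   separate_netns "$$" "<pid of an unshare -n child>" && echo "own netns"
```

Two details worth knowing when relying on this rule: the owner match looks only at the process's primary (fs) gid, not at supplementary group membership, which is why the answer runs the program under `sg` instead of relying on the user having been added to the group; and the rule is evaluated per packet on the `OUTPUT` chain, so a process that hands its traffic to another process outside the group (a local proxy, for example) is not covered, which is the point user89599 raises in the third answer's comments.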

I would recommend using firewall rules to lock that program out. If you can isolate the port numbers that the program is using you can block traffic on those ports. You can also set up "per process" firewall rules with SELinux or other security software.

https://help.ubuntu.com/community/Gufw

If you're looking for something a little more direct or challenging you can configure IPTables as documented here.

Pablo Bianchi
user89599
  • *I think* that if you block a port, you are blocking a specific service. So if you block the port/s that *chrome* is using to forbid the Internet access, then **any** browser will have these rules. – Lucio Jan 31 '13 at 15:37
  • You are correct. Generally speaking, "per-process" firewalls are frowned upon in the Linux community. This is because if a program with execute permission wants to do something naughty on your network it can just proxy itself through another app that is allowed. Real best practice would dictate you don't have any software that needs blocking. – user89599 Jan 31 '13 at 15:53
  • Well, this solution doesn't work in the real world. The application that I'm trying to block is using ports 80 and 443, which means I cannot block the ports since I need them for my browser. Also, the assumption in the comment that you will not have software that needs blocking is naive: for the sake of argument, let's say application X is the only application that can do the job and you don't have an alternative, and it is connecting to the internet and sending your memory usage, list of documents etc. You can't just delete it and say I don't have it anymore. – AaA Jan 28 '22 at 02:12