# No-Internet Group

## Description

Simple methodology to prevent specified Linux desktop programs from having access to the public Internet via iptables.

## Getting Started

### Dependencies

* iptables
* systemd or cron
* sg

### Creating the Group

First we will create the controlled-access group through which programs will be denied public network access:

```
groupadd no-internet
```

And add your user to it:

```
usermod -a -G no-internet youruser
```

You should now see no-internet among the groups your user is a member of:

```
groups youruser
```

Your user needs to be a member of the group because sg requires it.

### Creating the Systemd Service

Next we will create a systemd service which uses iptables to drop outbound connections made by the "no-internet" group:

```
touch /etc/systemd/system/no-internet.service
nano /etc/systemd/system/no-internet.service
```

Enter the following within the service file, then write and quit:

```
[Unit]
Description=blocks network access for the group "no-internet"

[Service]
# iptables exits as soon as the rule is inserted; oneshot + RemainAfterExit
# keeps the unit reported as "active" instead of "inactive (dead)"
Type=oneshot
RemainAfterExit=yes
ExecStart=iptables -I OUTPUT -m owner --gid-owner "no-internet" -j DROP

[Install]
WantedBy=multi-user.target
```

Breakdown of the iptables command:

* `iptables` is an administration tool for IPv4/IPv6 packet filtering
* `-I OUTPUT` inserts the rule at the top of the OUTPUT chain, which handles packets generated by the host itself (i.e. leaving the host)
* `-m owner` enables matching on the owner of the local process that created the packet
* `--gid-owner "no-internet"` matches packets produced by processes running with the group id of 'no-internet'
* `-j DROP` specifies the action to take on a match, in this case dropping the packet

Next we will reload our services, then enable no-internet so it persistently starts at boot:

```
systemctl daemon-reload
systemctl enable no-internet.service
systemctl start no-internet.service
```

Note: a similar effect could be achieved via crontab by making an entry along the lines of

```
@reboot root iptables -I OUTPUT 1 -m owner --gid-owner "no-internet" -j DROP
```

### Modifying .desktop entries

### Limitations

As iptables operates at layer 3, programs run through this sandboxed group will still be able to reach devices within the same broadcast domain.
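A check to run after the service is started, added here as an example and not part of the original README: it reads an `iptables-save` style dump and reports whether the group's DROP rule is present, first in OUTPUT, and not duplicated, and prints the IPv4 rule together with an `ip6tables` twin. The numeric gid 1001 and the sample dump are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original README: inspects an iptables-save
# style dump for the OUTPUT rule the no-internet service installs, to confirm
# it exists, is evaluated first, and was not duplicated (each restart runs
# "-I" again). iptables-save prints the numeric gid, so pass the gid.

# count_block_rules DUMP GID: number of OUTPUT rules dropping GID-owned packets
count_block_rules() {
    printf '%s\n' "$1" \
        | grep -Ec "^-A OUTPUT( .*)? -m owner --gid-owner $2( .*)? -j DROP$" || true
}

# block_rule_position DUMP GID: 1-based position of the first such rule among
# the OUTPUT rules, or 0 if absent ("iptables -I OUTPUT" puts it at 1)
block_rule_position() {
    printf '%s\n' "$1" | grep -E '^-A OUTPUT ' | awk -v gid="$2" '
        $0 ~ ("-m owner --gid-owner " gid " .*-j DROP$") { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# check_dump DUMP GID: prints ok, missing, duplicated or not-first
check_dump() {
    n=$(count_block_rules "$1" "$2")
    pos=$(block_rule_position "$1" "$2")
    if [ "$n" -eq 0 ]; then echo missing
    elif [ "$n" -gt 1 ]; then echo duplicated
    elif [ "$pos" -ne 1 ]; then echo not-first
    else echo ok
    fi
}

# rules_for GROUP: the service's command plus its ip6tables twin; the service
# covers IPv4 only, so on a dual-stack host IPv6 traffic would still get out.
rules_for() {
    printf 'iptables -I OUTPUT -m owner --gid-owner "%s" -j DROP\n' "$1"
    printf 'ip6tables -I OUTPUT -m owner --gid-owner "%s" -j DROP\n' "$1"
}

# Constructed sample (not from a real host): gid 1001 is "no-internet" and
# the service has inserted its rule at the top of OUTPUT.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --gid-owner 1001 -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT'
check_dump "$SAMPLE_DUMP" 1001    # prints: ok
rules_for no-internet
```

On a live host, feed it the real dump and gid: `check_dump "$(iptables-save -t filter)" "$(getent group no-internet | cut -d: -f3)"`.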