No-Internet.Group/README.md
2026-03-08 21:09:57 +00:00

# No-Internet Group
## Description
A simple method for denying selected Linux desktop programs access to the public Internet, using an iptables owner-match rule on a dedicated group.
## Getting Started
### Dependencies
* iptables
* systemd or cron
* sg
### Creating the Group
First we will create the controlled access group; programs run under this group will be denied public network access.
```
groupadd no-internet
```
And add your user to it
```
usermod -a -G no-internet youruser
```
You should now see no-internet among the groups your user is a member of:
```
groups youruser
```
Your user must be a member of the group, because sg only switches to groups the calling user belongs to.
### Creating the Systemd Service
Next we will create a systemd service which uses iptables to drop outbound packets sent by processes running as the "no-internet" group.
```
touch /etc/systemd/system/no-internet.service
nano /etc/systemd/system/no-internet.service
```
Enter the following within the service file then write and quit
```
[Unit]
Description=blocks network access for the group "no-internet"

[Service]
# oneshot + RemainAfterExit: the rule is inserted once and the unit stays
# "active", so a repeated start does not insert a duplicate rule
Type=oneshot
RemainAfterExit=yes
ExecStart=iptables -I OUTPUT -m owner --gid-owner "no-internet" -j DROP
# stopping the unit removes the rule again
ExecStop=iptables -D OUTPUT -m owner --gid-owner "no-internet" -j DROP

[Install]
WantedBy=multi-user.target
```
Breakdown of the iptables command:
* iptables is the administration tool for IPv4/IPv6 packet filtering; the iptables command itself programs the IPv4 rules and ip6tables is its IPv6 counterpart
* -I OUTPUT inserts the rule at the top of the OUTPUT chain, which handles packets generated locally and leaving the host
* -m owner loads the owner match, which filters packets by the user or group that owns the local socket they came from
* --gid-owner "no-internet" makes the rule match packets from processes running with the group 'no-internet', which is the group sg switches them to
* -j DROP specifies the action to take, in this case silently dropping the packet
Next we will reload our services, then enable no-internet so it persistently starts at boot
```
systemctl daemon-reload
systemctl enable no-internet.service
systemctl start no-internet.service
```
Note: a similar effect could be achieved via crontab by adding an entry along the lines of the following to /etc/crontab (the system crontab, whose format includes the user field shown here)
```
@reboot root iptables -I OUTPUT 1 -m owner --gid-owner "no-internet" -j DROP
```
### Modifying .desktop entries
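The Dependencies list names sg, so the launcher for a sandboxed program has to start it with sg under the no-internet group. The following script is an added example, not part of the original README: wrap_desktop_exec rewrites the Exec= line of a .desktop entry read on stdin, and install_wrapped_entry (an assumed helper name) drops a wrapped copy into the user's local applications directory, which takes precedence over /usr/share/applications for an entry of the same file name. The entry names in the comments are placeholders.

```shell
#!/bin/sh
# Added example: rewrite a .desktop entry so the launcher starts the program
# with `sg no-internet -c ...`, i.e. inside the blocked group.
# wrap_desktop_exec reads a .desktop file on stdin and writes the rewritten
# entry to stdout; only Exec= lines change. Field codes (%u, %F, ...) are
# removed, because the Desktop Entry spec forbids them inside a quoted
# argument, so the wrapped program starts without file/URL arguments.
wrap_desktop_exec() {
    group="${1:-no-internet}"
    awk -v group="$group" '
        /^Exec=/ {
            cmd = substr($0, 6)
            if (cmd ~ /"/) {
                # quoted arguments would need re-escaping; leave such lines alone
                print "warning: Exec line with quotes left unchanged: " $0 > "/dev/stderr"
                print
                next
            }
            gsub(/ ?%[fFuUdDnNickvm]/, "", cmd)
            print "Exec=sg " group " -c \"" cmd "\""
            next
        }
        { print }'
}

# Assumed helper: place a wrapped copy of a system entry in the local
# applications directory, which takes precedence over /usr/share/applications,
# so the menu entry with the same name now launches the sandboxed version.
install_wrapped_entry() {
    name="$1"                                  # e.g. org.example.App.desktop (placeholder)
    src="/usr/share/applications/$name"
    dst="${XDG_DATA_HOME:-$HOME/.local/share}/applications/$name"
    [ -r "$src" ] || { echo "no such entry: $src" >&2; return 1; }
    mkdir -p "$(dirname "$dst")"
    wrap_desktop_exec < "$src" > "$dst"
    echo "wrote $dst"
}

# Invoke as `sh wrap-desktop.sh install NAME.desktop`; sourcing the file only
# defines the functions.
case "${1-}" in
    install) install_wrapped_entry "${2-}" ;;
esac
```

Lines whose Exec value already contains double quotes are passed through unchanged with a warning on stderr, since wrapping them would require re-escaping the inner quotes; those few entries are better edited by hand.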
### Limitations
Because iptables operates at layer 3, programs run under this sandboxed group will still be able to reach devices within the same broadcast domain.
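A second limitation follows from the breakdown above: the unit file only calls iptables, so the rule covers IPv4; on a host with IPv6 connectivity the group can still reach IPv6 destinations unless an equivalent ip6tables rule is loaded. The following audit script is an added example, not part of the original README. check_drop_rule reads the output of iptables -S OUTPUT (or ip6tables -S OUTPUT) on stdin and takes the numeric gid as its argument, because -S prints group ids numerically; audit_host (an assumed helper name) runs it for both tools on the live host.

```shell
#!/bin/sh
# Added audit helper: confirm that the owner-match DROP rule for the
# no-internet group is actually loaded, for both IPv4 and IPv6.
# check_drop_rule reads `iptables -S OUTPUT` (or `ip6tables -S OUTPUT`) from
# stdin and takes the numeric gid as its argument, because -S prints gids
# numerically rather than by name.
# Exit status: 0 = rule found at the top of the chain
#              1 = rule missing
#              2 = rule present but not first, so earlier rules are evaluated
#                  before it and must be reviewed
check_drop_rule() {
    gid="$1"
    awk -v gid="$gid" '
        /^-A OUTPUT / { n++ }
        /^-A OUTPUT / && $0 ~ ("--gid-owner " gid "( |$)") && /-j DROP$/ && !found { found = n }
        END {
            if (!found) { print "no DROP rule for gid " gid " in OUTPUT"; exit 1 }
            if (found != 1) { print "DROP rule for gid " gid " is rule " found ", not first"; exit 2 }
            print "DROP rule for gid " gid " is first in OUTPUT"; exit 0
        }'
}

# Assumed helper: run the check against the live host (needs root to read the
# rule sets). The group name and tool names come from the README; the IPv6
# check is the added part: without an ip6tables rule the group keeps IPv6 access.
audit_host() {
    group="${1:-no-internet}"
    gid=$(getent group "$group" | cut -d: -f3)
    if [ -z "$gid" ]; then
        echo "group $group does not exist" >&2
        return 1
    fi
    status=0
    for tool in iptables ip6tables; do
        if command -v "$tool" >/dev/null 2>&1; then
            printf '%s: ' "$tool"
            "$tool" -S OUTPUT | check_drop_rule "$gid" || status=1
        else
            echo "$tool: not installed, skipping"
        fi
    done
    return "$status"
}

# Invoke as `sh audit-no-internet.sh audit` on the host; sourcing the file
# only defines the functions.
case "${1-}" in
    audit) audit_host "${2-}" ;;
esac
```

Exit status 2 is worth acting on after any firewall reload: tools such as ufw or firewalld rebuild the OUTPUT chain and may push this rule below their own, so packets from the group are matched against their rules first.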