Friday, August 7, 2020

Block a particular application from accessing the internet on Ubuntu 20.04

Create the group no-internet. Processes launched under this group will work in offline mode.
$ sudo addgroup no-internet

Allow members of the sudo group to run commands as the no-internet group without a password.
$ sudo visudo

Add this line at the end and save the changes:
%sudo     ALL=(:no-internet)      NOPASSWD: ALL

Allow everyone to change iptables rules by making the iptables binary setuid root (note that this lets any local user alter the firewall as root):
$ which iptables
/usr/sbin/iptables
$ readlink -f /usr/sbin/iptables
/usr/sbin/xtables-legacy-multi
$ ls -l /usr/sbin/xtables-legacy-multi
-rwxr-xr-x 1 root root 99296 Feb 28 15:16 /usr/sbin/xtables-legacy-multi
$ sudo chmod u+s /usr/sbin/xtables-legacy-multi
$ ls -l /usr/sbin/xtables-legacy-multi
-rwsr-xr-x 1 root root 99296 Feb 28 15:16 /usr/sbin/xtables-legacy-multi

Add iptables rules for the no-internet group:
$ iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
$ ip6tables -A OUTPUT -m owner --gid-owner no-internet -j DROP

Create a directory to store the iptables rules and change its ownership to the current user and its group:
$ sudo mkdir /etc/iptables
$ sudo chown -Rv 1000:1000 /etc/iptables

Save the current iptables rules to that directory:
$ iptables-save > /etc/iptables/rules.v4
$ ip6tables-save  > /etc/iptables/rules.v6

Install the application you want to block, for example:
$ sudo snap install phpstorm

Copy the application's desktop launcher to the local launchers directory so we can override it:
$ cp /var/lib/snapd/desktop/applications/phpstorm_phpstorm.desktop ~/.local/share/applications/

Edit the local desktop launcher and set its Exec line to: sh -c "iptables-restore < /etc/iptables/rules.v4; ip6tables-restore < /etc/iptables/rules.v6; sudo -g no-internet existing-exec-command", where existing-exec-command is the original Exec value. For example:
$ vi ~/.local/share/applications/phpstorm_phpstorm.desktop

Exec=sh -c "iptables-restore < /etc/iptables/rules.v4; ip6tables-restore < /etc/iptables/rules.v6; sudo -g no-internet env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/phpstorm_phpstorm.desktop /snap/bin/phpstorm %f"
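A fail-closed launcher for the same setup, added here as an example (not from the original post): the Exec line above chains the restore and the launch with ";", so if a restore fails the application still starts with network access. The script assumes the no-internet group, the rule files under /etc/iptables and the setuid iptables from the steps above, and refuses to start the program unless the live OUTPUT chains actually carry the DROP rule.

```shell
#!/bin/sh
# Added example: fail-closed wrapper for launching an app in the no-internet group.
# Assumes the setup from the post (group, saved rules, setuid iptables binary).
# Keep in mind that the setuid iptables lets any local user change the firewall as root.

RULES_V4=/etc/iptables/rules.v4
RULES_V6=/etc/iptables/rules.v6
GROUP=no-internet

# Return 0 if an iptables-save style dump on stdin contains an OUTPUT DROP rule
# for the group, matched either by name or by the numeric gid given as $1.
# Pure text processing, so it can be checked offline on constructed dumps.
dump_has_drop_rule() {
    gid="$1"
    grep -Eq "^-A OUTPUT .*-m owner --gid-owner ($GROUP|$gid) -j DROP"
}

# Check the live firewall: both the IPv4 and the IPv6 OUTPUT chain must carry
# the rule. Returns non-zero if the group does not exist or a rule is missing.
firewall_blocks_group() {
    gid=$(getent group "$GROUP" | cut -d: -f3)
    [ -n "$gid" ] || return 1
    iptables-save  | dump_has_drop_rule "$gid" || return 1
    ip6tables-save | dump_has_drop_rule "$gid" || return 1
}

# Restore the saved rule sets, verify them, then launch under the group.
# Every step must succeed; on any failure the program is not started.
run_offline() {
    iptables-restore  < "$RULES_V4" || { echo "IPv4 restore failed" >&2; return 1; }
    ip6tables-restore < "$RULES_V6" || { echo "IPv6 restore failed" >&2; return 1; }
    firewall_blocks_group || { echo "refusing to start: $GROUP is not blocked" >&2; return 1; }
    exec sudo -g "$GROUP" -- "$@"
}

# Usage: offline-run <command> [args...]
if [ "$#" -gt 0 ]; then
    run_offline "$@"
fi
```

Install it as, for example, /usr/local/bin/offline-run (a path chosen here, not one from the post) and set the launcher's Exec line to that path followed by the original command.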