Create group no-internet. Members of this group will work in offline mode.
$ sudo addgroup no-internet
Allow members of no-internet group to use sudo without password.
$ sudo visudo
Add this line at then end and save changes:
%sudo ALL=(:no-internet) NOPASSWD: ALL
Allow everyone to change iptables rules:
$ which iptables
/usr/sbin/iptables
$ readlink -f /usr/sbin/iptables
/usr/sbin/xtables-legacy-multi
$ ls -l /usr/sbin/xtables-legacy-multi
-rwxr-xr-x 1 root root 99296 Feb 28 15:16 /usr/sbin/xtables-legacy-multi
$ sudo chmod u+s /usr/sbin/xtables-legacy-multi
$ ls -l /usr/sbin/xtables-legacy-multi
-rwsr-xr-x 1 root root 99296 Feb 28 15:16 /usr/sbin/xtables-legacy-multi
Add iptables rules for no-internet group
$ iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
$ ip6tables -A OUTPUT -m owner --gid-owner no-internet -j DROP
Create store directory for iptables rules and change ownership to current user and it's group:
$ sudo mkdir /etc/iptables
$ sudo chown -Rv 1000:1000 /etc/iptables
Save iptables entries to created directory:
$ iptables-save > /etc/iptables/rules.v4
$ ip6tables-save > /etc/iptables/rules.v6
Install application you want to block, for example:
$ sudo snap install phpstorm
Copy application desktop launcher to local desktop launchers so we can override it:
$ cp /var/lib/snapd/desktop/applications/phpstorm_phpstorm.desktop ~/.local/share/applications/
Edit local desktop launcher and set Exec line to: sh -c "iptables-restore < /etc/iptables/rules.v4; ip6tables-restore < /etc/iptables/rules.v6; sudo -g no-internet existing-exec-command". For example:
$ vi ~/.local/share/applications/phpstorm_phpstorm.desktop
Exec=sh -c "iptables-restore < /etc/iptables/rules.v4; ip6tables-restore < /etc/iptables/rules.v6; sudo -g no-internet env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/phpstorm_phpstorm.desktop /snap/bin/phpstorm %f"
