[ How to block Internet access for programs on Linux ]

=== May 6, 2023 ===

There are times when we may need to block a specific program from accessing the Internet. I’m not saying while analysing some malicious executable, for that you should use a virtual environment (for starters). What if you want to block a text editor like Visual Studio Code? It is SCARY to look at the Wireshark/tcpdump output while executing it! Before even loading my file, it already made several DNS requests and established 4 TCP connections; and that’s with disabled analytics/metrics reports.

And yes, Codium is also chatty!

Steps to block Internet access

1. Create a new local group that we’ll use as a Internet contained group

   sudo addgroup no-internet
   

2. Get the ID of the newly created group and store it in GID variable

   GID=$(getent group no-internet | cut -d ':' -f3)
   

3. Add a nftables rule to DROP outgoing traffic from the new group

   nft add rule ip filter OUTPUT skgid $GID counter drop
   

4. Execute commands/programs from inside the new group

   sudo -g no-internet ping 8.8.8.8 # No Internet access for ping
   sudo -g no-internet code # No Internet access for VS Code
   

That’s it! Expect some errors from VS Code/VS Codium about not being able to connect to the extensions repositories, at this stage you probably have all the necessary extensions installed.

Liked it? Share it:

[ twitter ] [ reddit ] [ linkedin ] [ facebook ] [ email ]