Is there a way of blocking individual programs from accessing the network?
There's some programs I want to block from accessing the network. I could disconnect from the network, but that'd mean I wouldn't be able to use any other programs that use the LAN/internet.
Is there a way, without installing firewalls, of stopping programs from using the network, without having to block specific ports? Any method, like some way of forcing the program to use /dev/zero as the network interface?
well you need to appreciate what a firewall really is I guess... and you'd absolutely want to use netfilter to do this, which is totally possible, and technically does constitute a firewall in its lowest level incarnation...
iptables -A OUTPUT -m owner --cmd-owner "ssh" -j REJECT
just says to refuse any packet from ssh to leave the machine.
I'm kinda confused by the iptables command; do I have to replace anything other than "ssh"? Like 'OUTPUT' or 'owner'? I tried various combinations and they all gave me an 'invalid argument' error. And --cmd-owner isn't a flag, according to iptables -h.
* Detects unauthorized applications trying to act like a client or a server;
* Operates with or without user intervention;
* Verifies the applications' integrity so that maliciously modified software won't be able to send or receive data through the network;
* Uses a three-layered architecture of independent modules, which eases the task of adding new features and functionality;
TuxGuardian looks to be exactly what I want, but to use it you've got to enable some extra kernel stuff (allow security modules etc), which involves make menuconfig, which is broken on my Ubuntu build. I haven't messed with the kernel or compilers, but make menuconfig errors out with messages such as these:
scripts/kconfig/lxdialog/checklist.c:310: warning: implicit declaration of function ‘on_key_esc’
scripts/kconfig/lxdialog/checklist.c:312: error: ‘KEY_RESIZE’ undeclared (first use in this function)
make[1]: *** [scripts/kconfig/lxdialog/checklist.o] Error 1
make: *** [menuconfig] Error 2
Am I missing some dependencies? I'm running the latest kernel; 2.6.20-16 - I think I have to enable some stuff in the kernel, at least that's what the documentation says and I'm not sure if it's already compiled into the Ubuntu kernels. I think I have to, 'cause only the daemon for TuxGuardian seems to compile successfully, and that's useless without the TuxGuardian module.
well I would *expect* that tuxguardian would use the owner module, hence the kernel rebuild, hence the original reason my suggestion didn't work for you...
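As an added example, not part of the original posts: the owner match also accepts `--uid-owner` and `--gid-owner`, so one way to get the per-program block asked about in this thread is to run the program under a dedicated group and reject that group's outbound packets. The group name `nonet` and the sample `ssh` target are assumptions; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: per-program egress blocking with the netfilter owner match.
# GROUP is a hypothetical group name; pick any unused one.
GROUP="${GROUP:-nonet}"

# Print the rule specification (everything after the chain operation).
# Packets from sockets whose owning process runs with group $1 match;
# REJECT makes connection attempts fail at once instead of timing out.
owner_rule() {
    printf '%s\n' "OUTPUT -m owner --gid-owner $1 -j REJECT"
}

# Print the commands that install the block for IPv4 and IPv6.
# -C tests whether the rule already exists, so re-running is harmless;
# -I inserts it first so an earlier ACCEPT rule cannot bypass it.
plan() {
    rule=$(owner_rule "$1")
    printf '%s\n' "getent group $1 >/dev/null || groupadd --system $1"
    for ipt in iptables ip6tables; do
        printf '%s\n' "$ipt -C $rule 2>/dev/null || $ipt -I $rule"
    done
}

# Print the command that starts a program with the blocked group.
# The invoking user must be a member of the group (gpasswd -a USER GROUP),
# otherwise sg asks for a group password. Quoting here is deliberately
# simple: arguments containing single quotes are not handled.
launch_cmd() {
    grp=$1; shift
    printf '%s\n' "sg $grp -c '$*'"
}

# Default is a dry run that prints the plan; "apply" (as root) executes it.
case "${1:-}" in
    apply) plan "$GROUP" | sh -e ;;
    *)     plan "$GROUP"
           launch_cmd "$GROUP" ssh user@host.example ;;  # constructed sample target
esac
```

Name lookups answered by a local resolver daemon are sent by that daemon's process, not by the blocked program, so they are not matched by this rule.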