How to forbid network access to a program? #99

Open
opened 2026-05-08 13:33:36 +02:00 by Benjamin_Loison · 16 comments
Owner

I have verified that I do not have such an issue in my Debian, Cinnamon and Ubuntu forks.

Author
Owner

Would help [Benjamin_Loison/opencode/issues/1](https://codeberg.org/Benjamin_Loison/opencode/issues/1).

DuckDuckGo search *Linux forbid network access to a program*.
Author
Owner

[The Ask Ubuntu answer 423105](https://askubuntu.com/a/423105):

On my Linux Mint 22.3 Cinnamon Framework 13 Virtual Machine Manager *Linux Mint (trust)* virtual machine:

```bash
sudo addgroup no-internet
```

Output:

```
info: Selecting GID from range 1000 to 59999 ...
info: Adding group `no-internet' (GID 1001) ...
```
Author
Owner

[Wikipedia: Firejail (1341131071)](https://en.wikipedia.org/w/index.php?title=Firejail&oldid=1341131071)

> Network Isolation: It can restrict network access for sandboxed applications, enhancing security against network-based attacks.

[netblue30/firejail](https://github.com/netblue30/firejail) has 7.4k stars and last commit was 2 hours ago.
Author
Owner
```bash
sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
sudo iptables6 -A OUTPUT -m owner --gid-owner no-internet -j DROP
```

```
sudo: iptables6: command not found
```
Author
Owner

DuckDuckGo and Google search `"ip6tables" "apt"`.

```bash
ping6 2600::
```

```
ping6: connect: Network is unreachable
```

So IPv6 seems not present.
Author
Owner
```bash
sudo -g no-internet 'curl https://example.com'
```

```
sudo: curl https://example.com: command not found
```

```bash
time sudo -g no-internet curl https://example.com
```

Output:

```
curl: (6) Could not resolve host: example.com

real	0m0,027s
user	0m0,005s
sys	0m0,014s
```

```bash
time sudo -g no-internet ping -c 1 8.8.8.8
```

Output:

```
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


real	0m10,013s
user	0m0,005s
sys	0m0,005s
```

```bash
time ping -c 1 8.8.8.8
```

Output:

```
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=8.15 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 8.147/8.147/8.147/0.000 ms

real	0m0,012s
user	0m0,001s
sys	0m0,002s
```
Author
Owner
```bash
sudo -g no-internet whoami
```

```
benjamin_loison
```

```bash
sudo -g no-internet groups
```

```
no-internet adm cdrom sudo dip www-data plugdev lpadmin sambashare docker vboxsf benjamin_loison
```
Author
Owner
```bash
sudo --help | grep -e -g
```

Output:

```
usage: sudo -v [-ABkNnS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-ABkNnS] [-g group] [-h host] [-p prompt] [-U user]
            [-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
            [-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
  -g, --group=group             run command as the specified group name or ID
  -P, --preserve-groups         preserve group vector instead of setting to
```
Author
Owner

#38:

```bash
time sudo -g no-internet telnet localhost 33927
```

Output:

```
Trying 127.0.0.1...
^C

real	2m7,733s
user	0m0,008s
sys	0m0,015s
```

I would like to still have a port open to leverage remote Ollama.
Author
Owner

While we can reach Docker guest port by forwarding it, the other way around is maybe harder.

Author
Owner

https://chat.mistral.ai/chat/80521fec-ed50-4d42-b38f-25cc7979b8a7

```bash
sudo iptables -L OUTPUT -v -n
```

Output:

```
Chain OUTPUT (policy ACCEPT 25 packets, 1847 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   19  1152 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 1001
```

DuckDuckGo search *Linux get group id*.

```bash
getent group no-internet
```

```
no-internet:x:1001:
```

```bash
getent group $USER
```

```
benjamin_loison:x:1000:
```
Author
Owner
```bash
sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 8080 -m owner --gid-owner no-internet -j ACCEPT
```

does not return anything and does not help, despite paying attention to now use 8080 for both server and client.
Author
Owner
```bash
sudo iptables -L OUTPUT -v -n
```

Output:

```
Chain OUTPUT (policy ACCEPT 32 packets, 2361 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   33  1992 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 1001
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:8080 owner GID match 1001
```
Author
Owner
```bash
sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
sudo iptables -L OUTPUT -v -n
```

Output:

```
Chain OUTPUT (policy ACCEPT 32 packets, 2361 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   33  1992 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 1001
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:8080 owner GID match 1001
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 1001
```

DuckDuckGo search *iptables delete given rule*.

https://www.baeldung.com/linux/iptables-delete-rules

```bash
sudo iptables -L OUTPUT -v -n --line-numbers
```

Output:

```
Chain OUTPUT (policy ACCEPT 32 packets, 2361 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       33  1992 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 1001
2        0     0 ACCEPT     6    --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:8080 owner GID match 1001
3        0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 1001
```
Author
Owner
```bash
sudo iptables -L OUTPUT -v -n --delete 1
```

Output:

```
iptables v1.8.10 (nf_tables): Cannot use -D with -L
Try `iptables -h' or 'iptables --help' for more information.
```

```bash
sudo iptables --delete 1
```

```
iptables: Bad rule (does a matching rule exist in that chain?).
```

```bash
sudo iptables -t filter -L OUTPUT -v -n --delete 1
```

Output:

```
iptables v1.8.10 (nf_tables): Cannot use -D with -L
Try `iptables -h' or 'iptables --help' for more information.
```

```bash
sudo iptables --delete chain 1
```

```
iptables: No chain/target/match by that name.
```

Google search *iptables delete given rule*.

```bash
sudo iptables --delete OUTPUT 1
sudo iptables -L OUTPUT -v -n
```

Output:

```
Chain OUTPUT (policy ACCEPT 34 packets, 2517 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:8080 owner GID match 1001
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 1001
```
Author
Owner
```bash
time sudo -g no-internet telnet localhost 8080
```

Output:

```
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
test
```

```bash
netcat -l -p 8080
```

```
test
```

```bash
time sudo -g no-internet ping -c 1 8.8.8.8
```

Output:

```
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


real	0m10,014s
user	0m0,005s
sys	0m0,005s
```
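Putting the thread's end state together, as an added example that is not the issue author's script: a small POSIX shell helper that emits the group-based egress rules with the loopback exception placed before the catch-all DROP (the reason the ACCEPT appended after the first DROP above was never hit until that DROP was deleted), checks that order, applies the rules idempotently with `iptables -C`, and removes them again. It serves both the "forbid everything for the group" step and the "still have a port open" step. The group name `no-internet`, the address `127.0.0.1` and port `8080` follow the thread; the `NI_GROUP`/`ALLOW_HOST`/`ALLOW_PORT` variable names, the `show|apply|remove` interface, `with_flag` and `rules_ordered` are my own assumptions. `apply` and `remove` need root on a Linux host with iptables and the Debian `addgroup` tool; `show` and the order check run anywhere.

```shell
#!/bin/sh
# Added example (not from the issue): build the iptables rules in evaluation
# order, verify that order, and apply or remove them idempotently.
set -eu

# Defaults follow the thread; the variable names are assumptions.
NI_GROUP="${NI_GROUP:-no-internet}"
ALLOW_HOST="${ALLOW_HOST:-127.0.0.1}"
ALLOW_PORT="${ALLOW_PORT:-8080}"

# Print the rules, one per line, in the order the OUTPUT chain must hold
# them. iptables stops at the first matching rule, so the loopback ACCEPT
# has to sit above the catch-all DROP for the group; appended below it,
# the ACCEPT is never reached (which is why the first attempt above did
# not help).
no_internet_rules() {
  printf '%s\n' \
    "iptables -A OUTPUT -p tcp -d $ALLOW_HOST --dport $ALLOW_PORT -m owner --gid-owner $NI_GROUP -j ACCEPT" \
    "iptables -A OUTPUT -m owner --gid-owner $NI_GROUP -j DROP"
}

# Exit 0 when the ACCEPT line precedes the DROP line in the emitted list.
rules_ordered() {
  accept_ln=$(no_internet_rules | grep -n -- '-j ACCEPT' | cut -d: -f1)
  drop_ln=$(no_internet_rules | grep -n -- '-j DROP' | cut -d: -f1)
  [ "$accept_ln" -lt "$drop_ln" ]
}

# Rewrite an "-A OUTPUT ..." rule with another command flag: -C to test
# whether the rule is present, -D to delete it by specification (the
# alternative to "--delete OUTPUT <num>" used in the thread).
with_flag() {
  printf '%s' "$2" | sed "s/-A OUTPUT/$1 OUTPUT/"
}

# Create the group if missing, then add each rule only when `iptables -C`
# reports it absent, so re-running the script does not duplicate rules
# (the thread shows the DROP ending up in the chain twice).
apply_rules() {
  getent group "$NI_GROUP" >/dev/null || sudo addgroup "$NI_GROUP"
  no_internet_rules | while IFS= read -r rule; do
    # shellcheck disable=SC2046,SC2086
    sudo $(with_flag -C "$rule") 2>/dev/null || sudo $rule
  done
}

# Delete exactly the rules emitted above, ignoring ones already gone.
remove_rules() {
  no_internet_rules | while IFS= read -r rule; do
    # shellcheck disable=SC2046
    sudo $(with_flag -D "$rule") 2>/dev/null || true
  done
}

case "${1:-}" in
  apply)  apply_rules ;;
  remove) remove_rules ;;
  show)   no_internet_rules ;;
  *)      echo "usage: $0 {show|apply|remove}" >&2 ;;
esac
```

Three caveats a practitioner would want alongside this. `-m owner --gid-owner` matches the effective GID of the process that created the socket, which `sudo -g` sets while leaving the supplementary groups in place (as the `groups` output in the thread shows), so the match still applies. DNS traffic from the group is dropped too, which is why the `curl` call above fails in 27 ms on name resolution rather than timing out. The exception is keyed on `127.0.0.1`, so a service bound only to `::1` or to a LAN address stays blocked, and rules added this way do not survive a reboot unless they are saved and restored by a persistence mechanism such as `iptables-save`/`iptables-restore`.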

Reference: Benjamin_Loison/linux#99