How to control internet access for each program?

NOTE: Douane is no longer actively developed and is reported to not work in later Ubuntu versions. This solution may not work, but the answer is kept as is for historical reasons.

In case you're still looking for this kind of application, I am currently developing exactly that application: http://douaneapp.com/ https://gitlab.com/douaneapp/Douane

My application blocks any unknown applications (new versions of an authorized application are blocked) and asks you if you Allow or Deny its traffic.

Have a look at the website ;-)



I found a convenient solution that solves the problem. You create a group that is never allowed to use the internet and start the program as a member of this group.

  1. Create a group no-internet. Do not join this group

    sudo addgroup no-internet
    
  2. Add a rule to iptables that prevents all processes belonging to the group no-internet from using the network (use ip6tables to also prevent IPv6 traffic)

    sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
    
  3. Execute sudo -g no-internet YOURCOMMAND instead of YOURCOMMAND.

You can easily write a wrapper script that uses sudo for you. You can get rid of the password prompt by adding

    %sudo     ALL=(:no-internet)      NOPASSWD: ALL

or something similar, using sudo visudo.

Use iptables-save and iptables-restore to persist the firewall rules.
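The wrapper script mentioned above, written out as an added example (not part of the original answer). It assumes the Debian/Ubuntu tools addgroup, getent, iptables and ip6tables, the group name no-internet from the answer, and the sudoers entry above so that sudo -g no-internet asks for no password. It installs the DROP rule for both IPv4 and IPv6 only when it is missing (so repeated runs do not stack duplicate rules), runs the command with the blocked group as its primary group, and has a --verify mode that confirms traffic from the group is actually dropped. NOINET_DRYRUN, NOINET_GROUP and NOINET_CHECK_HOST are names chosen for this example; with NOINET_DRYRUN=1 the privileged steps are printed instead of executed, so the script can be exercised without root.

```shell
#!/bin/sh
# no-internet: run a command with "no-internet" as its primary group, after
# making sure the group and the iptables/ip6tables DROP rules exist.
# Added example, not from the original answer. Assumes Debian/Ubuntu tools
# (addgroup, getent, iptables, ip6tables) and a sudoers entry that lets
# "sudo -g no-internet" run without a password.
# NOINET_DRYRUN=1 makes every privileged step print its command instead of
# running it, so the script can be exercised without root.

GROUP="${NOINET_GROUP:-no-internet}"

# Run a privileged command via sudo, or echo it when NOINET_DRYRUN is set.
priv() {
    if [ -n "${NOINET_DRYRUN:-}" ]; then
        echo "sudo $*"
    else
        sudo "$@"
    fi
}

# Match/target part of the rule from step 2; shared by the -C (check) and
# -A (append) invocations so both stay identical.
rule_args() {
    echo "OUTPUT -m owner --gid-owner $GROUP -j DROP"
}

# Does the rule already exist for the given binary (iptables or ip6tables)?
has_rule() {
    # In dry-run mode the kernel cannot be queried, so report "missing".
    [ -n "${NOINET_DRYRUN:-}" ] && return 1
    sudo "$1" -C $(rule_args) >/dev/null 2>&1
}

# Create the group if needed (step 1); nobody should be a member of it.
ensure_group() {
    getent group "$GROUP" >/dev/null 2>&1 || priv addgroup "$GROUP"
}

# Install the DROP rule for IPv4 and IPv6 only if it is not already there,
# so repeated runs do not pile up duplicate rules.
ensure_rules() {
    for ipt in iptables ip6tables; do
        has_rule "$ipt" || priv "$ipt" -A $(rule_args)
    done
}

# Run the given command with the blocked group as primary group (step 3).
run_offline() {
    priv -g "$GROUP" "$@"
}

# Self-check: a network request issued under the group must fail.
# The default host is a constructed value; any host that answers ping will do.
verify_blocked() {
    host="${NOINET_CHECK_HOST:-example.com}"
    if sudo -g "$GROUP" ping -c 1 -W 2 "$host" >/dev/null 2>&1; then
        echo "WARNING: traffic from group $GROUP was NOT blocked" >&2
        return 1
    fi
    echo "ok: traffic from group $GROUP is blocked"
}

if [ "$#" -gt 0 ]; then
    case "$1" in
        --verify) verify_blocked ;;
        *) ensure_group; ensure_rules; run_offline "$@" ;;
    esac
fi
```

Save it as no-internet, make it executable, and run `no-internet curl https://example.com` to confirm the request fails, or `no-internet --verify` for the built-in check. The rule as written also drops loopback traffic from the group, so a program that talks to a local service over TCP will lose that too; the answer's rule is kept unchanged here.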


Another option is firejail. It runs the application inside a sandbox where you control whether the application can see the network:

    firejail --net=none firefox

This command will start the Firefox browser without internet access. Note that the firejail package in the Ubuntu repo is outdated; it is better to download its latest LTS version from the firejail home page.