Is it possible to simulate "no external access" from a Linux machine when developing?

Deleting the default route should do this. You can show the routing table with /sbin/route, and delete the default with:

sudo /sbin/route del default

That'll leave your system connected to the local net, but with no idea where to send packets destined for beyond. This probably simulates the "no external access" situation very accurately.

You can put it back with route add (remembering what your gateway is supposed to be), or by just restarting networking. I just tried on a system with NetworkManager, and zapping the default worked fine, and I could restore it simply by clicking on the panel icon and re-choosing the local network. It's possible that NM might do this by itself on other events, so beware of that.

Another approach would be to use an iptables rule to block outbound traffic. But I think the routing approach is probably better.
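The default-route approach from the answer above, as an added example that is not part of the original answer: it saves the IPv4 default route(s) before deleting them, so the gateway does not have to be remembered. It uses ip from iproute2 instead of /sbin/route; the state file path and the function names are assumptions.

```sh
#!/bin/sh
# Added example: toggle "no external access" by saving, deleting and later
# restoring the IPv4 default route(s). Run as root: offline.sh off | on
# Assumptions: iproute2 is installed, routes are single-path, and the state
# file path and function names are illustrative. IPv6 routes are not touched.
STATE="${STATE:-/run/default-routes.saved}"   # root-only dir, not /tmp

# Convert saved `ip route show default` lines into arguments for `ip route add`,
# dropping status flags (linkdown, dead) that `ip route add` rejects.
route_args() {
    while read -r line; do
        [ -z "$line" ] && continue
        out=""
        for tok in $line; do
            case "$tok" in
                linkdown|dead) ;;
                *) out="$out${out:+ }$tok" ;;
            esac
        done
        printf '%s\n' "$out"
    done
}

go_offline() {
    routes=$(ip -4 route show default) || return 1
    [ -n "$routes" ] || { echo "no default route to remove" >&2; return 1; }
    printf '%s\n' "$routes" > "$STATE"      # save before deleting
    while ip -4 route del default 2>/dev/null; do :; done
}

go_online() {
    [ -s "$STATE" ] || { echo "nothing saved in $STATE" >&2; return 1; }
    route_args < "$STATE" | while read -r args; do
        ip -4 route add $args || exit 1     # word-splitting is intended
    done && rm -f "$STATE"
}

case "${1:-}" in
    off) go_offline ;;
    on)  go_online ;;
esac
```

If NetworkManager has already re-added the default route, the restore step fails with "File exists" and the state file is kept.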


You wrote

So, how do I simulate "no external access" in my development machine?

How do I "deactivate" my ethernet interface and reactivate later with no hassle?

Are these two questions or one question? I'm not sure what you mean by simulate "no external access". However, to deactivate the ethernet interface you could simply do

# ifdown eth0
# ifup eth0

or whatever your internet device is. This will bring your ethernet interface down and up, respectively.


You could run your code in a virtual machine (User Mode Linux, VServer, OpenVZ, VirtualBox, VMWare, KVM, …) that you provide with only a host-only network interface (i.e. no routing from the VM to anywhere but the host machine).

If you run the application as a dedicated user appuser, you can restrict that user's network access. Make sure you have iptables (Ubuntu: iptables) and iproute2 (ip command) (Ubuntu: iproute, iproute-doc) installed. Then you can use iptables to mark outgoing traffic from processes running as appuser, and ip rule and ip route to set up an alternate routing table for that user.

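# Look up packets carrying mark 1 in routing table 1
ip rule add fwmark 1 table 1
# In table 1, route everything to loopback (a /0 route needs the prefix 0.0.0.0)
ip route add 0.0.0.0/0 table 1 dev lo
# Mark outgoing packets from processes running as appuser
iptables -t mangle -A OUTPUT -m owner --uid-owner appuser -j MARK --set-mark 1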

(Note: untested. See also more Linux IP packet mangling examples.)