3

Is it possible to block the internet access of a process and then later unblock it while the process is still running?

  • Is it possible to upvote a question twice? Why does it have such a low position in Google output? It should be first for Google searches like "linux disable network for process". – quant2016 Oct 28 '22 at 12:53

3 Answers

3

The answer is "it depends".

  1. Does the application access a known set of remote services or use a specific (unique) set of ports? In either case, you can create rules that block only access to those remote addresses or ports.

  2. If you start the process in its own network namespace (perhaps with masqueraded access to the outside world), it's very easy to create application-specific rules, because (a) you can create netfilter rules that are local to the namespace and (b) you can create global netfilter rules that refer to the application namespace by ip or device. The most common way of running a process inside its own network namespace is by using a container runtime like Docker or Podman, but you can also do this manually using unshare or ip, both of which are probably already available on your Linux system. Trying to set things up manually can be tricky.

  3. If the application is running under a specific user or group id, you may be able to use the iptables owner module to match using those criteria.

larsks
  • 34,737
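The second option above (a private network namespace with masqueraded uplink, toggled from the host by a netfilter rule on the namespace's veth) carried through as a script. This is an added example, not code from larsks's answer: the namespace name `appns`, the veth names `veth-appns0`/`veth-appns1`, the 10.200.0.0/30 link subnet and the `eth0` uplink are assumptions; it needs root, and `DRY_RUN=1` prints the privileged commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the answer above): run a program in its own network
# namespace with NAT to the outside world, then block and unblock its traffic
# from the host while it keeps running. Names and addresses are assumptions.
# Requires root; DRY_RUN=1 prints the commands instead of executing them.

NS=${NS:-appns}
VETH_HOST=${VETH_HOST:-veth-appns0}   # host end of the veth pair
VETH_NS=${VETH_NS:-veth-appns1}       # end moved into the namespace
HOST_IP=10.200.0.1
NS_IP=10.200.0.2
UPLINK=${UPLINK:-eth0}                # interface that reaches the internet

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One-time setup: namespace, veth pair, addresses, default route, forwarding, NAT.
netns_setup() {
    run ip netns add "$NS"
    run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    run ip link set "$VETH_NS" netns "$NS"
    run ip addr add "$HOST_IP/30" dev "$VETH_HOST"
    run ip link set "$VETH_HOST" up
    run ip -n "$NS" addr add "$NS_IP/30" dev "$VETH_NS"
    run ip -n "$NS" link set "$VETH_NS" up
    run ip -n "$NS" link set lo up
    run ip -n "$NS" route add default via "$HOST_IP"
    run sysctl -q net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$NS_IP/30" -o "$UPLINK" -j MASQUERADE
}

# Start the application inside the namespace; it stays there for its lifetime.
netns_start() {
    run ip netns exec "$NS" "$@"
}

# Block: reject everything the host would forward from the namespace's veth.
# The process keeps running; new connections fail at once with ICMP unreachable,
# and established connections can no longer send or receive data.
netns_block() {
    run iptables -I FORWARD -i "$VETH_HOST" -j REJECT
}

# Unblock: delete the same rule and traffic flows again.
netns_unblock() {
    run iptables -D FORWARD -i "$VETH_HOST" -j REJECT
}

netns_teardown() {
    run iptables -t nat -D POSTROUTING -s "$NS_IP/30" -o "$UPLINK" -j MASQUERADE
    run ip netns del "$NS"   # deleting the namespace also removes the veth pair
}

case "${1:-}" in
    setup)    netns_setup ;;
    start)    shift; netns_start "$@" ;;
    block)    netns_block ;;
    unblock)  netns_unblock ;;
    teardown) netns_teardown ;;
esac
```

Usage: `./netns-app.sh setup`, then `./netns-app.sh start firefox`, and `./netns-app.sh block` / `./netns-app.sh unblock` at any point while Firefox runs. The rule matches on the veth, so it is independent of the application's PIDs and needs no cgroup bookkeeping; if your FORWARD chain has a DROP policy, you also need an ACCEPT rule for `-i veth-appns0` and for the return traffic, and anything the process talks to on the host itself goes through INPUT, not FORWARD.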
1

You can do that using cgroup2 and iptables. Let's say you want to block all network access (including loopback) of the firefox process.

    CGROUP_MOUNT_POINT=/sys/fs/cgroup

    # create cgroup
    mkdir $CGROUP_MOUNT_POINT/disable-network

    # add iptables rule to disable network access from cgroup
    iptables -A OUTPUT -m cgroup --path disable-network/ -j REJECT

    # add firefox processes to created cgroup
    for pid in $(pidof firefox); do echo $pid > $CGROUP_MOUNT_POINT/disable-network/cgroup.procs; done

    # remove firefox processes from cgroup, moving them to root cgroup
    for pid in $(pidof firefox); do echo $pid > $CGROUP_MOUNT_POINT/cgroup.procs; done

But this has some pitfalls. It's difficult to manage cgroups manually, and existing sockets won't be associated with the new cgroup. You may prefer to manage cgroups with systemd, using slices and systemd-run, and persistent iptables rules.

don_aman
  • 1,373
  • This seems to work, thanks. Is it possible to also forcibly close the existing sockets that the processes blocked using this method have open? – Elizabeth Jones Jul 20 '22 at 03:45
  • that could be done using lsof and ss -K, but seems a bit complex – don_aman Jul 20 '22 at 03:55
  • Interestingly, on one of my machines, the method in this answer worked, but on another one of my machines I had to create the cgroup in /sys/fs/cgroup/net_cls/disable-network instead and identify the cgroup by ID as described here. I don't fully understand why the method in this answer works on one machine and the one in that answer works on another. – Elizabeth Jones Jul 20 '22 at 19:01
  • no mystery, the linked answer uses cgroups version 1, my answer uses cgroups version 2; of course the latter is more recent and they are mutually exclusive – don_aman Jul 20 '22 at 19:19
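The procedure from this answer, plus the cgroup v1/v2 distinction raised in the comments, as functions. This is an added example, not don_aman's script: it detects which hierarchy is mounted at `$CGROUP_MOUNT_POINT` (the unified v2 root carries a `cgroup.controllers` file; a v1 `net_cls` controller is a `net_cls` subdirectory) and uses the v2 `--path` match or the v1 `--cgroup <classid>` match accordingly. The cgroup name `disable-network` and the classid `0x00100001` are assumptions; it needs root, and `DRY_RUN=1` prints the privileged commands instead of running them. Like the original, it does not close sockets the process already had open.

```shell
#!/bin/sh
# Added example, not the answer's own code. Wraps the cgroup procedure above and
# picks the cgroup v2 "--path" match or the cgroup v1 net_cls "--cgroup" match
# depending on what is mounted. Names and the classid are assumptions.
# Requires root; DRY_RUN=1 prints the privileged commands instead of running them.

CGROUP_MOUNT_POINT=${CGROUP_MOUNT_POINT:-/sys/fs/cgroup}
CG=disable-network
CLASSID=0x00100001   # v1 only: net_cls classid stamped on the cgroup

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Which hierarchy is mounted at $1: "2" (unified, has cgroup.controllers at its
# root), "1" (a v1 net_cls controller is present), "" (nothing usable).
cgroup_version() {
    if [ -f "$1/cgroup.controllers" ]; then echo 2
    elif [ -d "$1/net_cls" ]; then echo 1
    else echo ""; fi
}

# Directory of the blocking cgroup, and of the root cgroup to move pids back to.
block_dir() {
    case "$(cgroup_version "$CGROUP_MOUNT_POINT")" in
        2) echo "$CGROUP_MOUNT_POINT/$CG" ;;
        1) echo "$CGROUP_MOUNT_POINT/net_cls/$CG" ;;
    esac
}
root_dir() {
    case "$(cgroup_version "$CGROUP_MOUNT_POINT")" in
        2) echo "$CGROUP_MOUNT_POINT" ;;
        1) echo "$CGROUP_MOUNT_POINT/net_cls" ;;
    esac
}

# One-time: create the cgroup and the REJECT rule that matches it.
block_setup() {
    case "$(cgroup_version "$CGROUP_MOUNT_POINT")" in
        2)
            run mkdir -p "$CGROUP_MOUNT_POINT/$CG"
            run iptables -A OUTPUT -m cgroup --path "$CG" -j REJECT ;;
        1)
            run mkdir -p "$CGROUP_MOUNT_POINT/net_cls/$CG"
            # v1 matches on the classid, not on the cgroup path
            run sh -c "echo $CLASSID > '$CGROUP_MOUNT_POINT/net_cls/$CG/net_cls.classid'"
            run iptables -A OUTPUT -m cgroup --cgroup "$CLASSID" -j REJECT ;;
        *)
            echo "no usable cgroup hierarchy at $CGROUP_MOUNT_POINT" >&2
            return 1 ;;
    esac
}

# Move every pid of program $1 into cgroup directory $2 (writing to cgroup.procs
# moves the whole process, including all its threads).
move_pids() {
    name=$1; dir=$2
    for pid in $(pidof "$name"); do
        run sh -c "echo $pid > '$dir/cgroup.procs'"
    done
}

block()   { move_pids "$1" "$(block_dir)"; }   # e.g. block firefox
unblock() { move_pids "$1" "$(root_dir)"; }    # e.g. unblock firefox

case "${1:-}" in
    setup)   block_setup ;;
    block)   block "$2" ;;
    unblock) unblock "$2" ;;
esac
```

Usage: `./cgroup-block.sh setup` once, then `./cgroup-block.sh block firefox` and `./cgroup-block.sh unblock firefox` while it runs. Check `cgroup_version` first on a new machine: if it prints 1 you are on the hybrid/legacy layout the comments describe, and the v2 `--path` rule would never match. Children that Firefox forks after being blocked inherit its cgroup, so they are blocked too; processes you later unblock keep whatever connections failed in the meantime.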
0

Not per-process, but you can shut down the network on your machine and bring it back any time you want. But that would be for all applications running.

For example, you can stop and start a network card eth0 (which is the default name for a wired network):

    # ifconfig eth0 down
    # ifconfig eth0 up

or all network interfaces simultaneously:

    # /etc/init.d/network stop
    # /etc/init.d/network start

or, depending on the OS, that can be:

    # service network stop
    # service network start

Of course, such commands require root access, so either switch to it, or use sudo.

White Owl
  • 5,129