prevent program from accessing internet
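#!/usr/bin/env bash
#
# Run a command with its outbound network traffic blocked.
#
# Usage: <this script> <command> [arguments]
#
# The command is started (via sg) under a dedicated group, and OUTPUT
# firewall rules log and DROP every packet owned by that group.  The rules
# are deliberately not made persistent: other software may add rules that
# re-expose the program, so they are re-applied on every run.
#
# Needs sudo rights for groupadd/usermod/iptables.  Because this script may
# itself be run under sudo, it refuses to run if it (or its directory) is a
# symlink or is writable by a non-root owner/group or by others.
set -u -o pipefail

GRP=no-internet ## change to your taste

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Refuse to run if this script could be modified by a non-root user.
# Globals:   none
# Arguments: none (inspects $0)
# Returns:   0 if the script is safe to run; exits 1 otherwise
#######################################
check_self() {
  local script=$0
  local info mode owner group
  # GNU stat (this is Linux-only anyway because of iptables):
  # %A = symbolic mode such as -rwxr-xr-x, %U/%G = owner and group names.
  info=$(stat -c '%A %U %G' -- "$script") || die "cannot stat $script"
  read -r mode owner group <<<"$info"
  local err="no symlinks and only root should be able to modify: $mode $owner $group $script"
  [[ -L "$script" || -L "${script%/*}" ]] && die "$err"
  # Indices 2/5/8 of the mode string are the owner/group/other write bits.
  [[ "${mode:2:1}" != "-" && "$owner" != "root" ]] && die "$err"
  [[ "${mode:5:1}" != "-" && "$group" != "root" ]] && die "$err"
  [[ "${mode:8:1}" != "-" ]] && die "$err"
  return 0
}

#######################################
# Create the sandbox group if missing and add the current user to it.
# Globals:   GRP (read)
# Arguments: none
# Returns:   0 on success; exits 1 if groupadd/usermod fail
#######################################
ensure_group() {
  local usr groups
  usr=$(id -un)
  getent group "$GRP" >/dev/null || sudo groupadd "$GRP" || die "groupadd $GRP failed"
  # Exact-name membership check; a plain substring grep on `id` output would
  # also match e.g. "no-internet2".
  groups=" $(id -nG "$usr") "
  [[ "$groups" == *" $GRP "* ]] || sudo usermod -aG "$GRP" "$usr" || die "usermod failed"
}

#######################################
# Install LOG + DROP rules for the sandbox group in one firewall's OUTPUT chain.
# Globals:   GRP (read)
# Arguments: $1 - firewall binary (iptables or ip6tables)
# Returns:   0 on success; exits 1 on the first failing command
#######################################
apply_rules() {
  local ipt=$1
  # Flush first: rules left by other tools (or by an earlier run) could match
  # before ours and re-expose the program.  NOTE: this drops *every* rule in
  # the OUTPUT chain, not just ours.
  printf 'Flushing other %s OUTPUT rules that might interfere\n' "$ipt"
  sudo "$ipt" -F OUTPUT || die "$ipt -F OUTPUT failed"
  printf 'Enabling %s rules for group %s\n' "$ipt" "$GRP"
  sudo "$ipt" -A OUTPUT -m owner --gid-owner "$GRP" \
    -j LOG --log-prefix 'PACKET DROPPED: ' --log-level 0 || die "$ipt LOG rule failed"
  sudo "$ipt" -A OUTPUT -m owner --gid-owner "$GRP" -j DROP || die "$ipt DROP rule failed"
}

#######################################
# Probe from inside the sandbox group and refuse to continue if it reaches
# the internet.
# Globals:   GRP (read)
# Arguments: none
# Returns:   0 if the probe was blocked; exits 1 if it succeeded
#######################################
verify_blocked() {
  # Same group as the rules (the probe must not use a hard-coded name).
  # -w bounds the wait in case the kernel does not fail connect() right away;
  # it is accepted by the common nc variants but verify on your system.
  if sg "$GRP" "nc -z -w 3 google.com 80" 2>/dev/null; then
    printf '\n### test failed (internet is up) exiting ###\n\n' >&2
    exit 1
  fi
  printf '\n### test succeeded (internet is down) ###\n\n'
}

main() {
  check_self
  if (( $# < 1 )); then
    printf 'usage: %s <command> [arguments]\n' "$0" >&2
    exit 1
  fi
  ensure_group
  apply_rules iptables
  # Without matching IPv6 rules a program could still reach the internet over
  # IPv6, so mirror the rules there when ip6tables is available.
  if command -v ip6tables >/dev/null; then
    apply_rules ip6tables
  else
    printf 'warning: ip6tables not found; IPv6 traffic is not blocked\n' >&2
  fi
  verify_blocked
  # sg hands the string to a shell, so re-quote each argument instead of
  # joining them with "$*" (which would break arguments containing spaces).
  # printf %q emits bash quoting; arguments with non-printable characters may
  # not round-trip if the login shell sg uses is not bash.
  local cmd
  cmd=$(printf '%q ' "$@")
  exec sg "$GRP" "$cmd"
}

main "$@"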