Is it possible to block the internet access of a process and then later unblock it while the process is still running?
3 Answers
The answer is "it depends".
Does the application access a known set of remote services or use a specific (unique) set of ports? In either case, you can create rules that block only access to those remote addresses or ports.
If you start the process in its own network namespace (perhaps with masqueraded access to the outside world), it's very easy to create application-specific rules, because (a) you can create netfilter rules that are local to the namespace and (b) you can create global netfilter rules that refer to the application namespace by ip or device. The most common way of running a process inside its own network namespace is by using a container runtime like Docker or Podman, but you can also do this manually using unshare or ip, both of which are probably already available on your Linux system. Trying to set things up manually can be tricky.
If the application is running under a specific user or group id, you may be able to use the iptables owner module to match using those criteria.
You can do that using cgroup2 and iptables. Let's say you want to block all network access (including loopback) to the firefox process.
# CGROUP_MOUNT_POINT=/sys/fs/cgroup
create cgroup
# mkdir $CGROUP_MOUNT_POINT/disable-network
add iptables rule to disable network access from cgroup
# iptables -A OUTPUT -m cgroup --path disable-network/ -j REJECT
add firefox processes to created cgroup
# for pid in $(pidof firefox); do echo $pid > $CGROUP_MOUNT_POINT/disable-network/cgroup.procs; done
remove firefox processes from cgroup, moving them to root cgroup
# for pid in $(pidof firefox); do echo $pid > $CGROUP_MOUNT_POINT/cgroup.procs; done
But this has some pitfalls. It's difficult to manage cgroups manually, and existing sockets won't be associated with the new cgroup. You may prefer to manage cgroups with systemd, using slices and systemd-run, and persistent iptables rules.
- This seems to work, thanks. Is it possible to also forcibly close the existing sockets that the processes blocked using this method have open? – Elizabeth Jones, Jul 20, 2022 at 3:45
- That could be done using lsof and ss -K, but seems a bit complex. – don_aman, Jul 20, 2022 at 3:55
- Interestingly, on one of my machines, the method in this answer worked, but on another one of my machines I had to create the cgroup in /sys/fs/cgroup/net_cls/disable-network instead and identify the cgroup by ID as described here. I don't fully understand why the method in this answer works on one machine and the one in that answer works on another. – Elizabeth Jones, Jul 20, 2022 at 19:01
- No mystery, the linked answer uses cgroups version 1, my answer uses cgroups version 2; of course the latter is more recent and they are mutually exclusive. – don_aman, Jul 20, 2022 at 19:19
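The cgroup v2 procedure from the answer above, written as one script with the checks the raw commands skip (cgroup v2 actually mounted, rule not duplicated on repeated runs, IPv6 covered too). This is an added example, not code from any of the posters; it assumes cgroup v2 is mounted at CGROUP_ROOT, that iptables has the cgroup match, and that it is run as root.

```shell
#!/bin/sh
# Added example: block/unblock network access for every process of a given
# name via a cgroup v2 and an iptables cgroup match. Assumptions: cgroup v2
# mounted at CGROUP_ROOT, iptables built with the cgroup match, run as root.
set -eu
CGROUP_ROOT=${CGROUP_ROOT:-/sys/fs/cgroup}
CGROUP_NAME=${CGROUP_NAME:-disable-network}

# Read a /proc/<pid>/cgroup listing on stdin and print the cgroup v2 path.
# v2 entries look like "0::/disable-network"; v1 ones are "N:controller:/path".
cgroup_v2_path() {
    awk -F: '$1 == "0" && $2 == "" { print $3; exit }'
}

# Succeed if the listing on stdin places the process in the blocking cgroup.
is_blocked() {
    [ "$(cgroup_v2_path)" = "/$CGROUP_NAME" ]
}

# Install the REJECT rule once for v4 and v6 (-C tests for an existing rule).
ensure_rules() {
    for ipt in iptables ip6tables; do
        command -v "$ipt" >/dev/null 2>&1 || continue
        "$ipt" -C OUTPUT -m cgroup --path "$CGROUP_NAME" -j REJECT 2>/dev/null ||
            "$ipt" -A OUTPUT -m cgroup --path "$CGROUP_NAME" -j REJECT
    done
}

# Move every pid of program $1 into the cgroup directory $2.
move_program() {
    pids=$(pidof "$1") || { echo "no running process named $1" >&2; return 1; }
    for pid in $pids; do echo "$pid" > "$2/cgroup.procs"; done
}

block() {
    grep -q " $CGROUP_ROOT cgroup2 " /proc/mounts ||
        { echo "cgroup v2 is not mounted at $CGROUP_ROOT" >&2; return 1; }
    mkdir -p "$CGROUP_ROOT/$CGROUP_NAME"
    ensure_rules
    move_program "$1" "$CGROUP_ROOT/$CGROUP_NAME"
    # Caveat from the answer: sockets opened before the move keep their old
    # cgroup and are not matched until the program closes or reopens them.
}

unblock() {   # moving the pids back to the root cgroup lifts the block
    move_program "$1" "$CGROUP_ROOT"
}

case "${1:-}" in
    block|unblock) "$1" "$2" ;;
esac
```

Run as `./netblock.sh block firefox` and later `./netblock.sh unblock firefox`; `is_blocked < /proc/<pid>/cgroup` tells you whether a given pid is currently in the blocking cgroup.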
Not per-process, but you can shut down the network on your machine and bring it back any time you want. But that would be for all applications running.
For example, you can stop and start a network card eth0 (which is a default name for a wired network):
# ifconfig eth0 down
# ifconfig eth0 up
or all network interfaces simultaneously:
# /etc/init.d/network stop
# /etc/init.d/network start
or, depending on the OS, that can be
# service network stop
# service network start
Of course, such commands require root access, so either switch to root or use sudo.