Run a particular program but prevent it from accessing the Internet

Source: http://ubuntuforums.org/showthread.php?t=1188099

Rational:
Some programs like to access the Internet on their own. For example, many Windows programs I run in wine "call home", and Rhythmbox accesses Amazon each time I play a new MP3 in order to try and download cover art. For privacy purposes, you may want to run a program but ensure it *cannot* access the Internet.

Howto: (6 steps)

Step 1. Create a group called "no-internet" and add your user as a member of this new group.
(System->Administration->Users and Groups)

Step 2. Create a script (somewhere in your PATH) called "ni" (stands for No Internet) as follows:

sudo nano /usr/bin/ni

with this contents:

#!/bin/bash 
sg no-internet "$1"

And make it executable:

sudo chmod +x /usr/bin/ni

Step 3. Create a script called iptables_no-internet_rule as follows:

sudo nano /etc/network/if-pre-up.d/iptables_no-internet_rule

with this contents:

#!/bin/bash
iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP

And make it executable:

sudo chmod +x /etc/network/if-pre-up.d/iptables_no-internet_rule

Step 4. Logout and then log back in again to make the group permissions take effect.

Step 5. Enable the new firewall settings you made above in step 3 by running the following command:

sudo /etc/network/if-pre-up.d/iptables_no-internet_rule

Step 6. Finished. You can now run any program without allowing that program to access the network by using this command:

ni "program_name"

Examples:

- Note: the quotes around the program name are only there to allow you to enter commands needing parameters.

ni "ping www.google.com"
ni "wine install.exe"
ni firefox

will all run but fail to access the Internet because ping, wine, and firefox are run using the ni script as the group no-internet, which has been bared from outputting anything to other networks. Note: if you are just running a single word command like firefox you don't need the quotes. Also note, for testing, make sure firefox isn't already running because then it will already have Internet access. Close it first and then run it preceeded by ni.

Options

The above will actually prevent all outgoing network access by the programs run with ni; however, sometimes this may not be what you want. For example, certain local network access for games in wine might be acceptable. If you want to allow only local network access but still keep the Internet in general blocked, you can change the iptables config line in the file mentioned in Step 3 to the following:

iptables -A OUTPUT -m owner --gid-owner no-internet -d ! 192.168.0.0/24 -j DROP

change the 192.168.0.0 to match your local network as required.

Revert all changes

The above changes will persist even after system reboot so you can always run any program with the "ni" script to prevent it from getting out on the network. However, if you no longer want to have this feature enabled, you can uninstall the above by simply removing the two files created like this:

sudo rm /usr/bin/ni
sudo rm /etc/network/if-pre-up.d/iptables_no-internet_rule

and then remove the group "no-internet" from (System->Administration->Users and Groups).

I hope this helps others.