This is a quick post describing how to prevent an application from accessing the internet on Linux. There are multiple ways to achieve it. Most of the guides on the internet ask you to create a dedicated no-internet user group and then use iptables to DROP all packets for apps run by the no-internet user group.
However, in this post let’s look at a more convenient and better way to achieve the same result: a sandbox environment for the application you’d like to prevent from accessing the internet. Let’s say we have an AppImage that we do not want to talk to the internet. We can use firejail to run it in a sandboxed environment:

    firejail --net=none --appimage --noprofile ./app.AppImage

- --net=none tells it to not provide any network interfaces to the application: the sandbox runs in a new, unconnected network namespace where only a loopback interface exists.
- --appimage tells it to sandbox an AppImage file.
- --noprofile tells it to avoid using any security profiles. There are several existing profile files which can be used for standard known applications. However, in this post let’s skip the profiles.
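
To confirm that the sandbox really has no network, the following check (an added example, not part of the original post) reads /proc/net/dev from inside firejail and succeeds only if loopback is the sole interface. The function names and the two sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a firejail --net=none sandbox sees only "lo".

# non_loopback_ifaces: read /proc/net/dev-formatted text on stdin and print
# every interface name other than "lo", one per line.
non_loopback_ifaces() {
    # Lines 1-2 are column headers; the rest start with "<iface>:".
    awk -F: 'NR > 2 { gsub(/[ \t]/, "", $1)
                      if ($1 != "" && $1 != "lo") print $1 }'
}

# is_isolated: exit 0 only if stdin lists "lo" and nothing else.
# Empty input fails, so a sandbox that never started is not reported as safe.
is_isolated() {
    awk -F: 'NR > 2 { gsub(/[ \t]/, "", $1)
                      if ($1 == "lo") lo = 1
                      else if ($1 != "") other = 1 }
             END    { exit (lo && !other) ? 0 : 1 }'
}

# check_sandbox: run the check with the same isolation flags as the post.
# --quiet only suppresses firejail's own startup messages.
check_sandbox() {
    firejail --quiet --net=none --noprofile cat /proc/net/dev | is_isolated
}

# Constructed sample: what a process sees inside the sandbox.
SAMPLE_SANDBOX='Inter-|   Receive         |  Transmit
 face |bytes    packets   |bytes    packets
    lo:       0       0          0       0'

# Constructed sample: what a process sees on an ordinary host.
SAMPLE_HOST='Inter-|   Receive         |  Transmit
 face |bytes    packets   |bytes    packets
    lo:    1234      12       1234      12
  eth0:  987654     321      45678     210'

# Run the live check only when asked to: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    if check_sandbox; then
        echo "sandbox: loopback only"
    else
        echo "sandbox: not isolated (or firejail failed to start)"
        exit 1
    fi
fi
```
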
