Simple shell script to temporarily deny internet access (while keeping local-network and loopback access) to a given command
#!/usr/bin/env bash
# This is free and unencumbered software released into the public domain.
# Based on:
# https://serverfault.com/questions/550276/how-to-block-internet-access-to-certain-programs-on-linux
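# Tunables. Each can be overridden from the environment, e.g.
#   IPv4_NETWORK=10.0.0.0/24 ./no-internet exec curl example.com
# and is then frozen so nothing below can change the policy by accident.
#
# Group whose members (entered via sg in main) get the egress restriction.
GROUP_NAME="${GROUP_NAME:-no-internet}"
# The one IPv4 range that stays reachable besides 127.0.0.0/8. It must match
# the host's real subnet, otherwise the sandboxed command loses LAN access too;
# every other IPv4 destination is dropped for the group.
IPv4_NETWORK="${IPv4_NETWORK:-192.168.100.0/24}"
# Only IPv6 loopback stays reachable. There is no IPv6 counterpart to
# IPv4_NETWORK, so link-local / ULA IPv6 traffic is dropped as well.
IPv6_LOOPBACK="${IPv6_LOOPBACK:-::1/128}"
readonly GROUP_NAME IPv4_NETWORK IPv6_LOOPBACK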
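# Abort unless the sandbox group exists. Only existence is checked: if the
# invoking user is not a member, sg in main will most likely refuse (or ask
# for a group password), so group-setup must have been run for this user.
# Globals: GROUP_NAME (read).
# Exits 1 with a diagnostic on stderr (not stdout, so it cannot be mistaken
# for command output) when the group is missing.
check_group() {
  if ! getent group "$GROUP_NAME" >/dev/null 2>&1; then
    printf "Group '%s' does not exist. Please run: sudo %s group-setup\n" \
      "$GROUP_NAME" "$0" >&2
    exit 1
  fi
}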
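# Create the sandbox group (if needed) and add the *invoking* user to it.
# check_group tells people to run this via sudo, and sudo normally rewrites
# $USER to the target user ("root"); the original `usermod ... $USER` would
# therefore add root instead of the real account. The real account is taken
# from $SUDO_USER first, then $USER, then `id -un`.
# groupadd is skipped when the group already exists so the command is
# idempotent. Membership is read by sg at run time, so main's exec path does
# not need a re-login. Globals: GROUP_NAME (read).
# Returns non-zero if groupadd or usermod fails.
group_setup() {
  local target_user="${SUDO_USER:-${USER:-$(id -un)}}"
  if getent group "$GROUP_NAME" >/dev/null 2>&1; then
    printf "Group '%s' already exists, skipping groupadd.\n" "$GROUP_NAME"
  else
    sudo groupadd "$GROUP_NAME" || return 1
  fi
  sudo usermod -aG "$GROUP_NAME" "$target_user" || return 1
  printf "Added '%s' to group '%s'.\n" "$target_user" "$GROUP_NAME"
}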
# -----------------------------------------------------------------------------
# IPv4
# -----------------------------------------------------------------------------
# Succeed (0) only when all three IPv4 rules for the group are present in
# OUTPUT; stop at the first missing one and return its iptables status.
# iptables' stderr is silenced because "no such rule" is the expected "no"
# answer here, not an error. Globals: GROUP_NAME, IPv4_NETWORK (read).
check_iptables_rules() {
  local owner=(-m owner --gid-owner "$GROUP_NAME")
  sudo iptables -C OUTPUT "${owner[@]}" -d "$IPv4_NETWORK" -j ACCEPT 2>/dev/null || return
  sudo iptables -C OUTPUT "${owner[@]}" -d 127.0.0.0/8 -j ACCEPT 2>/dev/null || return
  sudo iptables -C OUTPUT "${owner[@]}" -j DROP 2>/dev/null
}
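# Install the IPv4 egress policy for the group: IPv4_NETWORK and loopback
# allowed, everything else dropped.
# Rules are inserted at the head of OUTPUT (-I OUTPUT 1) instead of appended:
# with -A, any ACCEPT rule already present earlier in OUTPUT would match first
# and silently defeat the DROP. The inserts run in reverse so the final order
# is ACCEPT(LAN), ACCEPT(loopback), DROP, and the DROP lands first so an
# interruption midway leaves the group more restricted, never less.
# Caveat: this also places the two narrow ACCEPTs ahead of any pre-existing
# DROP the host had for LAN/loopback destinations; review if that matters.
# check_/remove_ match rules by content, so position does not affect them.
# Globals: GROUP_NAME, IPv4_NETWORK (read).
# Returns non-zero as soon as one insert fails, so the caller can treat the
# policy as not in place.
apply_iptables_rules() {
  local owner=(-m owner --gid-owner "$GROUP_NAME")
  echo "Applying iptables rules..."
  sudo iptables -I OUTPUT 1 "${owner[@]}" -j DROP || return 1
  sudo iptables -I OUTPUT 1 "${owner[@]}" -d 127.0.0.0/8 -j ACCEPT || return 1
  sudo iptables -I OUTPUT 1 "${owner[@]}" -d "$IPv4_NETWORK" -j ACCEPT || return 1
}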
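# Remove every copy of the group's IPv4 rules from OUTPUT.
# iptables -D deletes one matching rule per call, so each rule is deleted
# repeatedly until -D reports nothing left; that also clears duplicates left
# behind by a repeated or interrupted apply, which a single -D would miss.
# stderr is silenced because "no such rule" is the normal loop terminator,
# and a per-rule cap keeps a misbehaving iptables/sudo from looping forever.
# Best-effort cleanup: always returns 0.
# Globals: GROUP_NAME, IPv4_NETWORK (read).
remove_iptables_rules() {
  local owner=(-m owner --gid-owner "$GROUP_NAME")
  local -r max_tries=64
  local n
  echo "Removing iptables rules..."
  n=0
  while sudo iptables -D OUTPUT "${owner[@]}" -d "$IPv4_NETWORK" -j ACCEPT 2>/dev/null \
    && (( ++n < max_tries )); do :; done
  n=0
  while sudo iptables -D OUTPUT "${owner[@]}" -d 127.0.0.0/8 -j ACCEPT 2>/dev/null \
    && (( ++n < max_tries )); do :; done
  n=0
  while sudo iptables -D OUTPUT "${owner[@]}" -j DROP 2>/dev/null \
    && (( ++n < max_tries )); do :; done
  return 0
}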
# -----------------------------------------------------------------------------
# IPv6
# -----------------------------------------------------------------------------
# Succeed (0) only when both IPv6 rules for the group are present in OUTPUT;
# stop at the first missing one and return its ip6tables status.
# ip6tables' stderr is silenced because "no such rule" is the expected "no"
# answer here. Globals: GROUP_NAME, IPv6_LOOPBACK (read).
check_ip6tables_rules() {
  local owner=(-m owner --gid-owner "$GROUP_NAME")
  sudo ip6tables -C OUTPUT "${owner[@]}" -d "$IPv6_LOOPBACK" -j ACCEPT 2>/dev/null || return
  sudo ip6tables -C OUTPUT "${owner[@]}" -j DROP 2>/dev/null
}
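# Install the IPv6 egress policy for the group: loopback allowed, everything
# else dropped.
# Rules are inserted at the head of OUTPUT (-I OUTPUT 1) instead of appended,
# so an ACCEPT already present earlier in OUTPUT cannot match first and
# silently defeat the DROP. The DROP is inserted first so the final order is
# ACCEPT(loopback), DROP, and an interruption midway only leaves the group
# more restricted. check_/remove_ match by content, so position does not
# affect them. Globals: GROUP_NAME, IPv6_LOOPBACK (read).
# Returns non-zero as soon as one insert fails.
apply_ip6tables_rules() {
  local owner=(-m owner --gid-owner "$GROUP_NAME")
  echo "Applying ip6tables rules..."
  sudo ip6tables -I OUTPUT 1 "${owner[@]}" -j DROP || return 1
  sudo ip6tables -I OUTPUT 1 "${owner[@]}" -d "$IPv6_LOOPBACK" -j ACCEPT || return 1
}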
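# Remove every copy of the group's IPv6 rules from OUTPUT.
# ip6tables -D deletes one matching rule per call, so each rule is deleted
# repeatedly until -D reports nothing left, clearing duplicates left behind
# by a repeated or interrupted apply. stderr is silenced because "no such
# rule" is the normal loop terminator; a per-rule cap bounds the loop.
# Best-effort cleanup: always returns 0.
# Globals: GROUP_NAME, IPv6_LOOPBACK (read).
remove_ip6tables_rules() {
  local owner=(-m owner --gid-owner "$GROUP_NAME")
  local -r max_tries=64
  local n
  echo "Removing ip6tables rules..."
  n=0
  while sudo ip6tables -D OUTPUT "${owner[@]}" -d "$IPv6_LOOPBACK" -j ACCEPT 2>/dev/null \
    && (( ++n < max_tries )); do :; done
  n=0
  while sudo ip6tables -D OUTPUT "${owner[@]}" -j DROP 2>/dev/null \
    && (( ++n < max_tries )); do :; done
  return 0
}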
# -----------------------------------------------------------------------------
# General
# -----------------------------------------------------------------------------
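# Ensure both the IPv4 and the IPv6 policy are in place, installing whichever
# is missing. Stops at the first failure and returns non-zero so the caller
# can refuse to run the command (fail closed) rather than run it with full
# internet access. Previously the function's status was that of the IPv6
# step alone, so a failed IPv4 install was masked by a successful IPv6 one.
apply_rules() {
  { check_iptables_rules || apply_iptables_rules; } || return 1
  { check_ip6tables_rules || apply_ip6tables_rules; } || return 1
}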
# Tear down the group's rules for both address families, IPv4 first.
# The status returned is that of the IPv6 removal (the last step).
remove_rules() {
  local family
  for family in iptables ip6tables; do
    "remove_${family}_rules"
  done
}
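# Entry point. Subcommands:
#   group-setup  create GROUP_NAME and add the invoking user to it (uses sudo)
#   exec CMD...  install the egress rules, run CMD under the group via sg,
#                remove the rules, and exit with CMD's status; with no CMD an
#                interactive shell is started instead
#   drop-rules   remove the rules by hand (cleanup after a lost session)
# Anything else prints usage to stderr and exits 2.
#
# Scope of the protection: the iptables rules match the GID that owns the
# socket, so this is a policy for well-behaved programs, not a sandbox. A
# process that can change its group (setgid binary, CAP_SETGID) is not
# covered, and a proxy/tunnel reachable over loopback or IPv4_NETWORK still
# provides a path to the internet.
main() {
  case "${1:-}" in
    group-setup)
      group_setup
      ;;
    exec)
      check_group
      shift
      # Fail closed: if the policy could not be installed, do not run the
      # command at all, and undo whatever partial rule set was created.
      if ! apply_rules; then
        remove_rules
        printf 'Could not install firewall rules; refusing to run the command.\n' >&2
        exit 1
      fi
      # Clean up on every exit path (normal return, exit, or the script being
      # terminated by a signal while the child runs) so rules never linger.
      # Note: sudo may prompt again here if the command outlived the cached
      # sudo credentials.
      trap remove_rules EXIT
      local rc=0
      if (( $# == 0 )); then
        sg "$GROUP_NAME" || rc=$?
      else
        # sg takes a single command string and hands it to a shell; passing
        # "$@" straight through drops every word after the first. %q rebuilds
        # the argument list with shell quoting (assumes the login shell that
        # sg invokes understands bash-style quoting).
        sg "$GROUP_NAME" -c "$(printf '%q ' "$@")" || rc=$?
      fi
      exit "$rc"
      ;;
    drop-rules)
      check_group
      remove_rules
      ;;
    *)
      printf 'Usage: %s {group-setup|exec CMD...|drop-rules}\n' "$0" >&2
      exit 2
      ;;
  esac
}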
# Dispatch on the command-line arguments; see main for the subcommands.
main "$@"