Block internet on ubuntu
July 27, 2010 7:08 AM Subscribe
Is there a program like SelfControl for ubuntu?
SelfControl can stop internet connectivity for a specified period of time, and has whitelists or blacklists. I like SelfControl as it is not reset after you reboot your computer.
Well a quick look at SelfControl and it's a program that either modifies /etc/hosts or the ip packet filter via 'ipfw'. Not sure how OS X manages super-user stuff, but the simple blocking part on ubuntu would be easy:
sudo /bin/bash -c "iptables -A OUTPUT -d www.example.com -j DROP; echo 'iptables -D OUTPUT -d www.example.com -j DROP' | at 'now + 3 min'"
Which is probably how SelfControl does it minus the pretty interface. Add a DROP rule to the firewall, and add an 'at' job to delete the DROP rule after a specified time. The firewall rule should survive reboot (it's usually saved on shutdown and restored on boot), and the 'at' job should survive until it's executed. The whitelist or protocol based stuff just gets a bit more complicated, say making a sub-chain on the OUTPUT that drops all port 80 traffic and inserting an ALLOW rule for a particular site. You can read up on the IPTables and come up with something that suits your needs maybe.
posted by zengargoyle at 9:23 AM on July 27, 2010
Response by poster: I should have clarified that I don't want a browser specific blocker as it is really easy to install another browser using ubuntu.
zengargoyle, with your example is it possible to block all sites? Or do I need to specify the site. I've perused IPTables but I don't fully understand how they work.
Thank you both for your suggestions.
posted by a womble is an active kind of sloth at 3:37 PM on July 27, 2010
Best answer: Hi,
I'm the designer of SelfControl, and I'd love to see a Ubuntu version created as well!
From what I understand the core code is very similar. It's all available on github and if anyone wants to create a Ubuntu/Linux fork, I'll help however I can.
Originally I designed the app and found a coder (the talented Charlie Stigler) through rent-a-coder.com. It cost me $100. Whoever wanted to commission a Linux port would probably be pretty popular. If you do, let me know.
posted by SteveLambert at 4:57 PM on July 27, 2010
a womble is an active kind of sloth: I'm assuming by "block all sites" you mean web sites and not other network things like, say, POP/IMAP for email or chat clients, etc. If that's the case you could just use 'iptables -I OUTPUT -p tcp --dport 80 -j DROP' to drop http traffic, and you would probably want to add 'iptables -I OUTPUT -p tcp --dport 443 -j DROP' to cover https as well.
Do this:
Hit Alt-F2 and run the command 'gksu gnome-terminal'
gedit /usr/bin/SelfControl
Paste in and save/quit the following program.
#!/bin/bash
PORTS="80 443"
UNDO=
for p in $PORTS
do
    iptables -I OUTPUT -p tcp --dport $p -j DROP
    UNDO="$UNDO iptables -D OUTPUT -p tcp --dport $p -j DROP;"
done
echo $UNDO | at now + 1 min
Then make the program executable
chmod +x /usr/bin/SelfControl
Then you can add a Custom Application Launcher to the panel and have it run 'gksudo /usr/bin/SelfControl'
Change the time to something longer, and if it gets messed up for some reason you can run 'gksudo iptables -F' to delete the blocks by clearing all of the firewall rules. :) It is all about self control...
SteveLambert: I'm sure an Ubuntu version would be pretty cool, there was another request on the Ubuntu forums requesting a port of your program. I code all sorts of firewall/CISCO ACLs/networking stuff but never easy to use graphical UI stuff.
Whitelisting seems problematic with all the possibilities of javascript and images and the like coming from different domains, you might have to add a dozen sites just to view a single page. Even blacklisting could be problematic if sites use round-robin DNS for load balancing purposes. It would be more fun to set up a simple server on your machine that serves up a "Oh no you don't!" page and redirect all of your web attempts there as a nasty reminder. Or give you a countdown timer for when you'll be able to browse again.
posted by zengargoyle at 8:58 PM on July 27, 2010
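A dedicated-chain variant of the script above, added here as an example; it is not zengargoyle's script or SelfControl's code. It keeps the DROP rules in their own chain (the name SELFCONTROL is assumed) so the at job can undo the whole block with three commands instead of one -D per port, validates the port arguments, refuses to start a second block while one is running, and tests for the chain with -L, which the iptables 1.3.8 reported later in the thread understands where -S is not. DRY_RUN and MINUTES are this example's own variables.

```shell
#!/bin/sh
# Added example (not zengargoyle's script or SelfControl's code): a time-limited
# outbound port block that keeps its DROP rules in a dedicated chain, so undo is
# "unhook, flush, delete chain" instead of deleting each rule by hand.
#
#   DRY_RUN=1 sh selfcontrol-chain.sh 80 443   # print what would be run
#   sudo sh selfcontrol-chain.sh 80 443        # apply; at(1) removes it later
#
# CHAIN, MINUTES and DRY_RUN are this example's own knobs, not from the thread.

IPTABLES=${IPTABLES:-iptables}
CHAIN=${CHAIN:-SELFCONTROL}
MINUTES=${MINUTES:-60}

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A port is an integer in 1..65535; anything else is refused before it can
# reach iptables or the at job built below.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Test for the chain with -L rather than -S: -S is missing from the iptables
# 1.3.8 in telstar's "Unknown arg `-S'" report later in the thread.
chain_exists() {
    "$IPTABLES" -n -L "$CHAIN" >/dev/null 2>&1
}

# Create the chain, add one DROP per port, then hook it in front of OUTPUT.
block() {
    run "$IPTABLES" -N "$CHAIN" || return 1
    for p in "$@"; do
        run "$IPTABLES" -A "$CHAIN" -p tcp --dport "$p" -j DROP || return 1
    done
    run "$IPTABLES" -I OUTPUT 1 -j "$CHAIN"
}

# The single shell line that undoes everything: unhook, flush, delete.
undo_line() {
    printf '%s -D OUTPUT -j %s; %s -F %s; %s -X %s\n' \
        "$IPTABLES" "$CHAIN" "$IPTABLES" "$CHAIN" "$IPTABLES" "$CHAIN"
}

# Hand the undo line to at(1). at jobs are persisted by atd, so the block still
# expires on time if the machine is rebooted in the meantime.
schedule_undo() {
    if [ -n "$DRY_RUN" ]; then
        printf '[at now + %s minutes] %s\n' "$MINUTES" "$(undo_line)"
    else
        undo_line | at "now + $MINUTES minutes"
    fi
}

main() {
    [ "$#" -gt 0 ] || { echo "usage: $0 PORT [PORT...]" >&2; return 2; }
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 2; }
    done
    if [ -z "$DRY_RUN" ] && chain_exists; then
        echo "$CHAIN already exists: a block is already running" >&2
        return 1
    fi
    block "$@" && schedule_undo
}

# Only act when given arguments, so the file can also be sourced for its functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it with DRY_RUN=1 first to review the rules it would add; the real run needs root for both iptables and the at job, and, like the original script, relies on the at job inheriting the caller's environment so that iptables is found on PATH when it fires.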
zengargoyle - I like the comment about not coding GUI. Maybe there is someone who wants to collaborate?
IIRC we have a redirect page that just says "It's working"
And believe it or not, the whitelist/blacklist system we have seems to work well. (I get emails from grad students and doctoral candidates thanking me all the time.)
posted by SteveLambert at 1:46 AM on July 28, 2010
Response by poster: Hi Steve - I really appreciate SelfControl. I'm a grad student and it has really helped me control browsing on my mac, and my productivity. I currently have a second computer within my reach that has ubuntu. Hence the question!
I saw the suggestion on the Ubuntu forums when I was searching, but could not find anything else.
posted by a womble is an active kind of sloth at 6:36 AM on July 28, 2010
Best answer: I guess I have some questions about the application's functions that I don't want to pore through the source to figure out (and that may well be better answered by asking).
It seems that the Blacklist functionality is pretty straightforward, just deny all traffic to the listed hosts. It's the Whitelist that confuses me a bit. Does that mean block ALL traffic to ANY host not listed? (seems that would do things like cut out your DNS for other hosts unless you specifically add your DNS server to the list, same for DHCP lease renewals, network time services...). I take it in my head that it means more of block all HTTP, HTTPS, POP, IMAP, the secure versions of those, SSH, XMPP, IRC, ... the list goes on forever depending on what you consider a time waster vs. necessary network functionality.
I have managed a very rough Gtk2 Perl implementation. Ubuntu should have already installed all of the dependencies it uses, mine has and I don't remember installing them myself (or at the least they are in the standard package repositories).
Screenshot
The 'Allow listed, Deny Otherwise' doesn't work since I'm not sure how it should work.
No labels or multiple windows yet, and it doesn't do anything smart yet like list hosts already blocked or refuse to let you block them again, again I sorta don't know what users would really want all of the use cases to be.
It does have the list of hosts to deny, you can delete or add to the list, set the time in hours to block them (currently 1-24), and press start and presto.
You can tell I don't know Gtk2 at all, no nice layout or pop up windows. Of course the actual meat of the program is just a couple of screens while the UI part is already half a dozen or so screens. uggh.
There is some sort of IDE (Glade) that can be used to build an interface (even all the pretty Ubuntu Gnome compliant junk) and dump out some XML version, and a Perl module that can use that XML version. So if anybody wants to take a shot at how it should look...
Getting it all set up as a proper Ubuntu .deb package so it could be installed with a few clicks is a whole 'nother bucket of worms that I know little about.
posted by zengargoyle at 3:14 PM on July 28, 2010
Wow nice. This gets into a level of detail that is a little beyond me, but I passed the link onto Charlie (the main developer) so hopefully I can get you some answers.
In the meantime, it would be great to get this on github. It might generate some interest in the code and get some other contributing?
posted by SteveLambert at 12:18 PM on July 29, 2010
Charlie says...
"Whitelisting is simple: we block all IP traffic from the user's computer to any server/port except those listed; the exceptions are traffic on port 53 UDP and traffic on the loopback interface(s) (lo*). Incoming traffic is not blocked. As you pointed out, this is a very wide block. That's why the default is blacklist. But there's no real way we could look ahead and unblock all of the servers/ports the user will need. We could parse the indexes of web servers passed in and unblock servers linked to in the HTML, but then another page on the site could have a different set of dependencies. So yes, it will block SSH, XMPP, IRC, etc... but you could just add to your whitelist the rules *:22, *:5222, *:5223, *:6667, and *:7000. If you can think of another service that should probably be unblocked by default (besides DNS) and requires outgoing traffic (remember incoming packets are allowed), please let us know so we can add it to SelfControl. You will probably also find some that you want to unblock for Linux distros that we wouldn't for Mac, just because of the different user profiles.
Good luck!"
posted by SteveLambert at 2:19 AM on August 1, 2010
Best answer: First beta version is up at this ugly page.
There is a standard Perl module version that I expect anybody to know what to do with if they choose it, and a Debian package for easy Ubuntu installation.
Sadly the Whitelist is not 'simple', the 'simple' version given needs TCP DNS, and breaks BOOTP/DHCP Renewal. It wouldn't work for any sites that include images or scripts from other servers. About the only way I can see making it work as expected would be to redirect through a local proxy that can allow/deny on application level information (e.g. allowing http requests with a referrer that is whitelisted).
It could stand a bunch of cleanup, I only went the module route because I found an easy 'auto build debian package'. Still trying to figure out how to get a .desktop file installed in the proper place so that it shows up in the Applications menu (it works if I put it in place manually), and an icon and help and about all that other stuff that would be nice.
posted by zengargoyle at 6:27 PM on August 1, 2010 [2 favorites]
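Charlie's whitelist description and zengargoyle's critique of it, written out as iptables rules. This is an added example, not SelfControl's code or the Perl implementation from the thread: a chain (SELFCONTROL_WL, name assumed) that accepts loopback and UDP 53 as SelfControl does, adds TCP 53 and DHCP renewal as the critique asks for, accepts each whitelist entry in Charlie's *:port form (TCP assumed) or as host:port, and drops everything else leaving OUTPUT. The whitelist itself is constructed here from the ports in Charlie's reply plus an example.com entry; DRY_RUN is this example's own switch.

```shell
#!/bin/sh
# Added example, not SelfControl's code: the outbound whitelist Charlie describes
# (drop everything from this host except listed host:port pairs, the loopback
# interface and UDP 53), plus the two exceptions zengargoyle's critique says the
# simple version needs: DNS over TCP and DHCP lease renewal. The chain name
# SELFCONTROL_WL, DRY_RUN and the example.com entry are this example's own.
#
#   DRY_RUN=1 sh selfcontrol-whitelist.sh    # print the rules
#   sudo sh selfcontrol-whitelist.sh apply   # add them to the live firewall

IPTABLES=${IPTABLES:-iptables}
CHAIN=${CHAIN:-SELFCONTROL_WL}

# Constructed whitelist: Charlie's suggested "*:port" service entries plus one
# host:port pair. One entry per line, as a config file would hold them.
WHITELIST='*:22
*:5222
*:5223
*:6667
*:7000
example.com:443'

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only "host", "host:port" or "*:port" built from hostname characters,
# since the match string is word-split into an iptables command below.
valid_entry() {
    case "$1" in
        ''|'*'|*:|*:*:*|*[!A-Za-z0-9.:*-]*) return 1 ;;
    esac
    return 0
}

# Translate one entry into iptables match arguments (TCP assumed for ports):
#   "*:22"            -> -p tcp --dport 22
#   "example.com:443" -> -d example.com -p tcp --dport 443
#   "example.com"     -> -d example.com
# -d is resolved once, when the rule is added, which is the round-robin DNS
# problem zengargoyle raises: an address handed out later is not covered.
entry_to_match() {
    host=$1
    port=
    case "$1" in
        *:*) host=${1%%:*}; port=${1#*:} ;;
    esac
    match=
    if [ "$host" != '*' ]; then
        match="-d $host"
    fi
    if [ -n "$port" ]; then
        match="${match:+$match }-p tcp --dport $port"
    fi
    printf '%s\n' "$match"
}

# Build the chain: fixed exceptions, one ACCEPT per entry, catch-all DROP, then
# hook it in front of OUTPUT. Incoming traffic is untouched, as in SelfControl.
build_whitelist() {
    run "$IPTABLES" -N "$CHAIN" || return 1
    run "$IPTABLES" -A "$CHAIN" -o lo -j ACCEPT || return 1
    run "$IPTABLES" -A "$CHAIN" -p udp --dport 53 -j ACCEPT || return 1
    # Additions from the critique: DNS over TCP and the DHCP client-to-server port.
    run "$IPTABLES" -A "$CHAIN" -p tcp --dport 53 -j ACCEPT || return 1
    run "$IPTABLES" -A "$CHAIN" -p udp --sport 68 --dport 67 -j ACCEPT || return 1
    printf '%s\n' "$1" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if ! valid_entry "$entry"; then
            echo "skipping malformed whitelist entry: $entry" >&2
            continue
        fi
        # Intentionally unquoted: entry_to_match emits separate arguments.
        run "$IPTABLES" -A "$CHAIN" $(entry_to_match "$entry") -j ACCEPT
    done
    run "$IPTABLES" -A "$CHAIN" -j DROP || return 1
    run "$IPTABLES" -I OUTPUT 1 -j "$CHAIN"
}

if [ "${1:-}" = "apply" ] || [ -n "$DRY_RUN" ]; then
    build_whitelist "$WHITELIST"
fi
```

What these rules cannot fix is the critique's last point: a page that pulls images or scripts from other hosts still breaks, because the firewall sees only destinations, never which page asked for them, which is the case for the referrer-aware local proxy zengargoyle describes. The chain also does not remove itself; pair it with an at job that unhooks it from OUTPUT, flushes it and deletes it when the block period ends.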
Awesome! I posted it on my site as well. Hopefully we can get some contributors. You're welcome to use our icon. Someone sent in a vectorized looking one as well if you're interested.
posted by SteveLambert at 1:21 AM on August 2, 2010 [3 favorites]
Temptation Blocker is also Open Source and for Windows.
posted by Duug at 11:43 AM on August 9, 2010 [1 favorite]
Similar in concept and very well done is StayFocusd for Chrome.
posted by BurN_ at 5:41 PM on August 9, 2010
Works good (thanks!), but I also get this to stderr:
iptables: Chain already exists
iptables v1.3.8: Unknown arg `-S'
Try `iptables -h' or 'iptables --help' for more information.
posted by telstar at 4:40 AM on August 10, 2010
telstar: Bug reports should go to , but anyway... that's probably a version problem with iptables. '-S' is available on iptables v1.4.4 and is shorthand for --list-rules [chain [rulenum]] 'Print the rules in a chain or all chains'. That part of the program is testing for the existence of a chain and creating it if it doesn't exist, since the test fails it attempts to create the chain and fails because it's already created. Shouldn't cause any problems, I just fixed the trunk to hide the error messages. There's one other pesky little bug which should have a fix up soon, but it's mostly harmless as well.
posted by zengargoyle at 12:16 PM on August 10, 2010
doh! ate the email: 'zengargoyle AT gmail.com'
posted by zengargoyle at 12:18 PM on August 10, 2010