Block internet on ubuntu
July 27, 2010 7:08 AM

Is there a program like SelfControl for ubuntu?

SelfControl can stop internet connectivity for a specified period of time, and has whitelists or blacklists. I like SelfControl as it is not reset after you reboot your computer.
posted by a womble is an active kind of sloth to Computers & Internet (17 answers total) 13 users marked this as a favorite
You can accomplish this with browser plugins. Leechblock for firefox or chrome nanny for chrome both have the feature set you want.
posted by chrisamiller at 9:21 AM on July 27, 2010

Well a quick look at SelfControl and it's a program that either modifies /etc/hosts or the ip packet filter via 'ipfw'. Not sure how OS X manages super-user stuff, but the simple blocking part on ubuntu would be easy:
sudo /bin/bash -c "iptables -A OUTPUT -d HOSTNAME -j DROP; echo 'iptables -D OUTPUT -d HOSTNAME -j DROP' | at 'now + 3 min'"
Which is probably how SelfControl does it minus the pretty interface. Add a DROP rule to the firewall, and add an 'at' job to delete the DROP rule after a specified time. The firewall rule should survive reboot (it's usually saved on shutdown and restored on boot), and the 'at' job should survive until it's executed. The whitelist or protocol based stuff just gets a bit more complicated, say making a sub-chain on the OUTPUT that drops all port 80 traffic and inserting an ALLOW rule for a particular site. You can read up on the IPTables and come up with something that suits your needs maybe.
posted by zengargoyle at 9:23 AM on July 27, 2010

Response by poster: I should have clarified that I don't want a browser specific blocker as it is really easy to install another browser using ubuntu.

zengargoyle, with your example is it possible to block all sites? Or do I need to specify the site. I've perused IPTables but I don't fully understand how they work.

Thank you both for your suggestions.
posted by a womble is an active kind of sloth at 3:37 PM on July 27, 2010

Best answer: Hi,

I'm the designer of SelfControl, and I'd love to see a Ubuntu version created as well!

From what I understand the core code is very similar. It's all available on github and if anyone wants to create a Ubuntu/Linux fork, I'll help however I can.

Originally I designed the app and found a coder (the talented Charlie Stigler) through It cost me $100. Whoever wanted to commission a Linux port would probably be pretty popular. If you do, let me know.
posted by SteveLambert at 4:57 PM on July 27, 2010

a womble is an active kind of sloth: I'm assuming by "block all sites" you mean web sites and not other network things like say POP/IMAP for email or chat clients, etc., if that's the case you could just use 'iptables -I OUTPUT -p tcp --dport 80 -j DROP' to drop http traffic and you would probably want to add 'iptables -I OUTPUT -p tcp --dport 443 -j DROP' to cover https as well.

Do this:
Hit Alt-F2 and run the command 'gksu gnome-terminal'
gedit /usr/bin/SelfControl
Paste in and save/quit the following program.
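#!/bin/bash
# Block outbound web traffic, then schedule removal of the block with at(1).
PORTS="80 443"
UNDO=""

for p in $PORTS
do
  # Insert a DROP rule for this port at the top of the OUTPUT chain.
  iptables -I OUTPUT -p tcp --dport $p -j DROP
  # Collect the matching delete command for the 'at' job.
  UNDO="$UNDO iptables -D OUTPUT -p tcp --dport $p -j DROP;"
done

echo "$UNDO" | at now + 1 min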
Then make the program executable
chmod +x /usr/bin/SelfControl

Then you can add a Custom Application Launcher to the panel and have it run 'gksudo /usr/bin/SelfControl'

Change the time to something longer, and if it gets messed up for some reason you can run 'gksudo iptables -F' to delete the blocks by clearing all of the firewall rules. :) It is all about self control...

SteveLambert: I'm sure an Ubuntu version would be pretty cool, there was another request on the Ubuntu forums requesting a port of your program. I code all sorts of firewall/CISCO ACLs/networking stuff but never easy to use graphical UI stuff.

White listing seems problematic with all the possibilities of javascript and images and the like coming from different domains, you might have to add a dozen sites just to view a single page. Even blacklisting could be problematic if sites use round-robin DNS for load balancing purposes. It would be more fun to set up a simple server on your machine that serves up a "Oh no you dont!" page and redirect all of your web attempts there as a nasty reminder. Or give you a countdown timer for when you'll be able to browse again.
posted by zengargoyle at 8:58 PM on July 27, 2010

zengargoyle - I like the comment about not coding GUI. Maybe there is someone who wants to collaborate?

IIRC we have a redirect page that just says "It's working"

And believe it or not, the whitelist/blacklist system we have seems to work well. (I get emails from grad students and doctoral candidates thanking me all the time.)
posted by SteveLambert at 1:46 AM on July 28, 2010

Response by poster: Hi Steve - I really appreciate SelfControl. I'm a grad student and it has really helped me control browsing on my mac, and my productivity. I currently have a second computer within my reach that has ubuntu. Hence the question!

I saw the suggestion on the Ubuntu forums when I was searching, but could not find anything else.
posted by a womble is an active kind of sloth at 6:36 AM on July 28, 2010

Best answer: I guess I have some questions about the application's functions that I don't want to pore through the source to figure out (and that may well be better answered by asking).

It seems that the Blacklist functionality is pretty straightforward, just deny all traffic to the listed hosts. It's the Whitelist that confuses me a bit. Does that mean block ALL traffic to ANY host not listed? (seems that would do things like cut out your DNS for other hosts unless you specifically add your DNS server to the list, same for DHCP lease renewals, network time services...). I take it in my head that it means more of block all HTTP, HTTPS, POP, IMAP, the secure versions of those, SSH, XMPP, IRC, ... the list goes on forever depending on what you consider a time waster vs. necessary network functionality.

I have managed a very rough Gtk2 Perl implementation. Ubuntu should have already installed all of the dependencies it uses, mine has and I don't remember installing them myself (or at the least they are in the standard package repositories).


The 'Allow listed, Deny Otherwise' doesn't work since I'm not sure how it should work.
No labels or multiple windows yet, and it doesn't do anything smart yet like list hosts already blocked or refuse to let you block them again, again I sorta don't know what users would really want all of the use cases to be.

It does have the list of hosts to deny, you can delete or add to the list, set the time in hours to block them (currently 1-24), and press start and presto.

You can tell I don't know Gtk2 at all, no nice layout or pop up windows. Of course the actual meat of the program is just a couple of screens while the UI part is already half a dozen or so screens. uggh.

There is some sort of IDE (Glade) that can be used to build an interface (even all the pretty Ubuntu Gnome compliant junk) and dump out some XML version, and a Perl module that can use that XML version. So if anybody wants to take a shot at how it should look...

Getting it all set up as a proper Ubuntu .deb package so it could be installed with a few clicks is a whole 'nother bucket of worms that I know little about.
posted by zengargoyle at 3:14 PM on July 28, 2010

Wow nice. This gets into a level of detail that is a little beyond me, but I passed the link onto Charlie (the main developer) so hopefully I can get you some answers.

In the meantime, it would be great to get this on github. It might generate some interest in the code and get some other contributing?
posted by SteveLambert at 12:18 PM on July 29, 2010

Charlie says...

"Whitelisting is simple: we block all IP traffic from the user's computer to any server/port except those listed; the exceptions are traffic on port 53 UDP and traffic on the loopback interface(s) (lo*). Incoming traffic is not blocked. As you pointed out, this is a very wide block. That's why the default is blacklist. But there's no real way we could look ahead and unblock all of the servers/ports the user will need. We could parse the indexes of web servers passed in and unblock servers linked to in the HTML, but then another page on the site could have a different set of dependencies. So yes, it will block SSH, XMPP, IRC, etc... but you could just add to your whitelist the rules *:22, *:5222, *:5223, *:6667, and *:7000. If you can think of another service that should probably be unblocked by default (besides DNS) and requires outcoming traffic (remember incoming packets are allowed), please let us know so we can add it to SelfControl. You will probably also find some that you want to unblock for Linux distros that we wouldn't for Mac, just because of the different user profiles.

Good luck!"
posted by SteveLambert at 2:19 AM on August 1, 2010

Best answer: First beta version is up at this ugly page.

There is a standard Perl module version that I expect anybody to know what to do with if they choose it, and a Debian package for easy Ubuntu installation.

Sadly the Whitelist is not 'simple', the 'simple' version given needs TCP DNS, and breaks BOOTP/DHCP Renewal. It wouldn't work for any sites that include images or scripts from other servers. About the only way I can see making it work as expected would be to redirect through a local proxy that can allow/deny on application level information (e.g. allowing http requests with a referrer that is whitelisted).

It could stand a bunch of cleanup, I only went the module route because I found an easy 'auto build debian package'. Still trying to figure out how to get a .desktop file installed in the proper place so that it shows up in the Applications menu (it works if I put it in place manually), and an icon and help and about all that other stuff that would be nice.
posted by zengargoyle at 6:27 PM on August 1, 2010 [2 favorites]
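
The whitelist Charlie describes, with the TCP DNS and DHCP renewal exceptions zengargoyle says the simple version lacks, written as a rule generator. This is an added example, not SelfControl's or zengargoyle's code; the chain name SELFCONTROL and the entry syntax (host, host:port, *:port) are assumptions.

```bash
#!/bin/bash
# Added example: print (not run) iptables commands for an allow-list block.
# CHAIN and the entry syntax (host, host:port, *:port) are assumptions.
CHAIN="SELFCONTROL"

# Convert one allow-list entry into iptables match arguments. Entries are
# validated strictly because the generated commands end up in a root shell.
entry_to_match() {
  local entry="$1" host port="" match=""
  host="${entry%%:*}"
  case "$entry" in *:*) port="${entry##*:}" ;; esac
  case "$host" in
    "*") host="" ;;                          # wildcard host: match on port only
    ""|-*|*[!A-Za-z0-9.-]*) return 1 ;;      # empty, option-like, or odd characters
  esac
  case "$port" in *[!0-9]*) return 1 ;; esac
  [ -z "$host$port" ] && return 1            # a bare "*" would allow everything
  [ -n "$host" ] && match="-d $host"
  [ -n "$port" ] && match="$match -p tcp --dport $port"
  printf '%s\n' "${match# }"
}

# Emit the full rule set: fixed exceptions, the user's entries, then DROP.
# The chain is hooked into OUTPUT last so a half-built chain never filters.
whitelist_rules() {
  local e m
  echo "iptables -N $CHAIN"
  echo "iptables -A $CHAIN -o lo -j ACCEPT"                          # loopback
  echo "iptables -A $CHAIN -p udp --dport 53 -j ACCEPT"              # DNS (UDP)
  echo "iptables -A $CHAIN -p tcp --dport 53 -j ACCEPT"              # DNS (TCP)
  echo "iptables -A $CHAIN -p udp --sport 68 --dport 67 -j ACCEPT"   # DHCP renewal
  for e in "$@"; do
    if m=$(entry_to_match "$e"); then
      echo "iptables -A $CHAIN $m -j ACCEPT"
    else
      echo "skipped invalid entry" >&2
    fi
  done
  echo "iptables -A $CHAIN -j DROP"
  echo "iptables -I OUTPUT -j $CHAIN"
}

# Constructed sample entries: SSH to anywhere, HTTPS to one host.
whitelist_rules '*:22' 'example.org:443'
```

The output is meant to be read first and then run as root; the cross-domain image and script problem zengargoyle raises is not solved by any rule set of this kind.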

Awesome! I posted it on my site as well. Hopefully we can get some contributors. You're welcome to use our icon. Someone sent in a vectorized looking one as well if you're interested.
posted by SteveLambert at 1:21 AM on August 2, 2010 [3 favorites]

Temptation Blocker is also Open Source and for Windows.
posted by Duug at 11:43 AM on August 9, 2010 [1 favorite]

Similar in concept and very well done is StayFocusd for Chrome.
posted by BurN_ at 5:41 PM on August 9, 2010

Works good (thanks!), but I also get this to stderr:

iptables: Chain already exists
iptables v1.3.8: Unknown arg `-S'
Try `iptables -h' or 'iptables --help' for more information.

posted by telstar at 4:40 AM on August 10, 2010

telstar: Bug reports should go to , but anyway... that's probably a version problem with iptables. '-S' is available on iptables v1.4.4 and is shorthand for --list-rules [chain [rulenum]] 'Print the rules in a chain or all chains'. That part of the program is testing for the existence of a chain and creating it if it doesn't exist, since the test fails it attempts to create the chain and fails because it's already created. Shouldn't cause any problems, I just fixed the trunk to hide the error messages. There's one other pesky little bug which should have a fix up soon, but it's mostly harmless as well.
posted by zengargoyle at 12:16 PM on August 10, 2010
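
The chain test discussed above, done without '-S' so that it also works on the iptables v1.3.8 in telstar's output. This is an added example, not the program's own code; the function names and the IPT override variable are assumptions.

```bash
#!/bin/bash
# Added example: idempotent chain setup without `iptables -S`.
# IPT can be overridden; the chain name passed in is the caller's choice.
IPT="${IPT:-iptables}"

# True if the chain exists. `-n -L CHAIN` exits non-zero for a missing chain.
chain_exists() {
  $IPT -n -L "$1" >/dev/null 2>&1
}

# True if the parent chain ($1) already has a rule whose target is $2.
# Parses the listing: after two header lines, column 1 of each rule is the target.
jump_exists() {
  $IPT -n -L "$1" 2>/dev/null |
    awk -v target="$2" 'NR > 2 && $1 == target { found = 1 } END { exit !found }'
}

# Create the chain and hook it into OUTPUT only when each piece is missing,
# so a second run adds nothing and prints no "Chain already exists".
ensure_block_chain() {
  chain_exists "$1" || $IPT -N "$1" || return 1
  jump_exists OUTPUT "$1" || $IPT -I OUTPUT -j "$1"
}
```

Run as root, 'ensure_block_chain SELFCONTROL' can be called any number of times and leaves exactly one chain and one jump rule.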

doh! ate the email: 'zengargoyle AT'
posted by zengargoyle at 12:18 PM on August 10, 2010
