#!/bin/sh

# no_internet.sh
# 2023-04-09
# by Gernot Walzl

# This script blocks an application from accessing the internet.

# Host pinged from inside the no-internet group to verify the block; the
# environment may override it, otherwise it defaults to www.google.com.
: "${PING_DEST_VERIFY:=www.google.com}"

print_usage () {
  echo "Usage:"
  echo "  $0 --install"
  echo "  $0 --add-rules"
  echo "  $0 COMMAND"
  echo "Examples:"
  echo "  $0 'ping localhost'"
  echo "  $0 'ping $PING_DEST_VERIFY'"
  echo "  $0 bash"
}

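install () {
  # One-time setup: create the system group that the iptables owner match
  # keys on, and put the invoking user into it. Both steps need root.
  # The two commands are deliberately not chained with &&: re-running on a
  # host where the group already exists should still add the user.
  # $USER is not guaranteed to be set (e.g. non-login contexts), so fall
  # back to id(1) for the current user name.
  local user
  user=${USER:-$(id -un)}
  sudo addgroup --system no-internet
  sudo usermod -a -G no-internet "$user"
}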

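add_rules () {
  # Append the OUTPUT-chain rules that cut the no-internet group off, for one
  # address family.
  #   $1 - netfilter front-end to use (iptables or ip6tables)
  # Rule order matters: loopback is accepted first so local services keep
  # working, then matching packets are logged and finally rejected.
  # Each rule is probed with -C before -A so that repeated runs (several
  # --add-rules invocations) do not stack duplicate rules in the chain; the
  # probe's "Bad rule" noise is discarded, and on an iptables too old for -C
  # the probe fails and the rule is appended exactly as before.
  # 'local' is not POSIX sh, but dash, bash and busybox sh all provide it.
  local IPXTABLES="$1"
  local GROUP="no-internet"
  sudo "$IPXTABLES" -C OUTPUT -o lo -j ACCEPT 2>/dev/null \
    || sudo "$IPXTABLES" -A OUTPUT -o lo -j ACCEPT
  sudo "$IPXTABLES" -C OUTPUT -m owner --gid-owner "$GROUP" -j LOG 2>/dev/null \
    || sudo "$IPXTABLES" -A OUTPUT -m owner --gid-owner "$GROUP" -j LOG
  sudo "$IPXTABLES" -C OUTPUT -m owner --gid-owner "$GROUP" -j REJECT 2>/dev/null \
    || sudo "$IPXTABLES" -A OUTPUT -m owner --gid-owner "$GROUP" -j REJECT
}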

# Entry point: dispatch on the first argument.
case "$1" in
  '')
    print_usage
    exit 1
    ;;
  --install)
    install
    ;;
  --add-rules)
    add_rules iptables
    add_rules ip6tables
    ;;
  *)
    # Probe from inside the group: if a ping still gets out for an address
    # family, the REJECT rules for that family are missing, so add them
    # before running COMMAND. Note this probe is fail-open: a ping that
    # fails for another reason (name resolution, host down, no IPv6 route)
    # also skips add_rules, and COMMAND then runs without the block in place.
    # PING_DEST_VERIFY is spliced into a string that sg runs through a
    # shell, so it must stay a plain host name.
    if sg no-internet "ping -4 -c 1 $PING_DEST_VERIFY"; then
      add_rules iptables
    fi
    if sg no-internet "ping -6 -c 1 $PING_DEST_VERIFY"; then
      add_rules ip6tables
    fi
    # sg takes COMMAND as a single string (see print_usage); additional
    # positional arguments are, as far as sg's interface goes, not forwarded.
    sg no-internet "$@"
    ;;
esac