Good afternoon,
I set up nftables on Arch Linux to block everything except my proxy user. This gives very good isolation because you need a username & password to connect to the proxy and access the internet. I found that many apps were doing requests when I wouldn't expect them.
Now I also play some video games on Steam, but it doesn't have built-in proxy support. I attempted to see if setting the $HTTP_PROXY variable had any effect, but unfortunately it didn't launch Steam and it was still trying to connect without the proxy.
So since I am blocking the internet on my whole OS, is there a good way to grant a single application access to the internet?
I was thinking of the below:
1. Set up a steam user
2. Allow the steam user to access the internet using nftables
3. Every time you launch Steam, you would have to assume the steam role, but that requires the sudo command (root), which I would prefer not to use if there is really no need. For example:

sudo -u steam /usr/bin/steam "$@"

Is that a good approach, or is there something better?
I know in systemd we can run applications as users, but I think there is no need to run Steam as a systemd service. I also looked at .desktop entries (/usr/share/applications) that we can create, but with these we can't assume roles the way systemd works.
Last edited by dab9966 (2025-04-24 14:35:37)
Are you looking for eg. https://wiki.archlinux.org/title/Firejail ?
Hello, thank you for responding.
Firejail is a great alternative to bubblewrap, which I already use and which is a very useful tool for sandboxing. If I'm not mistaken, even if you grant internet access through these, iptables/nftables would still take priority, so your traffic will go like this:
App -> Firejail/Bubblewrap -> AppArmor -> nftables/iptables (OS-level internet block happening here, except for the proxy user)
I found a wrapper script on GitHub https://github.com/ShellCode33/ArchLinu … in/proxify, which runs your application with proxy environment variables. This seems to make progress and launches Steam (most likely because the right env variable was set, HTTPS_PROXY rather than HTTP_PROXY), but then Steam still can't load the front page, with the error message "Unauthorized to connect to Proxy", so I assume authentication is not directly supported by setting something like the below:

proxy=http://<username>:<password>@127.0.0.1:<port>
export HTTP{S,}_PROXY=$proxy
export http{s,}_proxy=$proxy

This works with stuff like curl, but not steam.
Would it work to launch Steam with proxychains-ng?
https://archlinux.org/packages/extra/x8 … chains-ng/
https://wiki.archlinux.org/title/Proxy_server
https://steamcommunity.com/app/221410/d … 069287780/
Last edited by christian-oudard (2025-04-24 23:35:20)
I was typing response here and then it logged me out, and my detailed reply is gone lol.
Anyway, here is a shortened version.
Would it work to launch Steam with proxychains-ng?
Maybe. There are things it wouldn't work with, as this only covers glib connect() calls, and completely skips UDP I think. You might be able to force -tcp in Steam, but how that would translate into latency is not something I've tested yet. In addition, that would be yet another application/layer to add to your stack just for the sake of running Steam.
Other things considered:

- sg <proxy group> -c "command"
- newgrp <proxy group>
# issues with running these:
1. requires your user to be part of the group that has internet access (proxy)
2. does not require sudo, which means anything can just change group and grant access to the internet (bypassing proxy auth)

- sudo -g groupname command
# with this command, your user does not have to be part of the proxy group that has internet access
# requires being able to run sudo
# you run the sudo command, but don't assume root privileges, it's just to change group
# the issue with this, even if it's a minimal issue and unlikely to affect anything, is that the command you are running
# is now part of this group, which has access to all files, i.e. the proxy itself

The most secure, I think, would be to have this setup: creating a separate user and group specifically for Steam video games, and granting access through nftables. Of course this works for me because my end goal is to be able to limit network exposure. For someone who requires a proxy, they would most likely need to run proxychains-ng until more official support is provided.
Last edited by dab9966 (2025-04-25 10:56:16)
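The per-user setup the last post settles on, as an added example ruleset that is not from the thread: it assumes local users named "proxy" and "steam", a proxy listening on loopback, and filters outbound traffic by the owning UID of the socket, logging whatever gets dropped so unexpected phone-home traffic shows up in the journal.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the forum thread. Assumed names: users "proxy"
# and "steam"; the proxy is assumed to listen on 127.0.0.1.
flush ruleset

table inet filter {
    chain output {
        type filter hook output priority 0; policy drop;

        # Loopback stays open so every app can still reach the local proxy
        # (and so the proxy can talk to itself).
        oif "lo" accept

        # Only sockets owned by these users may leave the host directly.
        # Everything else must go through the proxy (and its auth) or is dropped.
        # A process started with "sudo -u steam ..." owns its sockets as steam.
        meta skuid "proxy" accept
        meta skuid "steam" accept

        # If you prefer the "sudo -g <group>" approach from the thread, match
        # the socket's group instead, e.g.:  meta skgid "games" accept

        # Log dropped traffic (rate-limited so a chatty client cannot flood
        # the journal), then drop. This is how you see which apps try to
        # connect when you would not expect them to.
        limit rate 5/minute log prefix "nft-out-drop: " level info
        counter drop
    }
}
```

Load with `nft -f <file>` and watch `journalctl -k -g nft-out-drop` to see which UIDs and destinations are being blocked; note this only matches the socket owner, so anything the user can run as steam gets the same access.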