I stumbled upon very old forums on the internet, but all were cumbersome; the most common was to create a separate nointernet group and run the application with it. I am surprised iptables doesn't have a feature like this built in. My current solution is to use firejail.
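The nointernet group approach mentioned in the post above, written out as an added example that is not part of the original post or of any reply. Only the group name comes from the post; the function names, the loopback exemption and the IPv6 rule are assumptions of this example.

```bash
#!/bin/sh
# Added example: per-application network block using a dedicated group and
# the iptables "owner" match. GROUP is the name used in the post; all
# function names here are hypothetical.
set -u
GROUP="nointernet"

# Rule specification shared by iptables and ip6tables: reject every locally
# generated packet from a socket created under GROUP as its group ID, except
# on loopback, so local IPC over 127.0.0.1 / ::1 keeps working.
rule_spec() {
    printf '%s\n' "OUTPUT ! -o lo -m owner --gid-owner $GROUP -j REJECT"
}

# Install the rule for IPv4 and IPv6 (root required). Leaving out ip6tables
# would let the application reach the network over IPv6. -C checks whether
# the rule is already present, so repeated runs do not stack duplicates.
setup() {
    getent group "$GROUP" >/dev/null || groupadd --system "$GROUP"
    spec=$(rule_spec)
    for cmd in iptables ip6tables; do
        # Word splitting of $spec is intended: it expands to the rule's arguments.
        "$cmd" -C $spec 2>/dev/null || "$cmd" -I $spec
    done
}

# Run a command with its group switched to GROUP. sg passes the command line
# to the shell as one string, and the calling user must be a member of GROUP.
run_offline() {
    sg "$GROUP" -c "$*"
}

# Nothing happens unless a subcommand is given.
case "${1:-}" in
    setup) setup ;;
    run)   shift; run_offline "$@" ;;
esac
```

The rules do not survive a reboot unless they are saved with the distribution's iptables persistence mechanism.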
Flatpak and Snaps get their fair share of flak for a number of legitimate reasons, but one thing that I find really nice is that you can deny that permission to them.

Flatseal is actually a good GUI client for doing so. It can modify and tweak the permissions that different apps have. Just turn off the network permission and boom - you've turned off all access to the network for that app.

Of course this means your application has to be bundled into a Flatpak or Snap in some way (and the UX for doing this with Snaps is pretty bad IMO), so you'll probably find that your mileage may vary.

Another alternative is to use apparmor and disallow the `net_raw` capability on a per-application basis (this won't matter how your app is bundled) but that can be exhausting to set up individually.
You can try opensnitch: https://github.com/evilsocket/opensnitch