On 05/04/2014 11:06 PM, Paul Cartwright wrote:
> Assuming you had access to the computer & keyboard, boot it with a live CD, mount the OS, chroot into it, and change the root password, or add a user with admin rights.

No, I'm planning to install a Fedora system to a USB flash drive, and then give that to someone to boot their machine from. I don't have details on the hardware of the target machine, but I'd like to ensure that there's no network activity for the duration of their session in the environment.
Thanks again
Allegedly, on or about 04 May 2014, Someone sent:
> I'm planning to install a Fedora system to a USB flash drive, and then give that to someone to boot their machine from. I don't have details on the hardware of the target machine, but I'd like to ensure that there's no network activity for the duration of their session in the environment.

And you can't simply get them to unplug the network cable?
Are you trying to protect them from some expected harm while resolving some problem?
Without knowing what network hardware is on the PC, it's a bit hard to block the modules or drivers that might be loaded. You'd have to block them all, to be sure.
A simpler method may be to turn on the firewall, or hard code some iptables rules, so that only 127.0.0.1 can communicate with itself. I think you will need to keep that going, or they'll never be able to do anything with the computer (such as start X).
With prior releases, I would have run this script (below); I'm not sure if it covers any more recent changes to iptables. See the man file, but it seems to work on Fedora 17. You can't even ping another PC on the LAN using its numerical IP address. The last line saves it as the default iptables configuration, so after you've run this script just the once, these rules will get loaded when the machine boots up.
#!/bin/bash

## Flush any pre-existing rules:
iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD

iptables --flush
iptables --table nat --flush

## Remove any user-defined chains:
iptables --delete-chain
iptables --table nat --delete-chain

## Set default (policy) rules:
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

## It MAY be necessary to allow 127.0.0.1 traffic:
## (INPUT matches on the receiving interface; iptables rejects --out-interface in the INPUT chain)
iptables --append INPUT --jump ACCEPT --in-interface lo --source 127.0.0.1/255.0.0.0
iptables --append OUTPUT --jump ACCEPT --out-interface lo --source 127.0.0.1/255.0.0.0

## Save as the default configuration loaded at boot:
iptables-save > /etc/sysconfig/iptables
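
As an added example, not part of the original thread: a check that a saved ruleset really is loopback-only, run here over constructed `iptables-save` samples. The function and sample names are assumptions, and it inspects only the filter table's built-in chain policies and ACCEPT rules.

```bash
#!/bin/bash
# Added example (not from the thread): audit iptables-save output and report
# anything that would let traffic pass on a non-loopback interface.
# Scope (assumption): filter table, built-in chains, ACCEPT rules only.

audit_ruleset() {   # stdin: iptables-save text; returns 0 only if loopback-only
    awk '
        /^\*/ { table = substr($0, 2) }            # "*filter", "*nat", ...
        table != "filter" { next }
        /^:(INPUT|OUTPUT|FORWARD) / {              # e.g. ":INPUT DROP [0:0]"
            chain = substr($1, 2); seen[chain] = 1
            if ($2 != "DROP") { print "policy not DROP: " chain " " $2; bad = 1 }
        }
        /^-A / && / -j ACCEPT/ {                   # ACCEPT must be pinned to lo
            if ($0 !~ / -[io] lo( |$)/) { print "non-loopback ACCEPT: " $0; bad = 1 }
        }
        END {
            n = split("INPUT OUTPUT FORWARD", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "no policy line for " want[i]; bad = 1 }
            exit bad + 0
        }'
}

sample_locked() {   # constructed sample: a loopback-only ruleset
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT
-A OUTPUT -s 127.0.0.0/8 -o lo -j ACCEPT
COMMIT
EOF
}

sample_leaky() {    # constructed sample: one open policy, one non-loopback ACCEPT
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

sample_locked | audit_ruleset && echo "locked sample: loopback only"
sample_leaky  | audit_ruleset || echo "leaky sample: see findings above"
```

On a live system, pipe `iptables-save` into `audit_ruleset`. iptables rules cover IPv4 only, so IPv6 needs the same policies applied with `ip6tables` and checked via `ip6tables-save`.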