I shove the first process I as main user log in with into a "no network" namespace (just consists of a lo interface) so no program spawned from there (which is everything my main user account runs) can access the internet or even local network as they can't break out of that namespace. I move processes that I want to have network connectivity with netns into the appropriate namespace, usually running under their own, non-privileged user account. Have one set up for spawning a tor namespace instance, another for a VPN in which openvpn continually provides network access, then an alias to put programs into the normal ethernet namespace PID 1 is in (runit-init). As the two tor and vpn namespaces just give access to openvpn or a tor instance, there's no possibility of IP leakage. The programs in them cannot access or even see the normal ethernet interface from that scope.
It's a pretty low-overhead and simple setup. Namespaces are neat. I do this in gentoo.
Jaxon Bell
to clarify, programs in the vpn and tor namespaces do not have access to the local network either, nor do they have access to loopback of the other namespaces (each namespace runs it's "own 127.0.0.1") so that means I can access the internet via tor with my browser, but not a webserver that runs locally in the nonet namespace or on my LAN, as there's no way to route to it.
You can also further lock down processes with MAC in the kernel. I use Tomoyo as it's easy to understand. (not a friend of SELinux, because it's needlessly complicated and documentation also often tells you to "just use the defaults for now if you don't get it" which is not good security practice) My browser for example, even if it's compromised, cannot spawn for example a bash instance or network tools as it is not allowed to do so. Even with custom injected code, it cannot do anything interesting on my LAN or via my non-anonymous network connection as it's still trapped inside it's own network namespace.
Locking down your networking is a major part in staying reasonably anonymous. If you don't have the basic opsec down, everything on top of it is pointless.
