diff --git a/cmd/buildlet/buildlet.go b/cmd/buildlet/buildlet.go
index 4cd8eed26..b999dda7f 100644
--- a/cmd/buildlet/buildlet.go
+++ b/cmd/buildlet/buildlet.go
@@ -914,14 +914,17 @@ func handleExec(w http.ResponseWriter, r *http.Request) {
 f.Flush()
 }
 
+ postEnv := r.PostForm["env"]
+
 goarch := "amd64" // unless we find otherwise
- for _, pair := range r.PostForm["env"] {
- if hasPrefixFold(pair, "GOARCH=") {
- goarch = pair[len("GOARCH="):]
- }
+ if v := getEnv(postEnv, "GOARCH"); v != "" {
+ goarch = v
+ }
+ if v, _ := strconv.ParseBool(getEnv(postEnv, "GO_DISABLE_OUTBOUND_NETWORK")); v {
+ disableOutboundNetwork()
 }
- env := append(baseEnv(goarch), r.PostForm["env"]...)
+ env := append(baseEnv(goarch), postEnv...)
 
 if v := processTmpDirEnv; v != "" {
 env = append(env, "TMPDIR="+v)
@@ -1851,3 +1854,28 @@ func checkAndroidEmulator() error {
 return nil
 }
 }
+
+var disableNetOnce sync.Once
+
+func disableOutboundNetwork() {
+ if runtime.GOOS != "linux" {
+ return
+ }
+ disableNetOnce.Do(disableOutboundNetworkLinux)
+}
+
+func disableOutboundNetworkLinux() {
+ const iptables = "/sbin/iptables"
+ const vcsTestGolangOrgIP = "35.184.38.56" // vcs-test.golang.org
+ runOrLog(exec.Command(iptables, "-I", "OUTPUT", "1", "-m", "state", "--state", "NEW", "-d", vcsTestGolangOrgIP, "-p", "tcp", "-j", "ACCEPT"))
+ runOrLog(exec.Command(iptables, "-I", "OUTPUT", "2", "-m", "state", "--state", "NEW", "-d", "10.0.0.0/8", "-p", "tcp", "-j", "ACCEPT"))
+ runOrLog(exec.Command(iptables, "-I", "OUTPUT", "3", "-m", "state", "--state", "NEW", "-p", "tcp", "--dport", "443", "-j", "REJECT", "--reject-with", "icmp-host-prohibited"))
+ runOrLog(exec.Command(iptables, "-I", "OUTPUT", "3", "-m", "state", "--state", "NEW", "-p", "tcp", "--dport", "22", "-j", "REJECT", "--reject-with", "icmp-host-prohibited"))
+}
+
+func runOrLog(cmd *exec.Cmd) {
+ out, err := cmd.CombinedOutput()
+ if err != nil {
+ log.Printf("failed to run %s: %v, %s", cmd.Args, err, out)
+ }
+}
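Review bot: The new `if v, _ := strconv.ParseBool(...)` branch calls disableOutboundNetwork() and discards its outcome, so if rule installation fails the requested command still runs with full network access and nothing in the response tells the caller; the rules are also installed through a sync.Once, so this is a one-way, process-wide change that every later exec request inherits, which deserves a comment such as `// One-way: once installed, the firewall rules stay for the life of this buildlet.` Discarding the ParseBool error is fine for the empty-string case, but it also makes an unparsable value like "yes" indistinguishable from unset; logging the error when the value is non-empty would surface misconfiguration. getEnv is defined outside this hunk, so it is not visible whether it matches the key case-insensitively as the removed hasPrefixFold did; if not, a lower-case `goarch=` entry would now be ignored. handleExec begins and ends outside the hunk.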
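Review bot: A failing iptables command in disableOutboundNetworkLinux is only logged by runOrLog, so when /sbin/iptables is absent or the process lacks the privilege to edit the OUTPUT chain the build proceeds with outbound network enabled even though the caller asked for it to be disabled, and because disableNetOnce fires once the failure is never retried for later requests — the mechanism fails open. The function also does less than its name suggests: it rejects only new TCP connections to ports 443 and 22 (other ports and UDP are untouched) with exceptions for the vcs-test.golang.org address and 10.0.0.0/8, and the two `-I OUTPUT 3` inserts leave the port-22 rule ahead of the port-443 rule; the doc comment should say so. Returning and caching the installation error, as below, lets handleExec fail the request instead of running the command unprotected.
```go
var disableNetErr error

// disableOutboundNetwork installs the firewall rules once per process and
// returns the cached result. Only new TCP connections to ports 443 and 22
// are rejected; vcs-test.golang.org and 10.0.0.0/8 stay reachable.
func disableOutboundNetwork() error {
	if runtime.GOOS != "linux" {
		return nil
	}
	disableNetOnce.Do(func() { disableNetErr = disableOutboundNetworkLinux() })
	return disableNetErr
}

func disableOutboundNetworkLinux() error {
	// … unchanged: iptables and vcsTestGolangOrgIP constants …
	for _, args := range [][]string{
		{"-I", "OUTPUT", "1", "-m", "state", "--state", "NEW", "-d", vcsTestGolangOrgIP, "-p", "tcp", "-j", "ACCEPT"},
		// … unchanged: the remaining three rule argument lists …
	} {
		if out, err := exec.Command(iptables, args...).CombinedOutput(); err != nil {
			return fmt.Errorf("iptables %v: %v, %s", args, err, out)
		}
	}
	return nil
}
```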
diff --git a/cmd/xb/xb.go b/cmd/xb/xb.go
index 1704cbe95..a7052bac5 100644
--- a/cmd/xb/xb.go
+++ b/cmd/xb/xb.go
@@ -147,7 +147,7 @@ func runDocker() {
 case "golang/buildlet-stage0":
 log.Printf("building dependent layer %q", layer)
 buildStage0Container()
- case "debian:stretch", "debian:buster":
+ case "debian:jessie", "debian:stretch", "debian:buster":
 // TODO: validate version? probably doesn't matter, as they're
 // pretty frozen and just get security/bug updates, and most of
 // our Dockerfiles start with apt-get update && upgrade steps
diff --git a/dashboard/builders.go b/dashboard/builders.go
index ad8dc3fb9..9c9b4cdd2 100644
--- a/dashboard/builders.go
+++ b/dashboard/builders.go
@@ -1228,7 +1228,11 @@ func init() {
 HostType: "host-linux-jessie",
 ShouldRunDistTest: fasterTrybots,
 tryBot: defaultTrySet(),
- env: []string{"GOARCH=386", "GOHOSTARCH=386"},
+ env: []string{
+ "GOARCH=386",
+ "GOHOSTARCH=386",
+ "GO_DISABLE_OUTBOUND_NETWORK=1",
+ },
 numTestHelpers: 1,
 numTryTestHelpers: 3,
 })
@@ -1239,9 +1243,12 @@ func init() {
 env: []string{"GOARCH=386", "GOHOSTARCH=386", "GO386=387"},
 })
 addBuilder(BuildConfig{
- Name: "linux-amd64",
- HostType: "host-linux-jessie",
- tryBot: defaultTrySet(),
+ Name: "linux-amd64",
+ HostType: "host-linux-jessie",
+ tryBot: defaultTrySet(),
+ env: []string{
+ "GO_DISABLE_OUTBOUND_NETWORK=1",
+ },
 MaxAtOnce: 3,
 numTestHelpers: 1,
 numTryTestHelpers: 4,
@@ -1305,6 +1312,7 @@ func init() {
 Notes: "cgo disabled",
 env: []string{
 "CGO_ENABLED=0",
+ "GO_DISABLE_OUTBOUND_NETWORK=1",
 // This USER=root was required for Docker-based builds but probably isn't required
 // in the VM anymore, since the buildlet probably already has this in its environment.
 // (It was required because without cgo, it couldn't find the username)
diff --git a/env/linux-x86-jessie/Dockerfile b/env/linux-x86-jessie/Dockerfile
index da4340b30..a272e5faf 100644
--- a/env/linux-x86-jessie/Dockerfile
+++ b/env/linux-x86-jessie/Dockerfile
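Review bot: `"GO_DISABLE_OUTBOUND_NETWORK=1"` is added to the linux-386 env here and to two more configs in the later hunks of dashboard/builders.go, but nothing at any of the three sites says what the flag does or where it is honoured; a comment on the first use would help, e.g. `// Asks the buildlet to reject new outbound TCP to ports 443/22 (linux hosts with iptables only).` Because the buildlet appends this env slice to the executed command's environment (see the buildlet.go hunk), the variable is also visible to the tests themselves, which may or may not be intended. The host type of the cgo-disabled builder in the third hunk lies outside that hunk, so whether its image carries iptables cannot be confirmed from here; if it does not, the flag is a silent no-op, since the buildlet only logs iptables failures.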
@@ -35,6 +35,7 @@ RUN apt-get update && apt-get install -y \
 libopenal-dev \
 fonts-droid \
 openssh-server \
+ iptables \
 && rm -rf /var/lib/apt/lists/*
 
 RUN mkdir -p /go1.4-amd64 \
diff --git a/env/linux-x86-stretch/Dockerfile b/env/linux-x86-stretch/Dockerfile
index 202ed7490..67e344055 100644
--- a/env/linux-x86-stretch/Dockerfile
+++ b/env/linux-x86-stretch/Dockerfile
@@ -38,6 +38,7 @@ RUN apt-get update && apt-get install -y \
 git \
 mercurial \
 subversion \
+ iptables \
 && rm -rf /var/lib/apt/lists/*
 
 RUN mkdir -p /go1.4-amd64 \
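Review bot: The `iptables \` package line gives no hint why a build image needs a firewall tool, and installing the binary alone is not sufficient: inserting rules into the OUTPUT chain needs the container to run with NET_ADMIN (or equivalent), which a Dockerfile cannot grant on its own, so the runtime configuration must be checked separately. A comment next to the package would make the dependency explicit, e.g. `# iptables: used by the buildlet's GO_DISABLE_OUTBOUND_NETWORK support; needs NET_ADMIN at run time`. The same applies to the linux-x86-stretch Dockerfile hunk below.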