libsockfilter - connection filtering for dynamically linked applications
Usage:
- server: LD_PRELOAD=libsockfilter_accept.so COMMAND ARG ...
- client: LD_PRELOAD=libsockfilter_connect.so COMMAND ARG ...
An experimental library that adds connection filtering to any dynamically linked application, using tcprules(1) rule databases. In contrast to managing a firewall, libsockfilter lets applications enforce network access restrictions without requiring any special privileges. The filter is loaded into the application's own process, so it covers the connections that process makes or accepts through libc, not the host as a whole.
libsockfilter requires libcdb; tcprules(1) from ucspi-tcp is needed to compile the rules database.
apt install libcdb-dev
apt install ucspi-tcp-ipv6 # or ucspi-tcp
make
LIBSOCKFILTER_DEBUG
: Write errors to stdout (default: disabled).
LIBSOCKFILTER_ACCEPT
: Path to rules database. If the rules database is not accessible,
all connections are dropped.
LIBSOCKFILTER_CONNECT
: Path to rules database. If the rules database is not accessible,
all connections are dropped.
$ sudo apt install ucspi-tcp-ipv6 # or ucspi-tcp
# default is deny
# 192.168.1.1: deny this specific address
# 127: deny any address beginning with 127
# ::1: deny the IPv6 loopback address
# :allow (empty address) resets the default to allow
cat <<EOF > rules.txt
192.168.1.1:deny
127:deny
::1:deny
:allow
EOF
tcprules rules.cdb rules.cdb.tmp < rules.txt
LD_PRELOAD=./libsockfilter_connect.so \
LIBSOCKFILTER_CONNECT=./rules.cdb \
nc -vvv 127.0.0.1 22
LD_PRELOAD=./libsockfilter_accept.so \
LIBSOCKFILTER_ACCEPT=./rules.cdb \
nc -vvv -k -l 9999
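The matching these rules rely on, as an added stand-alone C example that is not libsockfilter's own code: a decision function that applies tcprules-style most-specific matching (exact address, then ever-shorter dotted prefixes, then the empty catch-all) to the rules above. It assumes the rules are read as text rather than from the compiled cdb, and it handles IPv6 addresses as exact matches only.

```c
#include <stdio.h>
#include <string.h>

/* Constructed rules in the README's "address:action" form (a text stand-in for the cdb). */
static const char *RULES = "192.168.1.1:deny\n127:deny\n::1:deny\n:allow\n";

/* Find the rule whose address is exactly key[0..klen); copy its action, return 1 (0 if none).
 * The last ':' on a line splits address from action, so IPv6 addresses such as ::1 parse. */
static int find_rule(const char *rules, const char *key, size_t klen, char *action, size_t asz)
{
    const char *line = rules;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t llen = end ? (size_t)(end - line) : strlen(line);
        size_t sep = llen;                                /* index just past the last ':' */
        while (sep > 0 && line[sep - 1] != ':') sep--;
        if (sep > 0 && sep - 1 == klen && memcmp(line, key, klen) == 0) {
            size_t n = llen - sep;
            if (n >= asz) n = asz - 1;
            memcpy(action, line + sep, n);
            action[n] = '\0';
            return 1;
        }
        line = end ? end + 1 : line + llen;
    }
    return 0;
}

/* Decide for one peer address: 1 = allow, 0 = deny. Most-specific rule wins: the exact
 * address, then ever-shorter dotted prefixes ("192.168.1.1" -> "192.168.1" -> "192.168"
 * -> "192"), then the empty catch-all. No match at all denies (fail closed, like the
 * README's inaccessible-database case). Assumption: IPv6 peers match exactly only. */
int sockfilter_decide(const char *rules, const char *peer)
{
    char action[16];
    size_t n = strlen(peer);
    for (;;) {
        if (find_rule(rules, peer, n, action, sizeof action))
            return strcmp(action, "allow") == 0;
        if (n == 0) return 0;
        while (n > 0 && peer[n - 1] != '.') n--;      /* back up to the last dot ... */
        if (n > 0) n--;                               /* ... and drop the dot as well */
    }
}

int main(void)
{
    const char *peers[] = { "127.0.0.1", "192.168.1.1", "192.168.1.2", "::1", "10.0.0.1" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-12s %s\n", peers[i], sockfilter_decide(RULES, peers[i]) ? "allow" : "deny");
    return 0;
}
```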
Using the ipsum list (https://github.com/stamparm/ipsum) as a deny list, keeping only addresses that appear on three or more of its source blocklists (the second column of ipsum.txt is the blocklist count), followed by a catch-all allow:
(
curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | awk '/^#/{ next } $2 ~ /^[1-2]$/{next} {print $1 ":deny"}'
echo :allow
) | tcprules rules.cdb rules.cdb.tmp
See also: connect(2), accept(2), tcprules(1), hosts.allow(5), hosts.deny(5)