libsockfilter - connection filtering for dynamically linked applications

• server

LD_PRELOAD=libsockfilter_accept.so COMMAND ARG ...

• client

LD_PRELOAD=libsockfilter_connect.so COMMAND ARG ...

An experimental library for adding connection filtering to any dynamically linked application using tcprules rules.

In contrast to managing a firewall, libsockfilter allows applications to enforce network access without requiring any special privileges.

libsockfilter requires libcdb.

apt install libcdb-dev
apt install ucspi-tcp-ipv6 # or ucspi-tcp
make

LIBSOCKFILTER_DEBUG : Write errors to stdout (default: disabled).

LIBSOCKFILTER_ACCEPT : Path to rules database. If the rules database is not accessible, all connections are dropped.

LIBSOCKFILTER_CONNECT : Path to rules database. If the rules database is not accessible, all connections are dropped.

$ sudo apt install ucspi-tcp-ipv6 # or ucspi-tcp

# default is deny
# 192.168.1.1: deny specific match
# 127: deny any IP beginning with 127
# reset default to allow
cat <<EOF > rules.txt
192.168.1.1:deny
127:deny
::1:deny
:allow
EOF

cat rules.txt | tcprules rules.cdb rules.cdb.tmp

LD_PRELOAD=./libsockfilter_connect.so \
 LIBSOCKFILTER_CONNECT=./rules.cdb \
 nc -vvv 127.0.0.1 22

LD_PRELOAD=./libsockfilter_accept.so \
 LIBSOCKFILTER_ACCEPT=./rules.cdb \
 nc -vvv -k -l 9999

Using ipsum:

(
curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | awk '/^#/{ next } $2 ~ /^[1-2]$/{next} {print $1 ":deny"}'
echo :allow
) | tcprules rules.cdb rules.cdb.tmp

connect(2), accept(2), tcprules(1), hosts.allow(5), hosts.deny(5)