Deterministic security proxy for MCP tool calls — iptables for MCP.
mcpwall
iptables for MCP. Blocks dangerous tool calls, scans for secret leakage, logs everything. No AI, no cloud, pure rules.
Sits between your AI coding tool (Claude Code, Cursor, Windsurf) and MCP servers, intercepting every JSON-RPC message and enforcing YAML-defined policies.
Why
MCP servers have full access to your filesystem, shell, databases, and APIs. When an AI agent calls tools/call, the server executes whatever the agent asks — reading SSH keys, running rm -rf, exfiltrating secrets. There's no built-in policy layer.
mcpwall adds one. It's a transparent stdio proxy that:
- Blocks sensitive file access —
.ssh/,.env, credentials, browser data - Blocks dangerous commands —
rm -rf, pipe-to-shell, reverse shells - Scans for secret leakage — API keys, tokens, private keys (regex + entropy)
- Scans server responses — redacts leaked secrets, blocks prompt injection patterns, flags suspicious content
- Logs everything — JSON Lines audit trail of every tool call and response
- Uses zero AI — deterministic rules, no LLM decisions, no cloud calls
- Test rules without running the proxy —
mcpwall checkgives instant pass/fail on any tool call
Install
npm install -g mcpwall
Or use directly with npx:
npx mcpwall -- npx -y @modelcontextprotocol/server-filesystem /path/to/dir
Quick Start
Option 1: Docker MCP Toolkit
If you use Docker MCP Toolkit (the most common setup), change your MCP config from:
{
"mcpServers": {
"MCP_DOCKER": {
"command": "docker",
"args": ["mcp", "gateway", "run"]
}
}
}
To:
{
"mcpServers": {
"MCP_DOCKER": {
"command": "npx",
"args": ["-y", "mcpwall", "--", "docker", "mcp", "gateway", "run"]
}
}
}
That's it. mcpwall now sits in front of all your Docker MCP servers, logging every tool call and blocking dangerous ones. No config file needed — sensible defaults apply automatically.
Option 2: Interactive setup
npx mcpwall init
This finds your existing MCP servers in Claude Code, Cursor, Windsurf, and VS Code configs and wraps them. Optionally pick a security profile:
npx mcpwall init --profile company-laptop # stricter rules for managed machines
npx mcpwall init --profile strict # deny-by-default whitelist mode
Option 3: Manual wrapping (any MCP server)
Change your MCP config from:
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/me/projects"]
}
}
}
To:
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": [
"-y", "mcpwall", "--",
"npx", "-y", "@modelcontextprotocol/server-filesystem", "/Users/me/projects"
]
}
}
}
Option 4: Wrap a specific server
npx mcpwall wrap filesystem
How It Works
┌──────────────┐ stdio ┌──────────────┐ stdio ┌──────────────┐
│ Claude Code │ ──────────▶ │ mcpwall │ ──────────▶ │ Real MCP │
│ (MCP Host) │ ◀────────── │ (proxy) │ ◀────────── │ Server │
└──────────────┘ └──────────────┘ └──────────────┘
▲ Inbound rules │
│ (block dangerous requests) │
│ │
└── Outbound rules ◀───────────┘
(redact secrets, block injection)
Inbound (requests):
- Intercepts every JSON-RPC request on stdin
- Parses
tools/callrequests — extracts tool name and arguments - Walks rules top-to-bottom, first match wins
- Allow: forward to real server
- Deny: return JSON-RPC error to host, log, do not forward
Outbound (responses):
- Parses every response from the server before forwarding
- Evaluates against
outbound_rules(same first-match-wins semantics) - Allow: forward unchanged
- Deny: replace response with blocked message
- Redact: surgically replace secrets with `[REDACTED BY MCPW
Configuration
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": [
"-y", "mcpwall", "--",
"npx", "-y", "@modelcontextprotocol/server-filesystem", "/Users/me/projects"
]
}
}
}