Provides a dedicated configuration pathway and security wrapper for the Docker MCP Toolkit, enabling users to intercept, log, and filter tool calls for containerized MCP servers.
mcpwall
iptables for MCP. Blocks dangerous tool calls, scans for secret leakage, logs everything. No AI, no cloud, pure rules.
Sits between your AI coding tool (Claude Code, Cursor, Windsurf) and MCP servers, intercepting every JSON-RPC message and enforcing YAML-defined policies.
Why
MCP servers have full access to your filesystem, shell, databases, and APIs. When an AI agent calls tools/call, the server executes whatever the agent asks — reading SSH keys, running rm -rf, exfiltrating secrets. There's no built-in policy layer.
mcpwall adds one. It's a transparent stdio proxy that:
Blocks sensitive file access —
.ssh/,.env, credentials, browser dataBlocks dangerous commands —
rm -rf, pipe-to-shell, reverse shellsScans for secret leakage — API keys, tokens, private keys (regex + entropy)
Logs everything — JSON Lines audit trail of every tool call
Uses zero AI — deterministic rules, no LLM decisions, no cloud calls
Install
Or use directly with npx:
Quick Start
Option 1: Docker MCP Toolkit
If you use Docker MCP Toolkit (the most common setup), change your MCP config from:
To:
That's it. mcpwall now sits in front of all your Docker MCP servers, logging every tool call and blocking dangerous ones. No config file needed — sensible defaults apply automatically.
Option 2: Interactive setup
This finds your existing MCP servers in ~/.claude.json or .mcp.json and wraps them.
Option 3: Manual wrapping (any MCP server)
Change your MCP config from:
To:
Option 4: Wrap a specific server
How It Works
Intercepts every JSON-RPC request on stdin
Parses
tools/callrequests — extracts tool name and argumentsWalks rules top-to-bottom, first match wins
Allow: forward to real server
Deny: return JSON-RPC error to host, log, do not forward
Responses from server are forwarded back and logged
Configuration
Config is YAML. mcpwall looks for:
~/.mcpwall/config.yml(global).mcpwall.yml(project, overrides global)
If neither exists, built-in default rules apply.
Example config
Rule matchers
Matcher | Description |
| Regular expression test on the value |
| Glob pattern (uses minimatch) |
| Matches if path is NOT under the given directory. Supports |
| When |
The special key _any_value applies the matcher to ALL argument values.
Built-in rule packs
rules/default.yml— sensible defaults (blocks SSH, .env, credentials, dangerous commands, secrets)rules/strict.yml— deny-by-default paranoid mode (whitelist only project reads/writes)
Use strict mode:
CLI
Options:
-c, --config <path>— path to config file--log-level <level>— override log level (debug/info/warn/error)
Audit Logs
All tool calls are logged by default — both allowed and denied. Logs are written as JSON Lines to ~/.mcpwall/logs/YYYY-MM-DD.jsonl:
Denied entries have args redacted to prevent secrets from leaking into logs.
mcpwall also prints color-coded output to stderr so you can see decisions in real time.
Security Design
Fail closed on invalid config: Bad regex in a rule crashes at startup, never silently passes traffic
Args redacted on deny: Blocked tool call arguments are never written to logs
Path traversal defense:
not_undermatcher usespath.resolve()to prevent../bypassPre-compiled regexes: All patterns compiled once at startup for consistent performance
No network: Zero cloud calls, zero telemetry, runs entirely local
Deterministic: Same input + same rules = same output, every time
License
FSL-1.1-ALv2 — source-available, converts to Apache 2.0 after 2 years.
mcpwall is not affiliated with or endorsed by Anthropic or the Model Context Protocol project. MCP is an open protocol maintained by the Agentic AI Foundation under the Linux Foundation.