diff --git a/install.sh b/install.sh
index 186b6f1..65b9a71 100755
--- a/install.sh
+++ b/install.sh
@@ -265,6 +265,10 @@ install_exec mxqi/mxqi "$DESTDIR$usr_bindir/m
 install_exec mozilla-launcher/mozilla-launcher "$DESTDIR$usr_libdir/mariux64/mozilla_launcher"
 install_exec mozilla-launcher/fix-thunderbird-amd "$DESTDIR$usr_bindir/fix-thunderbird-amd"
 install_exec syncthing/startstop-syncthing.sh "$DESTDIR$usr_sbindir/startstop-syncthing.sh"
+install_data restrict-module-load/restrict-module-load.timer "$DESTDIR$systemdunitdir/restrict-module-load.timer"
+install_data restrict-module-load/restrict-module-load.service "$DESTDIR$systemdunitdir/restrict-module-load.service"
+install_exec restrict-module-load/modprobe-restricted "$DESTDIR$usr_sbindir/modprobe-restricted"
+install_data restrict-module-load/restricted-module-load.whitelist "$DESTDIR$sysconfdir/restricted-module-load.whitelist"
 postinstall
 exit
diff --git a/restrict-module-load/modprobe-restricted b/restrict-module-load/modprobe-restricted
new file mode 100755
index 0000000..2f37265
--- /dev/null
+++ b/restrict-module-load/modprobe-restricted
@@ -0,0 +1,22 @@
+#! /bin/bash
+
+# kernel sometimes calls with "-q -- module"
+for arg in "$@" ; do
+case "$arg" in
+-*)
+;;
+*)
+alias="$arg"
+;;
+esac
+done
+
+alias="${alias:?parameter missing}"
+module="$(modinfo -F name "$alias" 2>/dev/null || echo "$alias")"
+description="$(modinfo -F description "$module")"
+
+if grep -q "^$module\>" /etc/restricted-module-load.whitelist; then
+exec /usr/sbin/modprobe "$@"
+else
+/usr/bin/logger -t modprobe-restricted "denied loading of module $module (\"$description\") via alias $alias"
+fi
diff --git a/restrict-module-load/restrict-module-load.service b/restrict-module-load/restrict-module-load.service
new file mode 100644
index 0000000..c3c6f3f
--- /dev/null
+++ b/restrict-module-load/restrict-module-load.service
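Review bot: The deny branch of modprobe-restricted ends with the exit status of `/usr/bin/logger`, so a refused request returns 0 to the caller (the kernel's usermodehelper sees success even though nothing was loaded); add `exit 1` after the logger line. The whitelist test on the `if` line interpolates the kernel-supplied name into a regular expression and relies on the GNU-only `\>`; an exact first-field comparison such as `if awk -v m="$module" '$1 == m { found = 1 } END { exit !found }' /etc/restricted-module-load.whitelist; then` avoids both and matches one name per line regardless of the trailing free text. The `description` lookup runs without `2>/dev/null`, unlike the `name` lookup on the line above, so an unknown module prints modinfo's error before the denial is logged; silence it the same way.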
@@ -0,0 +1,6 @@
+[Service]
+
+Type=oneshot
+RemainAfterExit=true
+ExecStart=bash -c "echo /usr/sbin/modprobe-restricted > /proc/sys/kernel/modprobe"
+ExecStop=bash -c "echo /usr/sbin/modprobe > /proc/sys/kernel/modprobe"
diff --git a/restrict-module-load/restrict-module-load.timer b/restrict-module-load/restrict-module-load.timer
new file mode 100644
index 0000000..7ec5796
--- /dev/null
+++ b/restrict-module-load/restrict-module-load.timer
@@ -0,0 +1,7 @@
+[Install]
+
+WantedBy=multi-user.target
+
+[Timer]
+
+OnActiveSec=3min
diff --git a/restrict-module-load/restricted-module-load.whitelist b/restrict-module-load/restricted-module-load.whitelist
new file mode 100644
index 0000000..5e15316
--- /dev/null
+++ b/restrict-module-load/restricted-module-load.whitelist
@@ -0,0 +1,2 @@
+
+af_packet ("Packet socket support (AF_PACKET)") for tcpdump
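Review bot: The service has no `[Unit]` section, so nothing guards against the helper being absent when the timer fires: if `/usr/sbin/modprobe-restricted` is missing or not executable, ExecStart still points `kernel.modprobe` at it and every autoload request then fails with no log entry. Add `[Unit]` with `ConditionPathIsExecutable=/usr/sbin/modprobe-restricted` and a `Description=` that states that only kernel-initiated module autoload is redirected through the helper. ExecStop hard-codes `/usr/sbin/modprobe` rather than the value in effect before ExecStart; that is presumably the system default here, but a comment saying so would help the next reader.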
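Review bot: `OnActiveSec=3min` counts from the moment the timer unit itself becomes active, so a later manual `systemctl start` of the timer delays the restriction three minutes from that point rather than from boot; if the intent is a fixed grace period after boot, `OnBootSec=3min` says that directly. The timer also lacks a `[Unit]` section; a `Description=` naming the delayed activation of restrict-module-load.service would make `systemctl list-timers` output self-explanatory.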
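Review bot: Nothing in the whitelist states its format, and the leading empty line is the only thing above the single entry; the consumer matches the requested module name at the start of a line up to a word boundary, so the text after the name is free-form. A header comment such as `# one kernel module name per line; text after the name is a free-form reason` would document this, and a `#` line cannot collide with a module name. The install path `$DESTDIR$sysconfdir/restricted-module-load.whitelist` matches the `/etc/restricted-module-load.whitelist` read by modprobe-restricted, assuming `sysconfdir` is `/etc`.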