Linux TCP Wrappers

Source: Internet
Author: User

1. Introduction to TCP wrapper

(Wikipedia) TCP Wrapper is a host-based networking ACL system, used to filter network access to Internet Protocol servers on (Unix-like) operating systems such as Linux or BSD. It allows host or subnetwork IP addresses, names and/or ident query replies to be used as tokens on which to filter for access control purposes.

Let's see what Daniel says about this stuff: TCP wrappers is a classic security tool available on most flavors of Unix, including AIX, HP-UX, Linux and Solaris. Sadly, despite being a classic tool, it is an extremely underutilized and widely misunderstood tool.

Very few sysadmins know that TCP wrappers represents (for TCP-based protocols only) a lightweight alternative to a firewall (which is actually a heavyweight, obtuse and CPU-intensive tool). Some capabilities of TCP wrappers cannot be emulated using a firewall.

Any service managed by xinetd can filter network access through /etc/hosts.allow and /etc/hosts.deny. Of course, the same functionality can be achieved with parameters such as only_from and no_access in the configuration file of an xinetd-managed service. However, TCP wrappers can be managed more centrally.

If you want to use TCP wrappers to manage a service, the service must support the TCP wrappers functions, i.e. it must be linked against the libwrap.so dynamic library. For example, check whether sshd and httpd can be managed with TCP wrappers:

  

So, sshd can be managed with it, but httpd cannot.

2. TCP Wrappers configuration file

To determine whether a client machine is allowed to connect to a service, TCP wrappers reference the following files, commonly referred to as hosts access files:

    • /etc/hosts.allow
    • /etc/hosts.deny

You can use a single file and include an action (allow or deny) as the last field of each TCP wrapper configuration directive (see the format in section 2.1). Often this is the more transparent approach, as you see all directives in a single file.

The two files are consulted in a fixed order: /etc/hosts.allow takes priority; only if no rule there matches the client's IP address or network segment is /etc/hosts.deny consulted.

2.1 Format of these two files

Each line has the form:

service list : address list : option

A. Service list format: if there are multiple services, separate them with commas.

B. Address list format:

1. Standard IP address; if more than one is used, separate them with commas. Examples:

telnetd: 192.168.8.2, 192.168.9.22: deny

telnetd, sshd: 192.168.4.10, 192.168.6.: allow

2. Host name, for example www.baidu.com; a leading dot, as in .example.com, matches the entire domain. Example:

telnetd, sshd: .mydomain.com: allow

(note the dot "." before mydomain.com in this example; it is a wildcard character)

3. Network mask: 140.116.34.0/255.255.255.0 specifies the entire network segment. Example:

telnetd: 140.116.34.0/255.255.255.0: allow

4. Special fields in the file:

ALL: refers to all hosts
LOCAL: refers to local hosts
KNOWN: hosts whose name can be resolved
UNKNOWN: hosts whose name cannot be resolved

ALL: PARANOID, mydomain: allow

5. If the third column is omitted, the action is implied by the file: a rule in hosts.allow is implicitly allow, and likewise a rule in hosts.deny is implicitly deny.
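The rules above, as an added example that is not part of the original page: a small Python evaluator that applies the hosts.allow-then-hosts.deny search order, the ALL/LOCAL/KNOWN/UNKNOWN wildcards, the domain-suffix, network-prefix and net/mask client forms, and the implicit per-file action. The two rule sets are constructed sample input, and only a bare allow/deny third column is modelled.

```python
import ipaddress

# Constructed sample files (not from the page); rule forms follow section 2.1.
HOSTS_ALLOW = """sshd, telnetd: 192.168.4.10, 192.168.6.
telnetd: 140.116.34.0/255.255.255.0
sshd: .mydomain.com
ALL: 192.168.99.: deny   # explicit action, as in the single-file style
"""
HOSTS_DENY = """telnetd: 192.168.8.2, 192.168.9.22
sshd: ALL: deny
"""

def parse_rules(text):
    # Each rule is 'services : clients [: action]'; only a bare allow/deny
    # third column is modelled (real tcpd also accepts spawn, twist, ...).
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        services = [s.strip() for s in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((services, clients, fields[2].lower() if len(fields) > 2 else None))
    return rules

def client_matches(pattern, ip, hostname):
    # Wildcards: ALL, LOCAL (tcpd: any name without a dot), KNOWN, UNKNOWN.
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return hostname is not None and "." not in hostname
    if pattern in ("KNOWN", "UNKNOWN"):
        return (hostname is not None) == (pattern == "KNOWN")
    if pattern.startswith("."):   # .mydomain.com matches the whole domain
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):     # 192.168.6. matches the whole network
        return ip.startswith(pattern)
    if "/" in pattern:            # net/mask form, e.g. 140.116.34.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip or pattern == hostname

def hosts_access(service, ip, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    # hosts.allow first, then hosts.deny; a third column overrides the file
    # default (allow / deny); no match in either file grants access.
    for text, default in ((allow, "allow"), (deny, "deny")):
        for services, clients, action in parse_rules(text):
            if ("ALL" in services or service in services) and \
                    any(client_matches(c, ip, hostname) for c in clients):
                return (action or default) == "allow"
    return True
```

Note that hostname is None models a client whose reverse lookup failed, which is what the UNKNOWN wildcard matches.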
