TCP Wrappers can be used to GRANT or DENY access to various services on your machine to the outside network or other machines on the same network. It does this by using simple Access List Rules which are included in the two files /etc/hosts.allow and /etc/hosts.deny .

Let consider that remote1 machine tries to access your local machine local1 on ssh port.

When the request from the remote1 is received by the tcp wrapped service (SSH in this case), it takes the following basic steps:
It checks the /etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule , it allows the connection. If no rule is found, it moves on to step 2.
It checks the /etc/hosts.deny file and if a matching rule is found, it deny's the connection.

IMPORTANT !!!

- Rules in hosts.allow takes precedence over rules in hosts.deny . Which means if a matching rule is found in hosts.allow file, the remote_mc is allowed access to the service even if there is a matching deny rule in hosts.deny file.
- You can have only one rule per service in hosts.allow and hosts.deny file.
- If there are no matching rules in either of the files or if the files don't exist, then the remote_mc is allowed access to the service.
- Any changes to hosts.allow and hosts.deny file takes immediate effect.

SYNTAX

---

The syntax for both hosts.allow and hosts.deny file :
daemon : client [:option1:option2:...]

Where daemon can be a combination of ssh daemon, ftp daemon, portmap daemon and so on. Basically any service which has support for libwrap.a library compiled into it is a good candidate for utilizing the services of TCP Wrappers.

client is a comma separated list of hostnames, host IP addresses, special patterns or special wildcards which identify the hosts effected by that rule.

options is an optional action like say sending mail to the administrator when this rule is matched, log to a particular file and so on. It can be a colon separated list of actions too.


Wildcards

---

You can use wildcards in the client section of the rule to broadly classify a set of hosts. These are the valid wildcards that can be used.

ALL - Matches everything
LOCAL - Matches any host that does not contain a dot (.) like localhost.
KNOWN - Matches any host where the hostname and host addresses are known or where the user is known.
UNKNOWN - Matches any host where the hostname or host address are unknown or where the user is unknown.
PARANOID - Matches any host where the hostname does not match the host address.


Patterns

---

You can also use patterns in the client section of the rule . Some examples are as follows:

ALL : .xyz.com
Matches all hosts in the xyz.com domain . Note the dot (.) at the beginning.

ALL : 123.12.
Matches all the hosts in the 123.12.0.0 network. Note the dot (.) in the end of the rule.

ALL : 192.168.0.1/255.255.255.0
IP address/Netmask can be used in the rule.

ALL : *.xyz.com
Asterisk * matches entire groups of hostnames or IP addresses.

sshd : /etc/sshd.deny
If the client list begins with a slash (/), it is treated as a filename. In the above rule, TCP wrappers looks up the file sshd.deny for all SSH connections.

sshd : ALL EXCEPT 192.168.0.15
If the above rule is included in the /etc/hosts.deny file, then it will allow ssh connection for only the machine with the IP address 192.168.0.15 and block all other connections. Here EXCEPT is an operator.

IMPORTANT !!!

If you want to restrict use of NFS and NIS then you may include a rule for portmap . Because NFS and NIS depend on portmap for their successful working. In addition, changes to portmap rules may not take effect immediately.

Usage scenarios

---

1.
#FILE /etc/hosts.allow :
sshd : .example.com
#FILE /etc/hosts.deny :
sshd : ALL
Allow access to SSH service from all hosts in example.com domain and deny access to all the others.


2.
#FILE: /etc/hosts.deny
vsftpd : 192.168.1. , .abc.example.com : spawn /bin/echo `/bin/date` access denied >> /var/log/vsftpd.log : deny
Denies FTP access from network 192.168.1. and domain .abc.example.com

spawn and deny are options. Spawn launches a shell command as a child process. In the above rule, spawn logs a message to the vsftpd log file each time the rule matches. deny is optional if you are including this rule in the hosts.deny file.

IMPORTANT !!!

The last line in the files hosts.allow and hosts.deny must be a new line character. Or else the rule will fail

3.
#FILE /etc/hosts.allow
sshd : .xyz.com : severity emerg
Want to log all connections made to SSH with a priority of emergency


4.
in.telnetd : 192.168.5.5 : deny
in.telnetd : 192.168.5.6 : allow
Can use the options allow or deny to allow or restrict on a per client basis in either of the files hosts.allow and hosts.deny


Shell commands

---

spawn - This option launches a shell command as a child process. For example, look at the following rule:

sshd : 192.168.5.5 : spawn /bin/echo `/bin/date` from %h >> /var/log/ssh.log : deny
Each time the rule is satisfied, the current date and the clients hostname %h is appended to the ssh.log file.

twist - This is an option which replaces the request with the specified command. For example, if you want to send to the client trying to connect using ssh to your machine, that they are prohibited from accessing SSH, you can use this option.

sshd : client1.xyz.com : twist /bin/echo "You are prohibited from accessing this service!!" : deny


When using spawn and twist, you can use a set of expressions. They are as follows :

---

%a — The client's IP address.
%A — The server's IP address.
%c — Supplies a variety of client information, such as the username and hostname, or the username and IP address.
%d — The daemon process name.
%h — The client's hostname (or IP address, if the hostname is unavailable).
%H — The server's hostname (or IP address, if the hostname is unavailable).
%n — The client's hostname. If unavailable, unknown is printed. If the client's hostname and host address do not match, paranoid is printed.
%N — The server's hostname. If unavailable, unknown is printed. If the server's hostname and host address do not match, paranoid is printed.
%p — The daemon process ID.
%s — Various types of server information, such as the daemon process and the host or IP address of the server.
%u — The client's username. If unavailable, unknown is printed.

---