2.6. TCP Wrappers and xinetd
iptables-based firewall filters out unwelcome network packets within the kernel's network stack. For network services that utilize it, TCP Wrappers add an additional layer of protection by defining which hosts are or are not allowed to connect to "wrapped" network services. One such wrapped network service is the
xinetdsuper server. This service is called a super server because it controls connections to a subset of network services and further refines access control.
Figure 2.4. Access Control to Network Services
iptables, see Section 2.8.9, “IPTables”.
2.6.1. TCP Wrappers
/lib64/libwrap.solibrary. In general terms, a TCP-wrapped service is one that has been compiled against the
/etc/hosts.deny) to determine whether or not the client is allowed to connect. In most cases, it then uses the syslog daemon (
syslogd) to write the name of the requesting client and the requested service to
libwrap.solibrary. Such applications include
libwrap.so, type the following command as the root user:
/usr/sbin/sshdis linked to
ldd /usr/sbin/sshd | grep libwraplibwrap.so.0 => /lib/libwrap.so.0 (0x00655000)
220.127.116.11. Advantages of TCP Wrappers
- Transparency to both the client and the wrapped network service — Both the connecting client and the wrapped network service are unaware that TCP Wrappers are in use. Legitimate users are logged and connected to the requested service while connections from banned clients fail.
- Centralized management of multiple protocols — TCP Wrappers operate separately from the network services they protect, allowing many server applications to share a common set of access control configuration files, making for simpler management.