There are several ways to control access to a service on a Linux server:
1) firewall (netfilter), you use iptables command to administer the rules. firewall work at internet layer by allowing or denying access from/to a specific host which in this case using tcp/ip and tcp/udp port number e.g allowing access to port 80 on a web server. With iptables you can restrict access to any ports / protocols or service.
2) tcpwrapper is another method of allowing or denying access to a specific service which work at application layer. Futhermore, tcpwrappers is implemented in the User space of Linux and can be used only with xinetd based services and works at application layer where as IPTABLES is implemented in the Kernel space of Linux and works in internet layer which of course can be extended to other layers by using various modules.
There are two configuration files involve in this setup:
tcp wrappers is dependent on libwrap.so module
hosts.allow
hosts.deny
Not all program/service can utilize tcpwrapper, only a few.
You use this command to check whether a program/service make use of libwrap.so or not.
[root@localhost Desktop]# ldd $(which sshd) | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fc19ee83000)
This just the fundamental of tcpwrapper and iptables, you need to look into their manuals for more detail.
1) firewall (netfilter), you use iptables command to administer the rules. firewall work at internet layer by allowing or denying access from/to a specific host which in this case using tcp/ip and tcp/udp port number e.g allowing access to port 80 on a web server. With iptables you can restrict access to any ports / protocols or service.
2) tcpwrapper is another method of allowing or denying access to a specific service which work at application layer. Futhermore, tcpwrappers is implemented in the User space of Linux and can be used only with xinetd based services and works at application layer where as IPTABLES is implemented in the Kernel space of Linux and works in internet layer which of course can be extended to other layers by using various modules.
There are two configuration files involve in this setup:
tcp wrappers is dependent on libwrap.so module
hosts.allow
hosts.deny
Not all program/service can utilize tcpwrapper, only a few.
You use this command to check whether a program/service make use of libwrap.so or not.
[root@localhost Desktop]# ldd $(which sshd) | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fc19ee83000)
This just the fundamental of tcpwrapper and iptables, you need to look into their manuals for more detail.
No comments:
Post a Comment