[TriLUG] Problems with hosts.deny hosts.allow

Jon Carnes jonc at nc.rr.com
Mon Mar 11 10:53:45 EST 2002


What you are missing are firewall rules.  TCP Wrappers is not as reliable as
IPChains (or IPTables).  You should use firewall rules for this sort of
restriction.
   # default policy for the input chain: drop everything not explicitly accepted
   ipchains -P input DENY
   # TCP (protocol 6) ports 20-23 from A and B to C
   ipchains -A input -s 192.168.0.1/255.255.255.255 -d 192.168.0.3/255.255.255.255 20:23 -p 6 -j ACCEPT
   ipchains -A input -s 192.168.0.2/255.255.255.255 -d 192.168.0.3/255.255.255.255 20:23 -p 6 -j ACCEPT

That covers FTP, SSH, and Telnet.  You can set VNC to a specific port and
then allow it as well.  Let's say that you use port 5912 for your VNC
connection:

   # TCP port 5912 from A and B to C
   ipchains -A input -s 192.168.0.1/255.255.255.255 -d 192.168.0.3/255.255.255.255 5912:5912 -p 6 -j ACCEPT
   ipchains -A input -s 192.168.0.2/255.255.255.255 -d 192.168.0.3/255.255.255.255 5912:5912 -p 6 -j ACCEPT
===

If you are simply interested (in an academic way) in the arcane and archaic
use of the host files, then you might try looking at the man pages (man
hosts.allow)
===
  The default policy (no access) is implemented with a trivial deny file:

  /etc/hosts.deny:
     ALL: ALL

  This denies all service to all hosts, unless they are permitted access
  by entries in the allow file.

  The  explicitly  authorized  hosts are listed in the allow file.  For
  example:

  /etc/hosts.allow:
     ALL: LOCAL @some_netgroup
     ALL: .foobar.edu EXCEPT terminalserver.foobar.edu

  The first rule permits access  from  hosts  in  the  local
  domain  (no  `.' in the host name) and from members of the
  some_netgroup netgroup.  The second  rule  permits  access
  from  all hosts in the foobar.edu domain (notice the leading
  dot), with the exception of terminalserver.foobar.edu.
===

Hope this helps - Jon
----- Original Message -----
From: "Vestal, Roy L." <rvestal at rti.org>
To: "'Trilug-Triangle Linux Users Group'" <trilug at trilug.org>
Sent: Monday, March 11, 2002 9:59 AM
Subject: [TriLUG] Problems with hosts.deny hosts.allow


> What is the syntax for hosts.allow?
>
> Here's my problem. "The names (and IP's) have been changed to protect the
> identity of the innocent"
>
> Machine A: laptop - rlvlaptop 192.168.0.1
> Machine B: desktop1 - rlvdesk1 192.168.0.2
> Machine C: desktop2 - rlvdesk2 192.168.0.3
>
> What I want to do is to set it up so that A and B can telnet, FTP, SSH, and
> VNC to C.  If I remove "all:all" from hosts.deny, then they can. If I add
> "all:all" then they cannot. I've added "192.168.0.1" and "192.168.0.2" to
> machine C's hosts.allow, but I still cannot connect ("connection closed by
> foreign host" error).
>
> What am I missing? Also, I eventually want the network 192.168.x.x to be
> able to connect as well. How do I add this to the hosts.allow?
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
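The hosts_access(5) behaviour the thread is arguing about, as an added example that is not part of either message: a small Python model of how libwrap reads hosts.allow and hosts.deny (allow file first, then deny file, otherwise accept), written here to show why a bare "192.168.0.1" line grants nothing while "ALL: 192.168.0.1 192.168.0.2", "ALL: 192.168." or "ALL: 192.168.0.0/255.255.0.0" do. The daemon names (sshd, in.telnetd, in.ftpd), the sample files and the client addresses are constructed for the example; hostname patterns (LOCAL, @netgroup, leading-dot domains, KNOWN/UNKNOWN/PARANOID) and the shell_command field are deliberately not modelled.

```python
"""Simplified model of tcp_wrappers access control (hosts_access(5)).

Added example, not code from the mailing list.  It re-implements only the
parts of libwrap's matching needed to explain the thread: daemon lists,
client lists of IP addresses, trailing-dot prefixes, net/mask pairs,
the ALL wildcard and the EXCEPT operator.
"""
import ipaddress
import logging

log = logging.getLogger("hosts_access_model")


def parse_access_file(text):
    """Return (daemon_list, client_list) pairs for each usable rule line.

    A rule line is  daemon_list : client_list [: shell_command].  Blank lines
    and '#' comments are skipped.  A line with no ':' separator is a syntax
    error: libwrap logs a 'missing ":" separator' warning and the line matches
    nothing, so a bare IP address in hosts.allow never permits anything.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            log.warning('line %d: missing ":" separator, ignored: %r', lineno, line)
            continue
        rules.append((fields[0].strip(), fields[1].strip()))
    return rules


def _client_token_matches(token, addr):
    """Match one client pattern against a numeric IPv4 address."""
    if token == "ALL":
        return True
    if token.endswith("."):           # prefix form: 192.168. matches 192.168.x.x
        return str(addr).startswith(token)
    if "/" in token:                  # net/mask form: 192.168.0.0/255.255.0.0
        net, mask = token.split("/", 1)
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    try:
        return addr == ipaddress.ip_address(token)
    except ValueError:
        return False                  # hostname patterns are not modelled here


def _daemon_token_matches(token, daemon):
    return token == "ALL" or token == daemon


def _list_matches(tokens, value, match_fn):
    """libwrap list semantics: 'a b EXCEPT c d' matches when a token before
    EXCEPT matches and the list after EXCEPT does not; the tail is evaluated
    recursively, so x EXCEPT y EXCEPT z means x EXCEPT (y EXCEPT z)."""
    if "EXCEPT" in tokens:
        idx = tokens.index("EXCEPT")
        head, tail = tokens[:idx], tokens[idx + 1:]
    else:
        head, tail = tokens, []
    if not any(match_fn(tok, value) for tok in head):
        return False
    return not (tail and _list_matches(tail, value, match_fn))


def hosts_access(daemon, client_ip, allow_text, deny_text):
    """True if the (daemon, client) pair would be accepted.

    Evaluation order is fixed: a match in hosts.allow accepts, otherwise a
    match in hosts.deny rejects, otherwise the connection is accepted.
    """
    addr = ipaddress.ip_address(client_ip)

    def table_match(text):
        for daemons, clients in parse_access_file(text):
            if (_list_matches(daemons.split(), daemon, _daemon_token_matches)
                    and _list_matches(clients.split(), addr, _client_token_matches)):
                return True
        return False

    if table_match(allow_text):
        return True
    if table_match(deny_text):
        return False
    return True


# Constructed configurations for machines A (.1), B (.2) and C (.3) in the post.
DENY_ALL = "ALL: ALL\n"
BROKEN_ALLOW = "192.168.0.1\n192.168.0.2\n"             # no daemon list: never matches
FIXED_ALLOW = "ALL: 192.168.0.1 192.168.0.2\n"
NETWORK_ALLOW = "ALL: 192.168.0.0/255.255.0.0\n"       # equivalent: ALL: 192.168.
SELECTIVE_ALLOW = ("sshd in.ftpd: 192.168. EXCEPT 192.168.0.3\n"
                   "in.telnetd: 192.168.0.1\n")

if __name__ == "__main__":
    for label, allow in (("broken", BROKEN_ALLOW), ("fixed", FIXED_ALLOW),
                         ("network", NETWORK_ALLOW), ("selective", SELECTIVE_ALLOW)):
        for client in ("192.168.0.1", "192.168.0.2", "192.168.5.7", "10.0.0.1"):
            print(f"{label:9} sshd from {client:12}: "
                  f"{'accept' if hosts_access('sshd', client, allow, DENY_ALL) else 'reject'}")
```

Running it prints an accept/reject line per configuration and client; the "broken" file rejects every client because both lines are dropped at parse time, which is the "connection closed by foreign host" symptom described in the question. Note that this models only the wrapper check: a daemon is covered by hosts.allow only if it runs through tcpd from inetd or is linked against libwrap, and a packet filter in front of the host (as the reply recommends) is evaluated before any of this.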
