服务的访问控制列表

TCP Wrapper是RHEL 6/7系统中默认启用的一款流量监控程序，它能够根据来访主机的地址与本机的目标服务程序做出允许或拒绝的操作在，RHEL 8版本中，它已经被firewalld正式替代

Linux系统中其实有两个层面的防火墙，第一种是前面讲到的基于TCP/IP协议的流量过滤工具，而TCP Wrapper服务则是能允许或禁止Linux系统提供服务的防火墙，从而在更高层面保护了Linux系统的安全运行

TCP Wrapper服务的防火墙策略由两个控制列表文件所控制，用户可以编辑允许控制列表文件来放行对服务的请求流量，也可以编辑拒绝控制列表文件来阻止对服务的请求流量。控制列表文件修改后会立即生效，系统将会先检查允许控制列表文件（/etc/hosts.allow），如果匹配到相应的允许策略则放行流量；如果没有匹配，则会进一步匹配拒绝控制列表文件（/etc/hosts.deny），若找到匹配项则拒绝该流量。如果这两个文件都没有匹配到，则默认放行流量

RHEL8版本中已不再支持TCP Wrappers服务程序

优先级

1. /etc/hosts.allow：允许服务
2. /etc/hosts.deny：拒绝服务

下面编写拒绝策略规则文件，禁止访问本机sshd服务的所有流量（无须修改/etc/hosts.deny文件中原有的注释信息）

[root@xiudaochengxian ~]# vim /etc/hosts.deny 
  1 #
  2 # hosts.deny    This file contains access rules which are     used to
  3 #               deny connections to network services that     either use
  4 #               the tcp_wrappers library or that have been
  5 #               started through a tcp_wrappers-enabled xin    etd.
  6 #
  7 #               The rules in this file can also be set up     in
  8 #               /etc/hosts.allow with a 'deny' option inst    ead.
  9 #
 10 #               See 'man 5 hosts_options' and 'man 5 hosts    _access'
 11 #               for information on rule syntax.
 12 #               See 'man tcpd' for information on tcp_wrap    pers
 13 #
 14 sshd:*
[root@xiudaochengxian ~]# ssh 192.168.1.105
ssh_exchange_identification: read: Connection reset by peer

在允许策略规则文件中添加一条规则，使其放行源自192.168.1.0/24网段，且访问本机sshd服务的所有流量。可以看到，服务器立刻就放行了访问sshd服务的流量，效果非常直观

[root@xiudaochengxian ~]# vim /etc/hosts.allow 
  1 #
  2 # hosts.allow   This file contains access rules which are     used to
  3 #               allow or deny connections to network servi    ces that
  4 #               either use the tcp_wrappers library or tha    t have been
  5 #               started through a tcp_wrappers-enabled xin    etd.
  6 #
  7 #               See 'man 5 hosts_options' and 'man 5 hosts    _access'
  8 #               for information on rule syntax.
  9 #               See 'man tcpd' for information on tcp_wrap    pers
 10 #
 11 sshd:192.168.1.
[root@xiudaochengxian ~]#ssh 192.168.1.105
The authenticity of host '192.168.1.105 (192.168.1.105)' can't be established.
ECDSA key fingerprint is SHA256:fiTPucRYLsdfDkT9bK7g3AeAnFjAqT8LkjNJZZZY4yQ.
ECDSA key fingerprint is MD5:1c:2c:f3:b7:69:89:5a:6c:38:d2:2c:7f:5c:8d:a6:78.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.105' (ECDSA) to the list of known hosts.
root@192.168.1.105's password: 
Last login: Wed Apr  7 09:25:46 2021