Recipe 3.11 Restricting Access by Remote Hosts (inetd)

3.11.1 Problem

You want only particular remote hosts to access a TCP service via inetd.

3.11.2 Solution

Use tcpd, specifying rules in /etc/hosts.allow and/or /etc/hosts.deny. Here's an example of wrapping the Telnet daemon, in.telnetd, to permit connections only from IP address 192.168.1.100 or hosts in the example.com domain. Add to /etc/hosts.allow:

in.telnetd : 192.168.1.100
in.telnetd : *.example.com
in.telnetd : ALL : DENY

Then modify the appropriate configuration files to substitute tcpd for your service, and restart inetd.

3.11.3 Discussion

The control files /etc/hosts.allow and /etc/hosts.deny define rules by which remote hosts may access local TCP services. Each rule has the form "daemon_list : client_list [: option]". The access control program tcpd is started by inetd in place of the real server, checks the connecting client against the rules, and either runs the service or closes the connection. It searches /etc/hosts.allow first and /etc/hosts.deny second; the first rule matching both the daemon and the client decides, and a connection matched by no rule in either file is allowed. That is why the example ends with an explicit "in.telnetd : ALL : DENY" line: without it, a client that matched neither of the first two rules would be let in by default. The ": DENY" option form is available when tcpd is built with option processing (hosts_options(5)), as the Linux packages are; on a build without it, put "in.telnetd : ALL" in /etc/hosts.deny instead.

Two caveats on the client patterns. The "*" wildcard is a Linux extension to tcp_wrappers; the portable way to match a domain is a leading dot, ".example.com". And any hostname-based rule depends on reverse DNS: tcpd resolves the client's address to a name (and checks that the name resolves back to the same address before trusting it), so an attacker who controls reverse DNS for their address, or a DNS outage, affects what those rules match. Rules written as IP addresses or network/mask pairs (for example "192.168.1.0/255.255.255.0") do not have this dependency and are preferable where they suffice.

The daemon name in a rule is the base name of the server program tcpd is asked to run (in.telnetd here), so keep it consistent with the inetd.conf entry.

First set up your access control rules in /etc/hosts.allow and/or /etc/hosts.deny. Then modify /etc/inetd.conf to invoke the service through tcpd:

Old /etc/inetd.conf:

telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd

New /etc/inetd.conf:

telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd

Finally restart inetd so your changes take effect. [Recipe 3.4] Before relying on the rules, check them: tcpdchk reports syntax errors and rules that refer to services not found in inetd.conf, and tcpdmatch shows what tcpd would decide for a given client, e.g. "tcpdmatch in.telnetd 192.168.1.100" or "tcpdmatch in.telnetd attacker.example.net".

3.11.4 See Also

hosts_access(5), hosts_options(5), tcpd(8), tcpdmatch(8), tcpdchk(8), inetd.conf(5).
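The decision procedure described above (hosts.allow before hosts.deny, first match wins, an ALLOW/DENY option overriding the file it sits in, and "no match means allowed") is easy to get wrong when writing rules. The following Python model of it is an added example, not part of this recipe or of the tcp_wrappers code; the control-file contents, hostnames and addresses in it are constructed for illustration, and the EXCEPT operator, @netgroups and line continuation are deliberately not modelled. On a real system, tcpdmatch gives the authoritative answer against the live files.

```python
"""Minimal model of tcp_wrappers' hosts_access(5) access decision.

Constructed example for illustration; it is not the tcpd source and omits
EXCEPT lists, @netgroup patterns, daemon@host forms and '\\' continuations.
"""
import fnmatch
import ipaddress

# Constructed control files (assumed content, not from any real host).
HOSTS_ALLOW = """\
# daemon_list : client_list [: option]
in.telnetd : 192.168.1.100
in.telnetd : .example.com
in.telnetd : ALL : DENY
sshd       : 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_list, client_list, option)] for one control file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":", 2)          # an option may itself contain ':'
        if len(fields) < 2:
            raise ValueError("rule needs 'daemon_list : client_list': %r" % raw)
        daemons = fields[0].split()
        clients = fields[1].split()
        option = fields[2].strip().upper() if len(fields) == 3 else None
        rules.append((daemons, clients, option))
    return rules


def client_matches(pattern, ip, host):
    """Match one hosts_access(5) client pattern against (address, resolved name)."""
    pattern = pattern.lower()
    host = host.lower()
    if pattern == "all":
        return True
    if pattern == "local":                   # resolved name has no dot
        return "." not in host
    if "/" in pattern:                       # n.n.n.n/m.m.m.m or CIDR prefix
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    if pattern.startswith("."):              # domain suffix, e.g. .example.com
        return host.endswith(pattern)
    if pattern.endswith("."):                # address prefix, e.g. 192.168.1.
        return ip.startswith(pattern)
    if "*" in pattern or "?" in pattern:     # Linux tcp_wrappers wildcard extension
        return fnmatch.fnmatchcase(host, pattern) or fnmatch.fnmatchcase(ip, pattern)
    return pattern == host or pattern == ip  # exact name or address


def daemon_matches(pattern, daemon):
    return pattern.upper() == "ALL" or pattern == daemon


def hosts_access(daemon, ip, host, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide like tcpd: search the allow file, then the deny file; the first
    rule matching both daemon and client wins; an explicit ALLOW/DENY option
    overrides the meaning of the file it is in; no match at all grants access."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients, option in parse_rules(text):
            if any(daemon_matches(d, daemon) for d in daemons) and \
               any(client_matches(c, ip, host) for c in clients):
                if option == "ALLOW":
                    return True
                if option == "DENY":
                    return False
                return verdict
    return True


if __name__ == "__main__":
    # Constructed clients: (daemon, client address, reverse-resolved name).
    for args in (("in.telnetd", "192.168.1.100", "desk.example.com"),
                 ("in.telnetd", "203.0.113.7", "www.example.com"),
                 ("in.telnetd", "203.0.113.7", "203.0.113.7"),
                 ("sshd", "192.168.1.42", "laptop.example.com"),
                 ("sshd", "10.0.0.5", "10.0.0.5")):
        print(args, "->", "ALLOW" if hosts_access(*args) else "DENY")
```

Running the block shows the third client (an unresolvable 203.0.113.7 asking for Telnet) refused by the "ALL : DENY" line even though it lives in hosts.allow, while an unlisted daemon with an empty hosts.deny is let in, which is the default-allow behaviour the explicit final rule exists to close off.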