Recipe 3.10 Restricting Access by Remote Hosts (xinetd with tcpd)

3.10.1 Problem

You want only particular remote hosts to access a TCP service via xinetd, when xinetd was not compiled with libwrap support.

3.10.2 Solution

Set up access control rules in /etc/hosts.allow and/or /etc/hosts.deny. For example, to permit telnet connections only from 192.168.1.100 and hosts in the example.com domain, add to /etc/hosts.allow:

in.telnetd : 192.168.1.100
in.telnetd : *.example.com
in.telnetd : ALL : DENY

Then modify /etc/xinetd.conf or /etc/xinetd.d/servicename to invoke tcpd in place of your service:

Old /etc/xinetd.conf or /etc/xinetd.d/telnet:
service telnet
{
        ...
        flags = ...
        server = /usr/sbin/in.telnetd
        ...
}

New /etc/xinetd.conf or /etc/xinetd.d/telnet:
service telnet
{
        ...
        flags = ... NAMEINARGS
        server = /usr/sbin/tcpd
        server_args = /usr/sbin/in.telnetd
        ...
}

Then reset xinetd so your changes take effect. [Recipe 3.3]

3.10.3 Discussion

This technique is only for the rare case when, for some reason, you don't want to use xinetd's built-in access control [Recipe 3.8] and your xinetd does not have libwrap support compiled in. It mirrors the original inetd method of access control using TCP-wrappers. [Recipe 3.11]

You must include the flag NAMEINARGS, which tells xinetd to look in the server_args line to find the service executable name (in this case, /usr/sbin/in.telnetd).
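As an added example that is not from the book, the Python below checks the two things this recipe depends on: that a tcpd-wrapped xinetd stanza carries NAMEINARGS and a server_args daemon, and which clients the hosts.allow rules above admit for the daemon name tcpd derives from server_args. The parser and rule matcher are simplified constructions assumed here (the host pattern is matched shell-style exactly as written above; netmask and the other hosts_access(5) forms are not handled), and the sample stanza and rules are constructed inline rather than read from a live system.

```python
import fnmatch
import os
import re
# Constructed sample inputs mirroring the recipe; nothing is read from a live system.
XINETD_TELNET = """service telnet
{
        flags = REUSE NAMEINARGS
        server = /usr/sbin/tcpd
        server_args = /usr/sbin/in.telnetd
}"""
HOSTS_ALLOW = "in.telnetd : 192.168.1.100\nin.telnetd : *.example.com\nin.telnetd : ALL : DENY\n"
def parse_xinetd_service(text):
    """Return {attribute: value} for one xinetd service stanza (minimal, constructed parser)."""
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(.*?)\s*$", text, re.M))

def check_tcpd_wrapping(attrs):
    """Problems with a stanza whose server is tcpd (an empty list means it is wired correctly)."""
    if os.path.basename(attrs.get("server", "")) != "tcpd":
        return []  # service is not wrapped with tcpd, nothing to check
    checks = [("server_args must name the real daemon for tcpd to exec", attrs.get("server_args")),
              ("flags lacks NAMEINARGS, so xinetd will not take the daemon name from server_args",
               "NAMEINARGS" in attrs.get("flags", "").split())]
    return [msg for msg, ok in checks if not ok]

def wrapped_daemon(attrs):
    """The name tcpd looks up in hosts.allow: basename of the first word of server_args."""
    return os.path.basename(attrs["server_args"].split()[0])

def _first_match(rules, daemon, addr, name):
    """First match wins; returns its option ('' if none) or None. Patterns: ALL, exact address, shell-style host name."""
    for line in rules.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2 or not fields[0]:
            continue  # blank or comment line
        daemons = [d.strip() for d in fields[0].split(",")]
        if "ALL" not in daemons and daemon not in daemons:
            continue
        for pat in (c.strip() for c in fields[1].split(",")):
            if pat == "ALL" or pat == addr or fnmatch.fnmatch(name, pat):
                return fields[2].upper() if len(fields) > 2 else ""
    return None

def hosts_access(daemon, addr, name, allow=HOSTS_ALLOW, deny=""):
    """hosts_access(5) order: a match in hosts.allow permits, then hosts.deny denies, else permit."""
    for rules, default in ((allow, True), (deny, False)):
        opt = _first_match(rules, daemon, addr, name)
        if opt is not None:  # an explicit ALLOW/DENY option overrides the file's default
            return {"ALLOW": True, "DENY": False}.get(opt, default)
    return True  # no rule in either file matched
```

Note that the trailing `in.telnetd : ALL : DENY` line only closes the door for in.telnetd; any other daemon with no rule in either file is still permitted, which the last two checks in a test would show.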

3.10.4 See Also

xinetd(8), hosts.allow(5), tcpd(8).
