This is a discussion on TCP wrappers and iptables within the Linux Networking forums, part of the Linux Forums category.
Can someone please explain the relationship between iptables and TCP wrappers (if any)? From what I can make out both do the same thing: allow specification of what traffic to block and what to accept. I think iptables is more powerful in that it allows a wider variety of rules to be constructed. The following are my questions:

On a Redhat Linux 9 machine do services controlled by xinetd check hosts.allow and hosts.deny before or after iptables? Why are TCP wrappers needed when iptables exist and are enabled?

TIA
-Ravi.
Ravi <rg27@cse.buffalo.edu> wrote:
[..]
> On a Redhat Linux 9 machine do services controlled by xinetd check
> hosts.allow and hosts.deny before or after iptables? Why are TCP
> wrappers needed when iptables exist and are enabled?

Security is like an onion, the more trays, the better. Iptables and tcp_wrapper have nothing in common, despite the ability to allow/deny access to services. Usually a packet will go through iptables before tcp_wrappers, so if your firewall fails for whatever reason, you still have tcp_wrapper. If possible I'd use both.

Good luck
--
Michael Heiming
Remove +SIGNS and www. if you expect an answer, sorry for inconvenience, but I get tons of SPAM
Michael Heiming <michael+USENET@www.heiming.de> wrote in message news:<3791nb.9f2.ln@news.heiming.de>...
> Security is like an onion, the more trays, the better.

wu-ftp has an option to enter valid tcpips and so does tcp wrappers. This is confusing: lower levels of security in each service. Isn't tcp wrappers supposed to eliminate the need to duplicate valid tcpips in each service?

I think there is a lot of superstition around security. Every basic element of security should not conflict with each other. Basic winter clothing concept is not to just keep adding layers to your winter wear (how's that analogy? thermal layer = tcp wrappers, shell layer = iptables). From my reading the most significant security measures are eliminating unused services and making a non-root user for services. How humiliating it would be to learn later that someone broke into your computer by exploiting a service that you never used!
On Mon, 20 Oct 2003 13:58:55 -0400, Ravi <rg27@cse.buffalo.edu> wrote:
> Can someone please explain the relationship between iptables and TCP
> wrappers (if any)? From what I can make out both do the same thing allow
> specification of what traffic to block and what to accept. I think
> iptables is more powerful in that it allows a wider variety of rules to
> be constructed. The following are my questions:

iptables blocks or allows based on IP/port/protocol/interface, but knows nothing about hostnames or domains. tcpwrappers can, among other factors, block or allow based on connecting hostname (although, ipv6 complicates matters). So, unrelated, tcpwrappers has its place for finer control of ports that you do let in through iptables. For example my iptables allows port 22 in, but hosts.deny includes ALL: UNKNOWN. So nameless IPs (or broken DNS) would be immediately refused without even getting a chance to crack me. But my sshd is also configured to require keys only, so even password crack attempts by known hosts would be futile.

--
David Efflandt - All spam ignored
http://www.de-srv.com/ http://www.autox.chicago.il.us/ http://www.berniesfloral.net/ http://cgi-help.virtualave.net/ http://hammer.prohosting.com/~cgi-wiz/
neon_bikini <neon_bikini@hotmail.com> wrote:
> Michael Heiming <michael+USENET@www.heiming.de> wrote in message news:<3791nb.9f2.ln@news.heiming.de>...
> > Security is like an onion, the more trays, the better.
> wu-ftp has an option to enter valid tcpips and so does tcp wrappers.
> This is confusing-lower levels of security in each service. Isnt tcp
> wrappers supposed to eliminate the need to duplicate valid tcpips in
> each service?

Well, but then you can compile wu-ftpd like others without tcp_wrapper support, not all *nix system have it out of the box. There is not only Linux.

> I think there is a lot of superstition around security. Every basic
> element of security should not conflict with eachother. Basic winter
> clothing concept is not to just keep adding layers to your winter wear
> (how's that analogy? thermal layer= tcp wrappers, shell layer=ip
> tables). From my reading the most significant security measures are

Iptables isn't a shell layer, it's the Linux kernel firewall (2.4.x).

--
Michael Heiming
Remove +SIGNS and www. if you expect an answer, sorry for inconvenience, but I get tons of SPAM
efflandt@xnet.com (David Efflandt) wrote in message news:<slrnbp9df1.dm6.efflandt@typhoon.xnet.com>...
> iptables blocks or allows based on IP/port/protocol/interface, but knows
> nothing about hostnames or domains. tcpwrappers can, among other factors,
> block or allow based on connecting hostname (although, ipv6 complicates
> matters). So unrelated tcpwrappers has its place for finer control of
> ports that you do let in through iptables.

So it is the admin's decision to use iptables for tcpip and port security, and additional security of hosts with tcp wrappers. Because IPs can be regulated with tcp wrappers does not mean you have to use it.

Here is where I am again confused. If iptables is regulating ports, and tcp wrappers can regulate services, HOWTO tell /etc/hosts.allow:

    portmap: my.sub.net.number/my.sub.net.mask
    mountd: my.sub.net.number/my.sub.net.mask
    lockd: my.sub.net.number/my.sub.net.mask
    statd: my.sub.net.number/my.sub.net.mask

....which, iptables or wrappers, can be used to give specific xinetd.d control? And do I need to specify anything in wu-ftpd? There are so many options, even with a full install.