Recipe 3.8 Restricting Access by Remote Hosts (xinetd)

3.8.1 Problem

You want only particular remote hosts to access a TCP service via xinetd .

3.8.2 Solution

Use xinetd.conf 's only_from and no_access keywords:

service ftp {         only_from = 192.168.1.107         ... } service smtp {         no_access = haxor.evil.org         ... }

Then reset xinetd so your changes take effect. [Recipe 3.3]

3.8.3 Discussion

This is perhaps the simplest way to specify access control per service. But of course it works only for services launched by xinetd.

only_from and no_access can appear multiple times in a service entry:

{         no_access = haxor.evil.org           deny a particular host         no_access += 128.220.                deny all hosts in a network         ... }

If a connecting host is found in both the only_from and no_access lists, xinetd takes one of the following actions:

• If the host matches entries in both lists, but one match is more specific than the other, the more specific match prevails. For example, 128.220.13.6 is more specific than 128.220.13.

• If the host matches equally specific entries in both lists, xinetd considers this a configuration error and will not start the requested service.

So in this example:

service whatever {         no_access = 128.220.     haxor.evil.org    client.example.com         only_from = 128.220.10.  .evil.org         client.example.com }

connections from 128.220.10.3 are allowed, but those from 128.220.11.2 are denied. Likewise, haxor.evil.org cannot connect, but any other hosts in evil.org can. client.example.com is incorrectly configured, so its connection requests will be refused. Finally, any host matching none of the entries will be denied access.

3.8.4 See Also

xinetd.conf(5).