Yes, IPTables blocks the immediate connection to the service, while hosts.deny does the same.
For a good situation, I did the following:
ALL : ALL
SSH <--(I forgot the correct syntax) : DENY EXCEPT 184.108.40.206 220.127.116.11 18.104.22.168
I believe that's how I did it. And in my IPTables, port 22 [ssh] was shut down and only open to the IPs: 22.214.171.124 126.96.36.199 188.8.131.52
Do I prefer one? I use both "just-in-case"--They both work effectively, but IPTables seems to be MUCH more flexible because it can also block pings, fin, syn, xmas, smurf & other attacks and probes.
If you're looking for a quick and dirty way to learn practical IPTables, take a look at http://iptablesrocks.org/
I hope this helps,
PS- I don't remember the exact syntax I used in hosts.deny (it has been awhile), so make sure to check out the man pages before putting up the production server.
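
The layered setup described in the post above, as an added example that is not part of the original post: it prints TCP Wrappers entries in the hosts_access(5) syntax and the matching iptables commands for an SSH allow-list. The function names and the addresses (RFC 5737 documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: renders TCP Wrappers and iptables rules that limit SSH to an
# allow-list. It only prints text; nothing is written to /etc or loaded.
# The addresses below are constructed (RFC 5737 documentation ranges).
ALLOWED="192.0.2.10 198.51.100.7 203.0.113.5"

# valid_ipv4 ADDR: succeed only for a dotted quad with each octet in 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# check_list "ADDR ...": fail on the first malformed entry so a typo never
# turns into a rule that silently matches nothing.
check_list() {
    for ip in $1; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
}

# hosts_allow "ADDR ...": hosts.allow is consulted first; a match grants access.
# The daemon name is sshd (the process name), not "SSH" or the port number.
hosts_allow() {
    check_list "$1" || return 1
    echo "sshd: $1"
}

# hosts_deny: anything not matched in hosts.allow is refused.
hosts_deny() { echo "ALL: ALL"; }

# iptables_rules "ADDR ...": one ACCEPT per source, then DROP for the rest of
# port 22. Order matters because the first matching rule wins.
iptables_rules() {
    check_list "$1" || return 1
    for ip in $1; do
        echo "iptables -A INPUT -p tcp -s $ip --dport 22 -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

echo "# /etc/hosts.allow"; hosts_allow "$ALLOWED"
echo "# /etc/hosts.deny";  hosts_deny
echo "# firewall";         iptables_rules "$ALLOWED"
```

Upstream OpenSSH dropped TCP Wrappers support in release 6.7, so the hosts.allow/hosts.deny half only takes effect where sshd is built with libwrap; the iptables half does not depend on it.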