Old 10-11-2006, 06:57 AM   #1
LQ Newbie
Registered: Nov 2005
Location: Buckinghamshire, UK
Distribution: Slackware
Posts: 26

Different Security models - confused.

I'm starting to look at securing my Slackware box. I've got a basic understanding of hosts.allow/hosts.deny and I'm reading iptables tutorials (so far they make sense).

What I don't understand is the relationship between these two security systems. Should I be restricting traffic with hosts.(allow|deny) or should I be using iptables or both? What are the implications of using both - is it possible to set up contradictions where traffic is allowed under the hosts files and denied under iptables etc?

Can someone explain this or point me to a web page which compares the two systems?

Many thanks,

Old 10-11-2006, 07:41 AM   #2
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

hosts.allow and hosts.deny are part of tcpwrappers, which is a framework that any application can be hooked into to abstract IP security to it. this way a service listening on a port can do its own security via an external library without having to reimplement from scratch.

iptables sits within the kernel, not the user land, and will block traffic reaching that service port in the first place. if you block port 22 access in iptables then the netfilter hooks in the kernel will never let that traffic connect to the ssh daemon on port 22. if you do not block it, and instead restrict with tcpwrappers, then ssh receives the actual data and then refers to hosts.allow etc... and then drops it there.

iptables is your firewall, tcpwrappers is your permissions... something like that. additionally many applications are not built with tcpwrappers support so can not benefit from its functionality whereas iptables and netfilter sit in front of the services so will always see that traffic regardless of what is or isn't sitting behind it.
Old 10-11-2006, 07:50 AM   #3
Registered: Aug 2004
Location: Europe
Posts: 608

I would just look at them as different layers of security. If your requirements are fixed and simple (e.g. only allow connections to FTP from local network), then set up iptables and hosts.* the same way so you have 2 layers of protection. If one of them fails for some reason, you still have the other one to protect you.
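
Added example (not part of any post in this thread): a simplified Python model of the two layers described in posts #2 and #3, showing that when the iptables rules and the hosts.* files disagree, the stricter layer decides. The 192.168.1.0/24 LAN, the vsftpd daemon name and the rule tables are constructed assumptions; only CIDR and ALL patterns of the hosts.* syntax are modelled.

```python
import ipaddress

# Constructed policy: LAN 192.168.1.0/24 and daemon "vsftpd" on port 21 are assumptions.
IPTABLES_INPUT = [("192.168.1.0/24", 21, "ACCEPT"), ("0.0.0.0/0", 21, "DROP")]
IPTABLES_POLICY = "ACCEPT"                      # chain default when no rule matches
HOSTS_ALLOW = [("vsftpd", "192.168.1.0/24")]    # (daemon, client pattern)
HOSTS_DENY = [("ALL", "ALL")]


def in_net(src, pattern):
    """True if src matches a CIDR pattern or the wildcard ALL."""
    return pattern == "ALL" or ipaddress.ip_address(src) in ipaddress.ip_network(pattern)


def iptables_verdict(src, dport, rules, policy):
    """Kernel layer: first matching rule wins, otherwise the chain policy applies."""
    for net, port, target in rules:
        if port == dport and in_net(src, net):
            return target
    return policy


def wrappers_allows(daemon, src, allow, deny):
    """Userland layer, hosts_access(5) order: allow match grants, else deny
    match refuses, else access is granted."""
    def hit(table):
        return any(d in ("ALL", daemon) and in_net(src, n) for d, n in table)
    return hit(allow) or not hit(deny)


def connection_outcome(daemon, src, dport, rules=IPTABLES_INPUT,
                       policy=IPTABLES_POLICY, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Report which layer, if any, stops the connection."""
    if iptables_verdict(src, dport, rules, policy) != "ACCEPT":
        return "dropped_by_iptables"        # daemon never sees the packet
    if not wrappers_allows(daemon, src, allow, deny):
        return "refused_by_tcpwrappers"     # daemon accepted, then closed
    return "served"


if __name__ == "__main__":
    for src in ("192.168.1.10", "203.0.113.5"):
        print(src, connection_outcome("vsftpd", src, 21))
    # Contradictory policies: the stricter layer decides either way.
    print(connection_outcome("vsftpd", "203.0.113.5", 21, rules=[]))
    print(connection_outcome("vsftpd", "203.0.113.5", 21, allow=[("vsftpd", "ALL")]))
```
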
Old 10-11-2006, 08:17 AM   #4
LQ Newbie
Registered: Nov 2005
Location: Buckinghamshire, UK
Distribution: Slackware
Posts: 26

Original Poster
So if I'm understanding properly - iptables is a front-line defence and encompasses all net traffic, whereas hosts.* is ignored by non-tcp traffic.

I had a feeling that hosts.* was the 'obsolete' of the two, since it was around in my Unix days pre-1990 whereas I'd never heard of iptables so I assumed it was the new improved security feature.

With that in mind I'll focus my attention on iptables.

Thanks for the help,


Last edited by richardh1970; 10-11-2006 at 08:19 AM.

