linux系统 服务的访问控制列表

       TCPWrappers是RHEL7系统中默认启用的一款流量监控程序，它能够根据来访主机的地址与本机的目标服务程序作出允许与拒绝的操作。换句话说，Linux系统中其实有两个层面的防火墙，

第一种是前面讲到的基于TCP/IP协议的流量过滤工具， 而TCPWrapper服务则是能允许或禁止Linux系统提供服务的防火墙，从而在更高层面保护了Linux系统的安全运行。？？

      TCPWrapper服务的防火墙策略由两个控制列表文件所控制，用户可以编辑允许控制列表文件来放行对服务的请求流量，也可以编辑拒绝控制列表文件来阻止对服务的请求流量。

控制列表文件修改后会立即生效，系统将会先检查允许控制列表文件（/etc/hosts.allow）,如果匹配到相应的允许策略则放行流量；日过没有匹配，则去进一步匹配拒绝控制列表文件（/etc/hosts.deny）,

若找到匹配项则拒绝该流量。如果这两个文件全都没有匹配到，则默认放行流量。（linux就该这么学p169）

在配置TCPWrapper服务时需要遵循两个原则：

a、编写拒绝策略规则时，填写的是服务名称，而非协议名称

b、建议先编写拒绝策略规则，在编写允许策略规则，以便直观第看到相应的效果

下面编写拒绝策略规则文件，禁止访问本机sshd服务的所有流量

1、测试修改前效果

[root@linuxprobe home]# ifconfig | head -n 5  ## 查看当前主句IP
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.13  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::20c:29ff:feab:7b00  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ab:7b:00  txqueuelen 1000  (Ethernet)
        RX packets 1469  bytes 136148 (132.9 KiB)
[root@linuxprobe home]# ssh 192.168.3.13  ## 测试远程控制，通过
root@192.168.3.13's password:
Last login: Sat Oct 31 21:51:55 2020 from 192.168.3.4
[root@linuxprobe ~]# exit ## 退出
logout
Connection to 192.168.3.13 closed.

2、 修改拒绝控制列表文件

[root@linuxprobe home]# cat /etc/hosts.deny  ## 查看拒绝控制列表文件
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
[root@linuxprobe home]# echo "sshd:*" >> /etc/hosts.deny  ## 修改拒绝控制列表文件
[root@linuxprobe home]# cat /etc/hosts.deny  ## 查看
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:*

3、测试效果

[root@linuxprobe home]# ifconfig | head -n 5  ## 查看本机IP
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.13  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::20c:29ff:feab:7b00  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ab:7b:00  txqueuelen 1000  (Ethernet)
        RX packets 1712  bytes 157571 (153.8 KiB)
[root@linuxprobe home]# ssh 192.168.3.13  ## 远程测试，失败
ssh_exchange_identification: read: Connection reset by peer

4、修改允许控制访问列表

[root@linuxprobe home]# cat /etc/hosts.allow  ## 查看
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
[root@linuxprobe home]# echo "sshd:192.168.3." >> /etc/hosts.allow  ## 修改
[root@linuxprobe home]# cat /etc/hosts.allow  ## 查看
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.3.

5、测试效果

[root@linuxprobe home]# ifconfig | head -n 5  ## 查看IP
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.13  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::20c:29ff:feab:7b00  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ab:7b:00  txqueuelen 1000  (Ethernet)
        RX packets 1947  bytes 178169 (173.9 KiB)
[root@linuxprobe home]# ssh 192.168.3.13  ## 远程测试
root@192.168.3.13's password:
Last login: Sat Oct 31 22:22:07 2020 from 192.168.3.13
[root@linuxprobe ~]# exit  ## 退出
logout
Connection to 192.168.3.13 closed.