As per Redhat official document titled “”Replacing TCP Wrappers in RHEL 8” (https://access.redhat.com/solutions/3906701 ), it says:
The TCP Wrappers package has been deprecated in RHEL 7 and therefore it will not be available in RHEL 8 or later RHEL releases.
You won’t be able to see this “/etc/hosts.allow” and “/etc/hosts.deny” files in your RedHat 8 or CentOS 8 environment even creating it won’t have any effect.
If your remember, this is sample how to allow SSH only coming from these sources (e.g. 192.168.20.100/32, 192.168.20.101/32 and 192.168.15.16/29) and deny all
Sample Config: (/etc/hosts.allow)
[root@freelinuxserver ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See ‘man 5 hosts_options’ and ‘man 5 hosts_access’
# for information on rule syntax.
# See ‘man tcpd’ for information on tcp_wrappers
#
sshd: 192.168.20.100 192.168.20.101
sshd: 192.168.15.16/29
Sample Config: (/etc/hosts.deny)
[root@freelinuxserver ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a ‘deny’ option instead.
#
# See ‘man 5 hosts_options’ and ‘man 5 hosts_access’
# for information on rule syntax.
# See ‘man tcpd’ for information on tcp_wrappers
#
sshd: ALL except localhost
Solution: There are few ways to manage incoming traffic based on source, and one way of doing this is using firewalld particularly using zones.
- Verify if “firewalld” package is installed, if not install it.
yum list installed firewalld
Sample Output:
[root@freelinuxserver~]# yum list installed firewalld
Installed Packages
firewalld.noarch 0.8.2-2.el8 @anaconda
1. 1 If not install the package:
Install firewalld:
yum install -y firewalld
Enable the firewall for starting at boot:
systemctl enable firewalld
Restart the service
systemctl restart firewalld
2. Use the following commands to verify the default config and zones.
- List the default zone
firewall-cmd –get-default-zone
Sample Output:
[root@freelinuxserver ~]# firewall-cmd –get-default-zone
public
- List information for all zones
firewall-cmd –list-all-zones
Sample output: (same omitted, highlighted the “public” zone). Notice the services allowed in ssh and sources is blank, meaning accepting all.[root@freelinuxserver~]# firewall-cmd –list-all-zones
…
public (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
- List allowed services:
firewall-cmd –zone=work –list-services
Sample output:
[root@freelinuxserver ~]# firewall-cmd –zone=work –list-services
dhcpv6-client ssh
3. Remove the SSH service from the default zone ( public). Use the –permanent option to make it persistent even during reboot
firewall-cmd –permanent –remove-service=ssh
Sample Output:
[root@freelinuxserver ~]#firewall-cmd –permanent –remove-service=ssh
success
Verify using “firewall-cmd –list-all-zones” command
Sample Output: (Notice under services that the ssh removed)
[root@freelinuxserver~]# firewall-cmd –list-all-zones
…
public (active)
target: default
icmp-block-inversion: no
interfaces: ens3
sources:
services: dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
4. Create the zone, allow the SSH service and the source IPs.
firewall-cmd –permanent –new-zone=SSHZONE
firewall-cmd –permanent –zone=SSHZONE –add-source=[I.P.]
firewall-cmd –permanent –zone=SSHZONE –add-service=ssh
Sample output:
[root@freelinuxserver ~]# firewall-cmd –permanent –new-zone=SSHZONE
success
[root@freelinuxserver ~]# firewall-cmd –permanent –zone=SSHZONE –add-source=192.168.20.100/32
success
[root@freelinuxserver ~]# firewall-cmd –permanent –zone=SSHZONE –add-source=192.168.20.101/32
success
[root@freelinuxserver ~]# firewall-cmd –permanent –zone=SSHZONE –add-source=192.168.15.16/29
success
[root@freelinuxserver ~]# firewall-cmd –permanent –zone=SSHZONE –add-service=ssh
5. Reload the firewall to take effect and make the zone active.
firewall-cmd –reload
Sample Output:
[root@freelinuxserver~]# firewall-cmd –reload
success
6. Verify using “firewall-cmd –list-all-zones” command
[root@freelinuxserver~]# firewall-cmd –list-all-zones
SSHZONE (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 192.168.20.100/32 192.168.20.101/32 192.168.15.16/29
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
7. Test the rule. SSH from the allowed and not allowed IPs.
Optional: You can use this command also to see if the firewall is running
systemctl status firewalld.service