A Linux system can utilize the
hosts.allow file to specify which IP addresses, hostnames, or domains are permitted to connect to it. This works specifically for TCP wrapped services. The
hosts.allow file is used in conjunction with
hosts.deny to determine whether a connection attempt gets accepted or denied.
hosts.allow file is just a plain text configuration file with a rather simple syntax. In this tutorial, you will see an example of the
hosts.allow file, as we show you how to format the file for different possible scenarios.
In this tutorial you will learn:
- What does the
- How to edit and format the
|Category||Requirements, Conventions or Software Version Used|
|System||Any Linux distro|
|Other||Privileged access to your Linux system as root or via the
# – requires given linux commands to be executed with root privileges either directly as a root user or by use of
$ – requires given linux commands to be executed as a regular non-privileged user
hosts.allow format and example on Linux
hosts.allowfile contains a list of rules for which hosts or networks are allowed to access the specified services inside of the file. The accepted format is to list one rule per line. Below, we will show various examples for rules you can use in the file.
When a connection is attempted, the
hosts.allowfile is consulted to see whether it will be allowed or not. If it is permitted, then the
hosts.denyfile is consulted afterwards, to see if there is a rule that specifically denies the connection.
- The usual syntax is as follows. Each value is separated by a colon
service : host/network
You can also supply an
option, but this is not as common. We will cover some other niche choices below. More options can be added if necessary, with each one separated by another colon.
service : host/network [: <option>: <option>: ...]
- The following line would allow all traffic to the
ALLis used as a wildcard.
sshd : ALL
- This line would allow connections from all hosts on the
10.network. Connections from all other hosts can then be denied by the
hosts.denyfile. This type of configuration would work as intended since the
allowline precedes our corresponding
denyline in the other file, thus will be triggered first.
sshd : 10.
- Accept connections from a particular IPv4 and IPv6 address:
sshd : 10.10.136.241 sshd : [2a02:2149:88f1:4c00:9991:9daa:b580:aee1]
Notice the IPv6 address must be enclosed in
- Rather than using IPs, you can also specify hostnames to accept or deny connections from.
sshd : some.host
- Accept connections from all hosts using the .linuxconfig.org domain name.
sshd : .linuxconfig.org
- You can also use a wildcard for both the service and the host/network field. This will accept all connections to any service. This would make all other rules (including those in
hosts.deny) irrelevant, as all connections will be accepted by this rule before they have a chance to be denied.
ALL : ALL
- To accept only local connections, the
LOCALwildcard can be used.
sshd : LOCAL
EXCEPToperator can be used to create an exception in an otherwise all encompassing rule. For example, this rule would allow all connections from the .linuxconfig.org domain name, except for one host.
sshd : .linuxconfig.org EXCEPT terminal.linuxconfig.org
In this tutorial, we saw how to format the
hosts.allow with various filtering rules on a Linux system. This can be an effective way to filter traffic for TCP wrapped services, although it has fallen out of common use with the rise of the powerful iptables/nftables firewall built into the Linux kernel.