CentOS - Aug 2018 - systemd equivalent of xinetd 'only_from' and 'banner_fail' attributes

I'm attempting to port an existing xinetd service from CentOS 6 to 
something equivalent with systemd for CentOS 7

The existing xinetd config uses the attributes 'only_from' to limit 
connections from a limited set of remote hosts and 'banner_fail' to 
print a suitable error message when access is denied

However, I can't find suitable 'equivalents' with systemd
socket/service
files on CentOS 7

It appears later versions of systemd supports the option IPAddressAllow= 
(which is what I think I need ?)

Does anyone know how to limit the remote hosts that can connect to a 
port with CentOS 7's systemd ?

Also, how to implement the equivalent of 'banner_fail' ? (not absolutely
required, but nice to have)

Thanks

James Pearson

James Pearson wrote:
> 
> I'm attempting to port an existing xinetd service from CentOS 6 to
> something equivalent with systemd for CentOS 7
> 
> The existing xinetd config uses the attributes 'only_from' to limit
> connections from a limited set of remote hosts and 'banner_fail' to
> print a suitable error message when access is denied
> 
> However, I can't find suitable 'equivalents' with systemd
socket/service
> files on CentOS 7
> 
> It appears later versions of systemd supports the option IPAddressAllow>
(which is what I think I need ?)
> 
> Does anyone know how to limit the remote hosts that can connect to a
> port with CentOS 7's systemd ?
> 
> Also, how to implement the equivalent of 'banner_fail' ? (not
absolutely
> required, but nice to have)
I managed to do what is needed by creating a simple ExecStartPre script 
that checks if the $REMOTE_ADDR env var is in a list of my 'only_from' 
IP addresses - and exits with zero if it is or exits with non-zero if not

The non-zero status from the ExecStartPre script causes the whole 
service instance to fail

The ExecStartPre script also writes my 'banner_fail' message to stdout 
when it fails - which is what I want

James Pearson

On Wed, 8 Aug 2018 12:59:09 +0000
James Pearson <james-p at moving-picture.com> wrote:
> James Pearson wrote:
> > 
> > I'm attempting to port an existing xinetd service from CentOS 6 to
> > something equivalent with systemd for CentOS 7
> > 
> > The existing xinetd config uses the attributes 'only_from' to
limit
> > connections from a limited set of remote hosts and
'banner_fail' to
> > print a suitable error message when access is denied
> > 
> > However, I can't find suitable 'equivalents' with systemd
> > socket/service files on CentOS 7
> > 
> > It appears later versions of systemd supports the option
> > IPAddressAllow= (which is what I think I need ?)
> > 
> > Does anyone know how to limit the remote hosts that can connect to a
> > port with CentOS 7's systemd ?
> > 
> > Also, how to implement the equivalent of 'banner_fail' ? (not
> > absolutely required, but nice to have)  
> 
> I managed to do what is needed by creating a simple ExecStartPre
> script that checks if the $REMOTE_ADDR env var is in a list of my
> 'only_from' IP addresses - and exits with zero if it is or exits
with
> non-zero if not
> 
> The non-zero status from the ExecStartPre script causes the whole 
> service instance to fail
> 
> The ExecStartPre script also writes my 'banner_fail' message to
> stdout when it fails - which is what I want
Thanks for taking time to tell us about the solution.

/Peter