TCP wrapper access control


TCP Wrappers is a tool written by Wietse Venema that provides connection logging and access control for many network services. It works with TCP, UDP, and RPC-over-UDP services, but not RPC-over-TCP. The name comes from its most typical use, which is to "wrap" services configured in inetd.conf.

A typical TCP-wrapped service in inetd.conf looks like this:

telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd

The final two fields of an inetd.conf entry are normally used by inetd to specify the program executable, then the arguments (including argv[0]) to pass to the program. When tcpd is used, it is specified as the program executable, and the final field becomes its argv[0]; tcpd uses that to find the real server program to run if access control permits the connection, and the base name of that program (in.telnetd above) is the service name it looks up in the access control files.

The configuration files used by tcpd are /etc/hosts.allow and /etc/hosts.deny. They are consulted in that order: a connection is granted if its (service, client) pair matches a line in hosts.allow, denied if it instead matches a line in hosts.deny, and granted if it matches neither (so a hosts.deny with no "ALL: ALL" line denies nothing). Both contain lines of this form:

program: .example.com 10.0.: options

where program is the base name of the actual program tcpd will invoke, as shown in its inetd.conf entry. Clients are listed as domain names (a leading "." matches every host in that domain) or IP addresses (a trailing "." matches every address beginning with those octets, and IP/netmask notation matches a network), possibly followed by a ':' and additional options. The word "ALL" can be used to match any service name or any domain/IP address.

A TCP wrapper hosts.allow line that would provide restricted telnet access corresponding to the inetd.conf line above would look like:

in.telnetd: .ilab.cs.uoregon.edu 128.223.203.: rfc931
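To make the matching rules and the allow-then-deny order concrete, here is a small Python model of how tcpd evaluates hosts.allow and hosts.deny against a connection. It is an added example written for this page, not code from TCP Wrappers, and it models only the syntax described above plus the EXCEPT operator from hosts_access(5): netgroups, KNOWN/UNKNOWN/PARANOID and daemon@host patterns are left out, and the rfc931 option (which asks tcpd to look up the client's username via IDENT) is simply reported rather than performed. The sample files and the client hostnames and addresses fed to it are constructed for illustration; the in.telnetd line is the one from the page.

```python
"""Toy model of tcpd's hosts.allow / hosts.deny evaluation (added example).

Models: ALL, LOCAL, ".domain" suffixes, "n.n." address prefixes, net/mask,
exact host or address, "list EXCEPT list", and the hosts_access(5) order:
first match in hosts.allow grants, else first match in hosts.deny denies,
else access is granted.  Not modelled: netgroups, KNOWN/UNKNOWN/PARANOID,
daemon@host patterns, and the actual IDENT lookup behind "rfc931".
"""
import ipaddress


def parse_rules(text):
    """Parse access-file text into (daemon_list, client_list, options) tuples."""
    rules = []
    logical = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if line.endswith("\\"):                # backslash continues the line
            logical += line[:-1] + " "
            continue
        logical += line
        fields = [f.strip() for f in logical.split(":")]
        logical = ""
        if len(fields) < 2 or not fields[0]:   # blank or malformed: ignored
            continue
        options = [o for o in fields[2:] if o]
        rules.append((fields[0], fields[1], options))
    return rules


def _match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _match_client(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                     # any hostname without a dot
        return "." not in host
    if pattern.startswith("."):                # .example.com: host in that domain
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                  # 10.0.: address begins with 10.0.
        return addr.startswith(pattern)
    if "/" in pattern:                         # 10.0.0.0/255.255.0.0 or /16
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern.lower() == host.lower() or pattern == addr


def _match_list(spec, matcher):
    """Match a whitespace/comma list; 'a EXCEPT b EXCEPT c' nests to the right."""
    left, sep, right = spec.partition(" EXCEPT ")
    hit = any(matcher(p) for p in left.replace(",", " ").split())
    if sep:
        return hit and not _match_list(right, matcher)
    return hit


def hosts_access(allow_text, deny_text, daemon, host, addr):
    """Return (granted, options) for a (daemon, client) pair."""
    def rule_hits(rule):
        daemons, clients, _ = rule
        return (_match_list(daemons, lambda p: _match_daemon(p, daemon))
                and _match_list(clients, lambda p: _match_client(p, host, addr)))

    for file_verdict, text in ((True, allow_text), (False, deny_text)):
        for rule in parse_rules(text):
            if rule_hits(rule):
                verdict = file_verdict
                for opt in rule[2]:            # hosts_options(5) allow/deny override
                    if opt in ("allow", "deny"):
                        verdict = opt == "allow"
                return verdict, rule[2]
    return True, []                            # matched nowhere: granted


# Constructed sample files.  The in.telnetd line is the one shown on the page;
# the sshd rule is an assumed example of EXCEPT with a net/mask pattern.
HOSTS_ALLOW = """\
in.telnetd: .ilab.cs.uoregon.edu 128.223.203.: rfc931
sshd: ALL EXCEPT 10.0.0.0/255.0.0.0 \\
      EXCEPT 10.9.9.9
"""
HOSTS_DENY = "ALL: ALL\n"


def check(daemon, host, addr):
    """Evaluate a connection against the sample files above."""
    return hosts_access(HOSTS_ALLOW, HOSTS_DENY, daemon, host, addr)


if __name__ == "__main__":
    # Hostnames and addresses below are constructed, not real hosts.
    for args in (("in.telnetd", "fish.ilab.cs.uoregon.edu", "128.223.203.7"),
                 ("in.telnetd", "host.example.com", "192.0.2.5"),
                 ("sshd", "host.example.com", "10.1.2.3"),
                 ("sshd", "host.example.com", "10.9.9.9"),
                 ("in.ftpd", "fish.ilab.cs.uoregon.edu", "128.223.203.7")):
        print(args, "->", check(*args))
```

On a real system the equivalent check is tcpdmatch(8), which ships with TCP Wrappers and reports how tcpd would treat a given service and client (for example, tcpdmatch in.telnetd 128.223.203.7); the model above is only useful for seeing why a rule does or does not fire.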



Steve VanDevender
Last modified: Tue Aug 1 14:44:26 PDT 2006