TCP wrapper access control in detail


tcpd obtains the IP address of the connecting client with a system call, and attempts to look up a domain name from that in DNS. If built with the "paranoid" option, tcpd will further try to look up the IP address for the domain name it obtains, and if that IP address does not match the client IP address it will refuse the connection. If no domain name is obtained then the connection will still be allowed; it is only when the client IP does not match the IP obtained by the reverse and forward DNS lookups that TCP wrappers drops the connection. This is intended to prevent spoofing of domain names in reverse DNS to pass TCP wrapper access checks.

If the paranoid check passes (or tcpd was not built with it), tcpd attempts to match the program name of the service and the IP address/domain name of the client against the rules in hosts.allow; if a match is found, the connection is permitted. Otherwise it attempts to match them against the rules in hosts.deny; if a match is found, the connection is dropped. If no match is found in either file, the connection is permitted.

There are a number of additional options that can be used with each access rule. Here are some that are commonly used:

allow, deny
Specifically allow or deny a connection, overriding the default interpretation of a rule found in hosts.allow or hosts.deny.
rfc931
Make an auth/ident request (via the protocol described in RFC 931) to obtain a remote user name (if possible and not faked by the remote host) for logging purposes.
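The evaluation order described above (paranoid DNS check, then hosts.allow, then hosts.deny, then the default of permitting), including the allow/deny option overrides, as an added simulation that is not part of the original page or of the TCP wrappers code. The rule files, host names and addresses are constructed samples, and only a subset of the client patterns from hosts_access(5) is handled.

```python
import ipaddress

# Constructed sample hosts.allow / hosts.deny contents (not from the page);
# each line is "daemon_list : client_list [: option]" as in hosts_access(5).
HOSTS_ALLOW = """
sshd : 192.168.1.0/255.255.255.0
ALL  : .example.com : deny
"""
HOSTS_DENY = """
ftpd : 10.0. : allow
ALL  : ALL
"""

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        rules.append((parts[0].split(), parts[1].split(), parts[2] if len(parts) > 2 else None))
    return rules

def client_matches(pattern, ip, name):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):   # domain suffix, e.g. ".example.com"
        return name is not None and name.endswith(pattern)
    if "/" in pattern:            # net/mask, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):     # address prefix, e.g. "10.0."
        return ip.startswith(pattern)
    return pattern in (ip, name)  # exact address or host name

def first_match(rules, daemon, ip, name):
    for daemons, clients, option in rules:
        if any(d in ("ALL", daemon) for d in daemons) and any(client_matches(c, ip, name) for c in clients):
            return option or "match"
    return None

def access_decision(daemon, ip, reverse_name, forward_ips, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    # Paranoid check: a reverse name is trusted only if its forward lookup yields the client IP;
    # with no reverse name at all the check is skipped, as the text describes.
    if reverse_name is not None and ip not in forward_ips:
        return "deny"
    hit = first_match(parse_rules(allow), daemon, ip, reverse_name)
    if hit is not None:                    # hosts.allow match: permit unless the rule says "deny"
        return "deny" if hit == "deny" else "allow"
    hit = first_match(parse_rules(deny), daemon, ip, reverse_name)
    if hit is not None:                    # hosts.deny match: drop unless the rule says "allow"
        return "allow" if hit == "allow" else "deny"
    return "allow"                         # no match in either file: the default is to permit
```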

A full description of the access control syntax for hosts.allow and hosts.deny is in man 5 hosts_access. Options (which must be enabled at compile time in TCP wrappers) are documented in man 5 hosts_options.



Steve VanDevender
Last modified: Sun Aug 3 17:17:37 PDT 2003