TCP wrappers are one of Linux’s most useful built-in features.
Instead of using a complex set of firewall rules, tcpwrappers provides an easy method of restricting access to certain daemons using ip addresses, host names, and ranges. While I wouldn’t reccommend on relying soley on them, they are a great tool for workstations and other machines behind a firewall.
hosts.deny is checked first; then hosts.allow. By default, if a program is not listed in either it is granted access to everyone.
As you can see, you have several different ways to give (or prevent) access.
Generally any program you see running as rpc.program will be supported via tcpwrappers (use program, not rpc.program in hosts.*). Anything running from inetd.conf will also be supported.
Stand-alone services (ignoring SSH/FTP) will generally not work with this, and rely on the program denying access or iptables.
Even if you use iptables, have some service: ALL lines in /etc/hosts.deny can be useful if you ever have problems with iptables