
/usr/sbin/debian-edu-update-netblock is in debian-edu-config 1.818+deb8u2.

This file is owned by root:root, with mode 0o755.


#!/bin/sh
#
# Configure network limitations for the host.
#
# Enable or disable network filtering.  Call with 'auto' to enable or
# disable based on host netgroup membership.  Users that are members of
# the admins or nonetblk group avoid the block when it is enabled
# for the host.
#
# Allow
# user root to get APT and other services working
# user ntp to synchronize the time
# user nagios to allow passing system monitoring information to
#   external collectors.
# user bind to get DNS server working
# user proxy to allow squid to fetch data from external sites
# user Debian-exim to be able to send email out and receive email in
# groups admins and nonetblk to allow privileged users to get their work done.
#
# Note that the block is applied to the OUTPUT chain only (see
# start_filtering below): it limits what local users may reach, it does
# not restrict inbound traffic.

# Make sure iptables is in the PATH (it is installed under /sbin, which
# is not necessarily on the caller's PATH).
PATH=/sbin:$PATH
export PATH

# Netgroup whose member hosts get the block in 'auto' mode; looked up
# with innetgr in auto_filtering.
hostnetgroup=netblock-hosts

# Allow these system users and groups full access by default, if they
# exist on the machine (existence is checked with getent before a rule
# is written for them).
privilegedusers="root Debian-exim bind ntp nagios proxy nslcd openldap xrdp www-data avahi dovecot statd daemon"
privilegedgroups="admins nonetblk"

# Allow everything into the loopback network
localnet="127.0.0.0/8"

# And every private network as well, these are (should not normally
# be) routed on the internet, and thus should be local to the site.
privatenet="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Allow for more networks to be listed in the site configuration file
# sourced below (/etc/debian-edu/netblock); a file named
# /etc/default/update-netlimit is not read by this script.
internalnet=""

# LSB logging helpers (log_begin_msg / log_end_msg) used below.
. /lib/lsb/init-functions
# Presumably where VERBOSE comes from -- confirm; the functions below
# only print progress messages when VERBOSE is not "no".
if [ -f /etc/default/rcS ]; then
  . /etc/default/rcS
fi

# Site-local overrides.  Sourced last on purpose, so anything set in it
# (networks, privileged users/groups, netgroup name) replaces the
# defaults above.
if [ -f /etc/debian-edu/netblock ] ; then
    . /etc/debian-edu/netblock
fi

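#######################################
# Write the complete iptables-restore ruleset for the filter table to
# stdout.
# Globals:  localnet, privatenet, internalnet, privilegedusers,
#           privilegedgroups (read)
# Outputs:  ruleset text on stdout
#######################################
generate_filter_rules() {
    echo "*filter"

    # Default policies: inbound is left open, outbound and forwarded
    # traffic is dropped unless one of the ACCEPT rules below matches.
    echo ":INPUT ACCEPT"
    echo ":FORWARD DROP"
    echo ":OUTPUT DROP"

    # FIXME This is an alternative drop rule to only drop some
    # FIXME ports.
    # Drop all packets for a given user
    #iptables -I OUTPUT -p tcp --dport 23:120 -m owner \
    #    --uid-owner your_login_name -j DROP
    # Drop all packets for a given group
    #iptables -I OUTPUT -p tcp --dport 23:120 -m owner \
    #    --gid-owner examlimits -j DROP

    # Rules are evaluated in the order written, so the most common
    # traffic (local and private networks) goes first, followed by the
    # privileged system users and groups.
    # Word-splitting of the unquoted lists is intentional.
    for subnet in $localnet $privatenet $internalnet ; do
        echo "-A OUTPUT -d $subnet -j ACCEPT"
    done

    # Only write owner rules for accounts that exist on this machine.
    for user in $privilegedusers ; do
        if getent passwd "$user" > /dev/null ; then
            echo "-A OUTPUT -m owner --uid-owner $user -j ACCEPT"
        fi
    done
    for group in $privilegedgroups ; do
        if getent group "$group" > /dev/null ; then
            echo "-A OUTPUT -m owner --gid-owner $group -j ACCEPT"
        fi
    done
    echo "COMMIT"
}

#######################################
# Enable the network block: load a fresh filter-table ruleset that
# drops all outbound traffic except to local networks and from the
# privileged users/groups.
# Globals:  VERBOSE (read) and everything generate_filter_rules reads
# Outputs:  progress via log_begin_msg/log_end_msg unless VERBOSE=no,
#           a summary line to syslog via logger
# Returns:  0 when the ruleset was loaded, 1 otherwise
#######################################
start_filtering() {
    if [ "$VERBOSE" != no ]; then
        log_begin_msg "Activating network block on this host"
    fi

    modprobe ip_tables
    modprobe iptable_filter

    # The ruleset is built in a temporary file and loaded in one go.
    # We are the only filter firewall that should be in operation, so
    # the restore replaces all existing filter rules; add others after
    # this - or modify it.
    filterfile=$(tempfile)
    if [ $? -ne 0 ] || [ -z "$filterfile" ]; then
        logger -t "debian-edu-update-netblock" "error: cannot create temporary file, netblock left unchanged"
        if [ "$VERBOSE" != no ]; then
            log_end_msg 1
        fi
        return 1
    fi
    generate_filter_rules > "$filterfile"

    # A failed restore must not be reported as success: the previous
    # rules (or none at all) would stay in effect while the log says
    # the block is enabled.
    status=0
    iptables-restore "$filterfile" || status=1
    rm -f -- "$filterfile"

    if [ "$status" -eq 0 ]; then
        logger -t "debian-edu-update-netblock" "making sure netblock is enabled"
    else
        logger -t "debian-edu-update-netblock" "error: iptables-restore failed, netblock may not be active"
    fi
    if [ "$VERBOSE" != no ]; then
        log_end_msg "$status"
    fi
    return "$status"
}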

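#######################################
# Disable the network block: set every filter chain policy to ACCEPT
# and flush all rules in the filter table.
# Globals:  VERBOSE (read)
# Outputs:  progress via log_begin_msg/log_end_msg unless VERBOSE=no,
#           a summary line to syslog via logger
# Returns:  0 when all iptables calls succeeded, 1 otherwise
#######################################
stop_filtering() {
    if [ "$VERBOSE" != no ]; then
        log_begin_msg "Disabling network block on this host"
    fi

    # Track whether any step failed so the syslog line and the return
    # status reflect the real state instead of always claiming success.
    status=0
    for chain in INPUT OUTPUT FORWARD ; do
        iptables -P "$chain" ACCEPT || status=1
    done
    iptables -F || status=1

    if [ "$status" -eq 0 ]; then
        logger -t "debian-edu-update-netblock" "making sure netblock is disabled"
    else
        logger -t "debian-edu-update-netblock" "error: resetting iptables failed, netblock state is unknown"
    fi
    if [ "$VERBOSE" != no ]; then
        log_end_msg "$status"
    fi
    return "$status"
}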

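#######################################
# Enable or disable the block depending on whether this host is a
# member of the $hostnetgroup netgroup.
# Globals:  hostnetgroup (read)
# Outputs:  a syslog warning when innetgr is unavailable
# Returns:  status of start_filtering or stop_filtering
#######################################
auto_filtering() {
    hostname=$(uname -n)

    # "if innetgr" takes the else branch both when the host is not a
    # member and when the lookup cannot be performed at all (tool
    # missing, lookup failure), i.e. a failed lookup disables the block.
    # Make at least the missing-tool case visible in the log.
    if ! command -v innetgr > /dev/null 2>&1 ; then
        logger -t "debian-edu-update-netblock" "warning: innetgr not found, cannot check membership of $hostname in $hostnetgroup"
    fi

    if innetgr -h "$hostname" "$hostnetgroup" ; then
        start_filtering
    else
        stop_filtering
    fi
}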

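# Dispatch on the single command-line argument.  Unknown arguments are
# reported on stderr and exit non-zero so a mistyped invocation is not
# mistaken for a successful run.
case "$1" in
    auto)
        auto_filtering
        ;;
    start)
        start_filtering
        ;;
    stop)
        stop_filtering
        ;;
    *)
        echo "error: argument '$1' is not handled" >&2
        echo "error: supported arguments: auto start stop" >&2
        exit 2
        ;;
esac

# Propagate the outcome of the selected action.
exit $?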