/usr/sbin/debian-edu-update-netblock is in debian-edu-config 1.818+deb8u2.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
#!/bin/sh
#
# Configure network limitations for the host.
#
# Enable or disable network filtering. Call with 'auto' to enable or
# disable based on host netgroup membership. Users who are members of
# the admin and nonetblk file groups avoid the block when it is enabled
# for the host.
#
# Allow
# user root to get APT and other services working
# user ntp to synchronize the time
# user nagios to allow passing system monitoring information to
# external collectors.
# user bind to get DNS server working
# user proxy to allow squid to fetch data from external sites
# user Debian-exim to be able to send email out and receive email in
# group nonetlim to allow privileged users to get their work done.
# iptables lives in /sbin, so put that directory first on the search path.
export PATH="/sbin:$PATH"

# Netgroup consulted in 'auto' mode: hosts listed in it get the block enabled.
hostnetgroup=netblock-hosts

# System users and groups whose outbound traffic is always accepted,
# provided the account or group exists on this machine.
privilegedusers="root Debian-exim bind ntp nagios proxy nslcd openldap xrdp www-data avahi dovecot statd daemon"
privilegedgroups="admins nonetblk"

# Destinations that stay reachable for everyone: the loopback network ...
localnet="127.0.0.0/8"

# ... and the private address ranges. These are not normally routed on
# the internet and are therefore treated as local to the site.
privatenet="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Extra site networks. Empty here; one of the files sourced below may
# set it (the only site file this script reads is /etc/debian-edu/netblock).
internalnet=""

# LSB helper library; presumably provides the log_begin_msg/log_end_msg
# functions used further down.
. /lib/lsb/init-functions

# Optional boot-time settings (presumably where VERBOSE comes from).
[ ! -f /etc/default/rcS ] || . /etc/default/rcS

# Optional site overrides for any of the variables above. The file is
# executed as shell code by this script, so it has to stay writable by
# trusted administrators only.
[ ! -f /etc/debian-edu/netblock ] || . /etc/debian-edu/netblock
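#######################################
# Build an iptables-restore ruleset for the filter table and load it.
#
# Resulting policy: INPUT stays ACCEPT, FORWARD and OUTPUT default to
# DROP. Outbound packets are accepted only when the destination is in
# $localnet, $privatenet or $internalnet, or when the sending process
# runs as one of $privilegedusers / $privilegedgroups that exists on
# this host.
#
# Globals read:    VERBOSE, localnet, privatenet, internalnet,
#                  privilegedusers, privilegedgroups
# Globals written: filterfile, subnet, user, group, restore_status
# Returns: 0 once the ruleset has been loaded; non-zero when the
#          temporary file could not be created or iptables-restore
#          rejected the ruleset. In that case the "enabled" message is
#          NOT logged, so the log no longer claims a block that was
#          never applied.
#
# NOTE(review): only IPv4 rules are loaded; nothing in this script
# touches ip6tables, so IPv6 egress needs separate handling on hosts
# that have IPv6 connectivity.
#######################################
start_filtering() {
  if [ "$VERBOSE" != no ]; then
    log_begin_msg "Activating network block on this host"
  fi

  # Failures are ignored here, as before (presumably because the
  # modules may be built into the kernel); a missing filter table
  # surfaces as an iptables-restore error below.
  modprobe ip_tables
  modprobe iptable_filter

  # mktemp creates the file itself with a non-predictable name. Without
  # a file name iptables-restore would read its rules from stdin, so
  # stop here if the file could not be created.
  if ! filterfile=$(mktemp) || [ -z "$filterfile" ]; then
    logger -t "debian-edu-update-netblock" \
      "could not create temporary rules file, netblock NOT activated"
    if [ "$VERBOSE" != no ]; then
      log_end_msg 1
    fi
    return 1
  fi

  {
    # We are the only filter firewall that should be in operation.
    # iptables-restore (without --noflush) replaces the existing
    # contents of the filter table with what is written here.
    printf '%s\n' "*filter"

    # Default policies: inbound accepted, forwarded and outbound dropped.
    printf '%s\n' ":INPUT ACCEPT" ":FORWARD DROP" ":OUTPUT DROP"

    # FIXME This is an alternative drop rule to only drop some
    # FIXME ports.
    # Drop all packets for a given user
    #iptables -I OUTPUT -p tcp --dport 23:120 -m owner \
    #  --uid-owner your_login_name -j DROP
    # Drop all packets for a given group
    #iptables -I OUTPUT -p tcp --dport 23:120 -m owner \
    #  --gid-owner examlimits -j DROP

    # Rule order matters: chains are processed in the order the rules
    # are added, so the destinations expected to carry most traffic
    # (local and private networks) come first, then the privileged
    # users, then the privileged groups.
    for subnet in $localnet $privatenet $internalnet; do
      printf '%s\n' "-A OUTPUT -d $subnet -j ACCEPT"
    done

    # Only accounts that exist on this machine get a rule.
    for user in $privilegedusers; do
      if getent passwd "$user" > /dev/null; then
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $user -j ACCEPT"
      fi
    done

    for group in $privilegedgroups; do
      if getent group "$group" > /dev/null; then
        printf '%s\n' "-A OUTPUT -m owner --gid-owner $group -j ACCEPT"
      fi
    done

    printf '%s\n' "COMMIT"
  } > "$filterfile"

  # Remember the load status so the temporary file is removed on every
  # path before the result is reported.
  restore_status=0
  iptables-restore "$filterfile" || restore_status=$?
  rm -f -- "$filterfile"

  if [ "$restore_status" -ne 0 ]; then
    logger -t "debian-edu-update-netblock" \
      "iptables-restore failed (status $restore_status), netblock NOT activated"
    if [ "$VERBOSE" != no ]; then
      log_end_msg 1
    fi
    return "$restore_status"
  fi

  logger -t "debian-edu-update-netblock" "making sure netblock is enabled"
  if [ "$VERBOSE" != no ]; then
    log_end_msg 0
  fi
  return 0
}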
#######################################
# Remove the network block: set the default policy of INPUT, OUTPUT and
# FORWARD back to ACCEPT and flush the rules (iptables -F without a
# table argument, i.e. the default table).
#
# Globals read: VERBOSE
# Returns: always 0. The exit status of the iptables calls is not
#          checked, so the "disabled" message is logged regardless.
#######################################
stop_filtering() {
  case "$VERBOSE" in
    no) ;;
    *) log_begin_msg "Disabling network block on this host" ;;
  esac

  # Policies first, then the flush, so no DROP policy is left behind
  # once the ACCEPT rules are gone.
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -F

  logger -t "debian-edu-update-netblock" "making sure netblock is disabled"

  if [ "$VERBOSE" != no ]; then
    log_end_msg 0
  fi
  return 0
}
#######################################
# Enable or disable the block depending on whether this host (as named
# by `uname -n`) is a member of the $hostnetgroup netgroup.
#
# Globals read:    hostnetgroup
# Globals written: hostname
# Returns: the status of whichever of start_filtering / stop_filtering
#          was run.
#
# NOTE(review): any non-zero status from innetgr leads to
# stop_filtering. If innetgr also exits non-zero when the netgroup
# lookup itself is unavailable, the block would be removed in that
# situation - worth confirming for hosts that rely on it.
#######################################
auto_filtering() {
  hostname=$(uname -n)

  # Not a member of the netgroup: make sure the block is off.
  if ! innetgr -h "$hostname" $hostnetgroup; then
    stop_filtering
    return
  fi

  start_filtering
}
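# Dispatch on the first command-line argument.
case "$1" in
  auto)
    auto_filtering
    ;;
  start)
    start_filtering
    ;;
  stop)
    stop_filtering
    ;;
  *)
    # Diagnostics belong on stderr; printf keeps an odd argument such
    # as "-n" from being interpreted as an echo option.
    printf "error: argument '%s' is not handled\n" "$1" >&2
    printf '%s\n' "error: supported arguments: auto start stop" >&2
    ;;
esac

# The script reports success unconditionally, including for an
# unsupported argument or a failed action above.
# NOTE(review): callers therefore cannot tell from the exit status
# whether the block was applied; check the syslog entries tagged
# debian-edu-update-netblock, or confirm that no caller depends on the
# unconditional 0 before changing this.
exit 0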