DNS and multiple VPNs: Using dnsmasq to access multiple dns suffixes

On my Fedora 15 laptop, I'm almost always connected to several VPNs simultaneously. One VPN to my office or to my home (depending on where I am), one to the data center, one to a customer. These connections all have their own DNS server with their own suffix.

To make all DNS suffixes work, I created a script that redirects all outgoing DNS traffic to dnsmasq running on localhost, which in turn forwards all requests for .lan to 192.168.15.254 and all requests for .gl to 192.168.1.254.

The script was put in /etc/NetworkManager/dispatcher.d/10-DNS:

#!/bin/bash
# NetworkManager dispatcher script: $1 is the interface, $2 the action (up/down/...)

# Stop the dnsmasq we started earlier, but only if the pid in the pidfile
# still belongs to a dnsmasq process (the pid may have been reused)
if [ -e /var/run/dnsmasq.localhost ]; then
        cat /proc/`cat /var/run/dnsmasq.localhost`/cmdline |grep dnsmasq >/dev/null 2>/dev/null && \
        kill `cat /var/run/dnsmasq.localhost`
fi

if [ "$2" == "up" ]; then
        # keep the resolv.conf written by DHCP as the upstream for dnsmasq
        cp /etc/resolv.conf /etc/resolv.conf.dhcp
        echo nameserver 127.0.0.1 >  /etc/resolv.conf
        echo domain $DHCP4_DOMAIN_NAME >> /etc/resolv.conf
        echo search $DHCP4_DOMAIN_NAME >> /etc/resolv.conf
        # listen on localhost only; .gl and .lan go to their own servers,
        # everything else to the servers from /etc/resolv.conf.dhcp
        /usr/sbin/dnsmasq -C /dev/null -r /etc/resolv.conf.dhcp --server=/gl/192.168.1.254 \
            --server=/lan/192.168.15.254 --bind-interfaces --listen-address 127.0.0.1 \
            --pid-file=/var/run/dnsmasq.localhost
fi
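As an added example (not code from the original post), the two inputs the dispatcher script takes on trust can be validated before use: $DHCP4_DOMAIN_NAME arrives from the network and is written straight into resolv.conf, and the suffix-to-server mapping is typed by hand. The forwarders are the post's two; the function names are mine.

```shell
#!/bin/bash
# Added example, not code from the original post. Validates the two things the
# dispatcher script takes on trust: $DHCP4_DOMAIN_NAME (supplied by the network,
# then written into resolv.conf) and the suffix-to-server mapping for dnsmasq.

# Print $1 if it is a plain DNS name (letters, digits, dots, hyphens, not
# starting with '-' or '.'); print nothing and return 1 otherwise.
safe_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|.*) return 1 ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    local IFS=. o n=0
    case "$1" in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
    for o in $1; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Turn "suffix=ip" pairs into the --server=/suffix/ip flags dnsmasq expects,
# refusing the whole list if any entry is malformed.
build_server_args() {
    local pair suffix ip out=''
    for pair in "$@"; do
        suffix=${pair%%=*}; ip=${pair#*=}
        safe_domain "$suffix" >/dev/null || return 1
        valid_ipv4 "$ip" || return 1
        out="$out --server=/$suffix/$ip"
    done
    printf '%s\n' "${out# }"
}

# How the dispatcher script would use it (the two forwarders from the post):
#   DOMAIN=$(safe_domain "$DHCP4_DOMAIN_NAME") || DOMAIN=''
#   ARGS=$(build_server_args gl=192.168.1.254 lan=192.168.15.254) || exit 1
```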

Once I had to fix resolv.conf manually when I connected my laptop to my Samsung Galaxy SII as well. This may mean I need to improve the script some day, but for the time being, it works well enough.

© GeekLabInfo DNS and multiple VPNs: Using dnsmasq to access multiple dns suffixes is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

Playing with the sockets: socat and netcat

Connect two netcats to each other

mkfifo backpipe
nc localhost 55545 0<backpipe | nc HOST PORT 1>backpipe

Replace HOST PORT with the second endpoint; the fifo carries the output of the second netcat back into the stdin of the first.

Telnet with readline and a history:

socat -d -d READLINE,history=$HOME/.http_history \
TCP4:www.domain.org:www,crnl

Talk to your modem in raw mode:

socat - /dev/ttyS0,raw,echo=0,crnl

Simulate tail -f:

socat -u /var/log/messages,seek-end=0,ignoreeof -

Give a random interactive program, such as nslookup, a history:

socat readline,history=.nslookup_hist exec:"nslookup",pty,ctty,setsid,echo=0

Use your modem with a non-persistent history:

socat readline /dev/ttyS0,raw,echo=0,crlf,nonblock

Use your modem with a persistent history:

socat READLINE,history=/tmp/serial.cmds \
  OPEN:/dev/ttyS0,ispeed=9600,ospeed=9600,crnl,raw,sane,echo=false

To dos (as in tofrodos):

socat -u - -,crlf

From dos (as in tofrodos):

socat -u -,cr -

Run sendmail daemon with your favorite network options

Warning: using this wrong may result in becoming an open relay!

socat TCP-LISTEN:25,fork,ip-ttl=4,ip-tos=7,tcp-maxseg=576 EXEC:"/usr/sbin/sendmail -bs",nofork

Send a mail using chat (from ppp package):

socat -d -d system:'/usr/sbin/chat "220 " "HELO loopback" "250 " "MAIL FROM: <root@localhost>" "250 " "RCPT TO: root" "250 " "DATA" "354 " "test'$(echo -e "\r.")'" "250 " "QUIT"',pty,echo=0,cr tcp:localhost:25,crlf,nodelay

Connect remote X :1 to local X :0

socat exec:'ssh root@troas socat unix-l\:/tmp/.X11-unix/X1 -' unix:/tmp/.X11-unix/X0

Note the escaping of the colon in the remote command.

Sending a file - Server sending the file

server$ socat -u FILE:test.dat TCP-LISTEN:9876,reuseaddr
client$ socat -u TCP:127.0.0.1:9876 OPEN:out.dat,creat

Sending a file - Server receiving the file

server$ socat -u TCP-LISTEN:9876,reuseaddr OPEN:out.txt,creat
client$ socat -u FILE:test.txt TCP:127.0.0.1:9876

Be a syslog server:

socat -u UDP4-LISTEN:5140,reuseaddr,fork OPEN:/tmp/syslog.msg,creat,append

I can't figure out how to put a newline after each message...

Send syslog messages to screen:

socat -t0 -T0 -u UDP4-LISTEN:514,reuseaddr,fork -

To get time from time server:

socat TCP:time.nist.gov:13 -

Really sick - use socat as a VPN solution:

socat -d -d  \
    TUN:192.168.99.2/24,up \
    SYSTEM:"ssh root@remote-server socat -d -d  - 'TUN:192.168.99.1/24,up'"

This must be run as a user that can modify tap/tun devices on both sides of the tunnel.

Use a remote modem

On the side with the modem

socat /dev/ttyS0,raw,echo=0 tcp4-listen:3334

On the side where you want the modem transferred

socat PTY,link=$HOME/vmodem0,raw,echo=0 TCP:servername:3334

You can now access remote /dev/ttyS0 through local $HOME/vmodem0

Use a remote modem over SSH

socat PTY,link=$HOME/vmodem0,waitslave \
 EXEC:"ssh root@remote-server socat - /dev/ttyS0"

You can now access remote /dev/ttyS0 through local $HOME/vmodem0. Remove waitslave to keep alive after local client disconnect.

Using OpenSSL over UDP

This uses a chaining method I believe to be only available in socat2.

On the listening side:

socat2 - "OPENSSL-SERVER,cert=client.pem,cafile=server.crt|UDP4-LISTEN:4430,fork"

On the connecting side:

socat2 exec:ls "OPENSSL-CLIENT,cert=server.pem,cafile=client.crt|UDP4:localhost:4430"

OpenSSL Tunnel

First, generate certificates and distribute them to either side:

# self-signed key + certificate for each side: the .pem (key + cert) is what
# socat loads with cert=, the .crt is what the other side pins with cafile=
# (1024-bit RSA was common in 2011; use 2048 bits or more today)
FILENAME=server
openssl genrsa -out $FILENAME.key 1024
openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt
cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
chmod 600 $FILENAME.key $FILENAME.pem

FILENAME=client
openssl genrsa -out $FILENAME.key 1024
openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt
cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
chmod 600 $FILENAME.key $FILENAME.pem

On the listening side:

socat openssl-listen:4433,reuseaddr,cert=server.pem,cafile=client.crt tcp-connect:localhost

On the connecting side:

socat - openssl-connect:server.domain.org:4433,cert=client.pem,cafile=server.crt



Change VMWare Data Recovery 2.0 report mail

As I may have mentioned before, VMWare Data Recovery is not my favorite backup solution. I'm pleased to report that VDR 2.0 is a LOT better than 1.x ever was. Since upgrading, my backups haven't failed once. And it even has a built-in email reporting system.

Unfortunately, this mail system isn't very customizable. Since I'd like the subject lines to make clear when a report needs extra attention, I made a little fix: a script that is started by socat.

Install socat

Socat handles incoming connections on port 25 for me.

rpm -i http://download.fedora.redhat.com/pub/epel/5/x86_64/socat-1.7.1.3-1.el5.x86_64.rpm

Get my script

cd /usr/local/bin ; wget http://www.geeklab.info/wp-content/uploads/2011/12/smtp-filter.sh

You should put your own mailserver in the script on line 7.

Start it automatically

echo "socat TCP4-LISTEN:25,fork EXEC:/usr/local/bin/smtp-filter.sh &" >> /etc/rc.d/rc.local

Now change your settings

Change the outgoing mailserver to localhost and test it. If everything's ok, you'll get a mail with 1 warning and 2 error messages, as the test mail doesn't contain the fields that indicate no backups failed.

Security

The iptables firewall does not allow incoming connections to port 25, so you will not become an open relay using this script.


My Dymo label writing process

This page contains raw notes and/or untested notes. They may be incorrect, parts may be missing or the article may contain parts that are not needed and more. An update will probably follow some day.

To print labels on my Dymo, I'm running a custom built webapp that allows users in the entire network to print. It has a memory, prints KIX-codes (that make it easier for the postal service to process letters) and prints a logo.

In my setup, the server generating the logo and the server printing it are two different machines. But even if they weren't, this method keeps the webserver in its SELinux confinement.

Requirements

We need some tools; install the packages with the following command:

yum install ripmime

Add the printer to CUPS

Add the printer to CUPS, so you can spool jobs to it. I'm not explaining this part.

Generate a label

Using PHP's GD extensions I generate a new image with width=1010 and height=540. Using this high resolution results in good quality prints.

The image is exported as a .png file, named [something-random].dymo.png and transported to the printserver through a special email-address.

Prepare the mailserver

I'm running a Postfix mailserver. This mailserver has a special address that accepts print jobs, extracts the files and prints them.

In /etc/postfix/master.cf, add the following lines:

printer unix  -       n       n       -       -       pipe
  flags=F  user=nobody argv=/etc/postfix/bin/printserver $sender $recipient

Then in /etc/postfix/transport, we put:

printer.geeklab.info    printer:

The domain printer.geeklab.info doesn't necessarily need to exist, as long as you deliver over SMTP directly to this mailserver.

Finally in /etc/postfix/main.cf we enable the transport maps, if that hasn't been done before:

transport_maps = hash:/etc/postfix/transport

Write a script

In master.cf we start the script /etc/postfix/bin/printserver. Add this content to said script:

#!/bin/bash
# Called by the Postfix pipe transport as: printserver $sender $recipient
TMPDIR=/var/spool/mailprinter/$$_${RANDOM}_${RANDOM}
MESSAGE_FILE=${TMPDIR}_the_message
mkdir -p "$TMPDIR"
# the whole mail arrives on stdin; save it so ripmime can unpack the attachments
cat > "$MESSAGE_FILE"
ripmime -i "$MESSAGE_FILE" -d "$TMPDIR"
# print only the label images; skip the loop if ripmime extracted none
for i in "${TMPDIR}"/*.dymo.png; do
    [ -e "$i" ] || continue
    lpr -PDymo -o PageSize=w167h288 -o landscape -o page-left=0 -o page-top=0 \
        -o page-right=0 -o page-bottom=26 -o orientation-requested=5 -o scaling=100 "$i"
done
rm -rf "$MESSAGE_FILE" "$TMPDIR"
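Added example, not code from the post: a check for the files ripmime extracts before they reach lpr. Whoever can deliver mail to the printer address controls the attachments, so a file is printed only if it is a regular file with a plain *.dymo.png name, starts with the PNG signature and stays under an assumed size limit. The function names, the limit and LPR_CMD (which lets the print step be substituted) are mine.

```shell
#!/bin/bash
# Added example, not code from the original post. Checks each file ripmime
# extracted before it goes to lpr: the mail (and so the attachments) can come
# from anyone able to deliver to the printer address.
MAX_LABEL_BYTES=2097152        # assumed limit (2 MiB); a 1010x540 label is far smaller
LPR_CMD=${LPR_CMD:-lpr}        # print command; overridable for testing

# Return 0 if $1 may be printed, 1 otherwise (reason on stderr).
label_ok() {
    local f=$1 name size magic
    name=${f##*/}
    case "$name" in
        *.dymo.png) ;;
        *) echo "skip $name: not a .dymo.png" >&2; return 1 ;;
    esac
    case "$name" in
        *[!A-Za-z0-9._-]*|.*) echo "skip $name: unsafe name" >&2; return 1 ;;
    esac
    # regular files only: no symlinks, directories or device nodes
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "skip $name: not a regular file" >&2; return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -gt "$MAX_LABEL_BYTES" ]; then
        echo "skip $name: $size bytes exceeds limit" >&2; return 1
    fi
    # every PNG starts with the 8-byte signature 89 50 4E 47 0D 0A 1A 0A
    magic=$(head -c 8 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "89504e470d0a1a0a" ]; then
        echo "skip $name: not a PNG" >&2; return 1
    fi
    return 0
}

# Print every acceptable label in directory $1 with the post's lpr options;
# prints the number of labels sent.
print_labels() {
    local dir=$1 f n=0
    for f in "$dir"/*; do
        label_ok "$f" || continue
        "$LPR_CMD" -PDymo -o PageSize=w167h288 -o landscape -o page-left=0 -o page-top=0 \
            -o page-right=0 -o page-bottom=26 -o orientation-requested=5 -o scaling=100 "$f"
        n=$((n + 1))
    done
    echo "$n"
}
```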

Manage SELinux settings

The script we just wrote uses ripmime and lpr and runs as the Postfix pipe user. To allow the Postfix pipe program to use these tools, put the postfix_pipe_t domain in permissive mode:

semanage permissive -a postfix_pipe_t

Always remember to manage SELinux, not disable it.

Ubuntu/Debian

I'm running RedHat-based software on all of my machines. Above information may be useful for Ubuntu/Debian users, but it's not tested and I'm not supporting it.

Servers: RedHat Enterprise Linux/CentOS is more suitable for servers, as there's a lot of professional level support available. I think that's important, because if I, say, have a car accident, I want the servers to be manageable by another professional.

Desktops/Laptops: RPM packages are pretty exchangeable between RedHat-based platforms. That's a good reason to run Fedora on the desktop.

SELinux: Running OpenVPN on a different port

To allow OpenVPN to run on a different port than 1194, you'll need to tweak your SELinux permissions:

/usr/sbin/semanage port -a -t openvpn_port_t -p udp 61616


SGS2: Silence the camera

  • Root your phone
  • Login through ssh, terminal or some other shell
  • Open the file /data/local.prop - this file may or may not exist
  • Add the following line to the file:
    ro.camera.sound.forced=0
  • Reboot the phone

Now, if the phone is silent, the camera will be silent. But if the phone's volume is not turned down, you will still hear the camera. You can silence the camera even more by removing the sound files. Login through some kind of shell and type:

mount /system -o remount,rw
cd /system/media/audio/ui
mv Shutter_01.ogg Shutter_01.ogg-original
mv camera_click.ogg camera_click.ogg-original
mv camera_click_short.ogg camera_click_short.ogg-original
cd /
mount /system -o remount,ro

On my phone, the camera used to do a focus-beep, followed by a shutter-click. I got it to shut up the shutter, but I couldn't disable the focus. So if I really don't want the subject of the photo to hear me, I'll just turn down the volume.


SGS2: Removing Bol.com app

Samsung has preinstalled several applications on the Samsung Galaxy S2 that cannot be uninstalled, such as the boekenbol application from bol.com. Now this wouldn't be a problem, if only it would stay in the background. But sometimes it doesn't.

In the last few days, a new version of boekenbol was released, and Android keeps nagging to upgrade the app. I don't want to upgrade, I don't want this app to have any permissions on my phone, but I can't remove the app.

My steps to remove boekenbol

First, I upgraded my phone using Samsung Kies to be running the latest Android version currently available. After the upgrade, I was running GINGERBREAD.XWKK2 on a 2.6.35.7-i9100XWKK2-CL726411 kernel.

Then I rooted the phone, using the CF-Root 5.0 version CF-Root-SGS2_XW_XEN_KK2-v5.0-CWM5. That was actually pretty easy to do.

I installed a few tools for easy access and convenience:

  • SuperUser: grant and manage Superuser rights for your phone. Don't know if this is required, but I do use it.
  • SSHDroid: SSH server for Android. Actually a dropbear implementation.

After starting SSHDroid, I start the Wi-Fi hotspot and connect my laptop to it. I logged on using ssh -l root. Then I performed the following commands.

mount /system -o remount,rw                      # mount read-write
mkdir /system/app-disabled
 
# move the (cr)app out of sight (i'm not totally removing the file from the disk, just in case)
mv /system/app/Bol.com_version_1.0.3.3.apk /system/app-disabled  
 
mount /system -o remount,ro                      # mount read-only

Other apps I've removed, include: MMM_Smartphone_1.5.1_final.apk MusicHub_10.apk ReadersHub.apk ReadersHub.odex SamsungIM.apk SocialHub.apk SocialHub.odex

My message to Bol.com

Nobody likes to be forced to have software installed that they don't want. I understand you want to promote your webshop, and pre-installing isn't a problem. But make it removable.

Also, mister Maurice Nieuwland, pointing to Samsung for complaints is a very, very childish reaction. Sure, Samsung is to blame for installing the crap. But they wouldn't have if bol.com didn't make them; you've signed the contract.

For forcing your software upon customers and people that aren't even your customers, I'll be boycotting bol.com until this app is removable by non-root users.


Firefox configuration settings

Useful Firefox settings. Change them in about:config

security.dialog_enable_delay: the delay in ms before you can click the "install plugin" button.
dom.max_script_run_time: maximum script runtime in seconds before Firefox asks if you want to terminate the script.

CUPS ERROR: Unable to write raster data to driver!

On my CUPS server, I've connected a Dymo 400 labelwriter. For some reason, while printing labels perfectly, I just can't get the imagetoraster filter to stop "crashing" with the following error:

ERROR: Unable to write raster data to driver!

So I fixed this the dirty way. I downloaded the CUPS Source RPM from CentOS. I installed it to /usr/src/redhat using the command rpm -i cups-1.4.2-35.el6.src.rpm. In the directory SOURCES, I added a file named geeklab.patch containing:

--- cups-1.4.2/filter/imagetoraster.c   2009-06-05 23:38:52.000000000 +0200
+++ cups-1.4.2/filter/imagetoraster.cpatched    2011-10-21 11:18:28.427271405 +0200
@@ -1197,7 +1197,7 @@
                fputs(_("ERROR: Unable to write raster data to driver!\n"),
                      stderr);
                cupsImageClose(img);
-               exit(1);
+               exit(0);
              }
             }
          }
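Review bot: changing exit(1) to exit(0) on this write-failure path makes imagetoraster report success to CUPS right after it has printed "ERROR: Unable to write raster data to driver!" and closed the image, so a label that genuinely never reached the driver will be marked completed and the job discarded instead of retried or flagged. If the error is harmless in this setup (the post says the labels print fine), consider keeping a nonzero status and instead finding why the driver rejects the last write, or at least log errno next to the fputs so a real driver failure stays visible in the CUPS error_log.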
@@ -1293,7 +1293,7 @@
               fputs(_("ERROR: Unable to write raster data to driver!\n"),
                    stderr);
              cupsImageClose(img);
-             exit(1);
+             exit(0);
            }
 
            /*
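Review bot: same change as the first hunk at a second call site; since the three error paths are now identical, factor them into one helper so the exit-status decision lives in one place, and record in the patch header why exit(0) is acceptable here, otherwise the next maintainer will read "ERROR" followed by a successful exit as a mistake and revert it.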
@@ -1333,7 +1333,7 @@
                fputs(_("ERROR: Unable to write raster data to driver!\n"),
                      stderr);
                cupsImageClose(img);
-               exit(1);
+               exit(0);
              }
             }
          }
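Review bot: with this third site also exiting 0, nothing in the filter's exit status distinguishes a clean run from one that hit the write error; if the intent is only to stop CUPS from failing the job, a narrower fix would keep exit(1) on the paths where no raster data was written at all and return 0 only where the page was already complete, so that partial or empty output is still reported.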

Then I added to the spec:

Patch700: geeklab.patch

after the line that starts with Patch100:, and

%patch700 -p1 -b .geeklab

just after the line that starts with %patch100.

Now you can use the regular rpmbuild commands to build packages:

rpmbuild -bs <specname>   to build a new SRPM
rpmbuild -ba <specname>   to build a new SRPM and binary RPMs

I personally prefer the first, as I mostly use mock to build clean destination RPMs.


Turn off Internet Explorer Enhanced Security Configuration in Windows Server 2008

  • Start Server Manager (servermanager.msc)
  • Go to the top node named "Server Manager (SERVERNAME)"
  • On the right side, under server summary>Security information, disable IE Enhanced Security Configuration (ESC) for whoever you like.