Thursday, May 31, 2012

Dual network interface setup

So, I have both wired and wireless available and want certain traffic to flow through specific interfaces.  The wired interface will carry the general traffic and the wireless will carry traffic only for specific private subnets.

Assume that the wireless has a gateway of 10.1.12.1 and I want all 10.0.0.0 traffic to flow through that interface.  Also suppose I want a large portion of the 192.168.0.0 range to flow through the same interface.  However, the IP address associated with the wireless interface will change via DHCP whenever it comes online.

The following batch file sets up a route for these two ranges to flow through the IP address associated with the wireless interface, but only if the wireless gateway is a specific value.  All other traffic flows by default through the wired interface.  Because the route table prefers the most specific matching route over a more general one, I can have a local wired subnet (a /24) inside either the 10.x.x.x/8 or the 192.168.x.x/16 range and it will still use the wired interface, and general internet traffic will still follow the default route on the wired interface.


@echo off
set WANGW=10.1.12.1
REM Pull the route-table line(s) that mention the wireless gateway.
REM Note: find matches substrings, so 10.1.12.1 also matches e.g. 10.1.12.100.
route print | find "%WANGW%" > %temp%\WANIP.txt
REM "route print" columns are: destination, netmask, gateway, interface, metric.
REM If more than one line matched, the last one wins.
for /f "tokens=3,4" %%i in (%temp%\WANIP.txt) do (
    set WANGW_FOUND=%%i
    set WANIP=%%j
)
REM Quoting both sides keeps the comparison valid when nothing matched (empty variable).
if "%WANGW%"=="%WANGW_FOUND%" (
    route add 10.0.0.0/8 %WANIP%
    route add 192.168.0.0/16 %WANIP%
)
del %temp%\WANIP.txt
set WANGW=
set WANGW_FOUND=
set WANIP=
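As an added example (not from the original post), the Python below parses a constructed route print listing, looks up the wireless interface address by comparing the whole gateway field rather than by substring as the batch file's find does, and applies the longest-prefix rule described above: the local wired /24 beats the /8 and /16 routes, and everything else follows the lowest-metric default route. The interface addresses and metrics are assumed.

```python
import ipaddress

# Constructed "route print" excerpt for a host with a wired adapter (10.5.5.20,
# gateway 10.5.5.1) and a wireless adapter (10.1.12.55, gateway 10.1.12.1),
# after the batch file has added 10.0.0.0/8 and 192.168.0.0/16 via the
# wireless interface address. Addresses and metrics are made up for this example.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.5.5.1       10.5.5.20      10
          0.0.0.0          0.0.0.0        10.1.12.1      10.1.12.55      25
         10.0.0.0        255.0.0.0       10.1.12.55      10.1.12.55      26
         10.5.5.0    255.255.255.0          On-link       10.5.5.20     266
        10.1.12.0    255.255.255.0          On-link      10.1.12.55     281
      192.168.0.0      255.255.0.0       10.1.12.55      10.1.12.55      26
===========================================================================
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each route line."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # headers, separators, blank lines
        try:
            net = ipaddress.ip_network((parts[0], parts[1]), strict=False)
            routes.append((net, parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue                      # not a route line
    return routes

def wan_interface_ip(routes, gateway):
    """Interface address of the default route whose gateway field equals `gateway`.
    Whole-field comparison: find "10.1.12.1" would also match 10.1.12.100."""
    for net, gw, iface, _metric in routes:
        if net.prefixlen == 0 and gw == gateway:
            return iface
    return None

def select_interface(routes, dest):
    """Outgoing interface for `dest`: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    _net, _gw, iface, _metric = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return iface
```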

The following XML file can be imported into Task Scheduler as a task that runs the route add batch file above when the wireless adapter comes online (WLAN-AutoConfig event ID 8001, logged on a successful wireless connection).  Change the placeholders, DOMAIN\user and full_path_to\routeadd_batch, as appropriate.  Because the task runs with RunLevel HighestAvailable, keep the batch file somewhere only administrators can modify.

 <?xml version="1.0" encoding="UTF-16"?>  
 <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">  
  <RegistrationInfo>  
   <Date>2011-09-14T14:46:16.4794248</Date>  
   <Author>DOMAIN\user</Author>  
   <Description>Wireless Network Adapter connected</Description>  
  </RegistrationInfo>  
  <Triggers>  
   <EventTrigger>  
    <Enabled>true</Enabled>  
    <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-WLAN-AutoConfig/Operational"&gt;&lt;Select Path="Microsoft-Windows-WLAN-AutoConfig/Operational"&gt;*[System[Provider[@Name='Microsoft-Windows-WLAN-AutoConfig'] and EventID=8001]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>  
   </EventTrigger>  
  </Triggers>  
  <Principals>  
   <Principal id="Author">  
    <UserId>DOMAIN\user</UserId>  
    <LogonType>InteractiveToken</LogonType>  
    <RunLevel>HighestAvailable</RunLevel>  
   </Principal>  
  </Principals>  
  <Settings>  
   <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>  
   <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>  
   <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>  
   <AllowHardTerminate>true</AllowHardTerminate>  
   <StartWhenAvailable>false</StartWhenAvailable>  
   <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>  
   <IdleSettings>  
    <StopOnIdleEnd>true</StopOnIdleEnd>  
    <RestartOnIdle>false</RestartOnIdle>  
   </IdleSettings>  
   <AllowStartOnDemand>true</AllowStartOnDemand>  
   <Enabled>true</Enabled>  
   <Hidden>false</Hidden>  
   <RunOnlyIfIdle>false</RunOnlyIfIdle>  
   <WakeToRun>false</WakeToRun>  
   <ExecutionTimeLimit>P3D</ExecutionTimeLimit>  
   <Priority>7</Priority>  
  </Settings>  
  <Actions Context="Author">  
   <Exec>  
    <Command>full_path_to\routeadd_batch</Command>  
   </Exec>  
   <ShowMessage>  
    <Title>Wireless Adapter online</Title>  
    <Body>route added</Body>  
   </ShowMessage>  
  </Actions>  
 </Task>  

(code formatting courtesy of http://codeformatter.blogspot.com)

Tuesday, March 13, 2012

Remote CMD reset spooler


(thanks to http://www.gameaddict.eu/tag/how-to-fix-a-printer-spooler-error/ for this tip)

Remote CMD reset spooler – you need to have administrative privileges on the remote computer. The script can be used to restart the spooler on remote computer systems.


REM Replace computername with the remote host name or its IP address.
REM Query the spooler state; the second find sets ERRORLEVEL to 0 only if it is stopped.
sc \\computername query spooler | find /I "STATE" | find /I "stopped"
REM ERRORLEVEL 1 means the spooler is running, so stop it; otherwise skip to :NEXT
if "%ERRORLEVEL%"=="1" (sc \\computername stop spooler) ELSE GOTO NEXT

:NEXT
@echo The Spooler is stopped. Mapping the Jobs folder to delete the temp files
REM sc stop returns before the service has finished stopping; if the del below
REM reports files in use, wait a moment and run the script again.

REM Map the spool folder to a drive letter, because cmd cannot use a UNC path as the current directory.
net use x: \\computername\C$\windows\system32\spool\printers
x:
REM Delete the spooled files; this is safe now that the spooler is not running.
del /q *.*

REM Leave the mapped drive before unmapping it, then start the Print Spooler again.
c:
net use x: /delete
sc \\computername start spooler

REM Query the spooler to confirm it is running.
sc \\computername query spooler | find /I "STATE" | find /I "RUNNING"
if not errorlevel 1 @echo Spooler has been started

Wednesday, December 23, 2009

Fix for re-imaging Lenovo X61t laptops


Problem:

Re-imaging using Clonezilla and rebooting a Lenovo X61t laptop threw up the error "Signature Failure"

Solution:
Quoting from http://www.ecs.umass.edu/pipermail/umasslug/2008-August/003380.html
However:  I did get the idea from various websites that it seemed to be an issue with the MBR, so I started playing with options in Clonezilla. It turns out that if I de-select the -g auto and -r options, and select -t1, the system works. I've just confirmed on two of the broken systems, so it looks like it's going to be a consistent fix.

It looks like this is a common issue on the Lenovo laptops, so I'm glad to have found a solution. (Also, I've got six more to image today, and possibly more next week...)

That worked.  It appears that -t1 replaces the MBR with the pre-made syslinux MBR.

Wednesday, September 23, 2009

Registry Permissions resetting

Ok ... I could have used this recently as we migrated from a Samba-based domain to an AD domain.  The quickest way to migrate 20+ users was to just add the new domain user to the local admin group and then repoint their Docs and Settings folder to their old folder.

Using the SubInACL tool (http://www.winhelponline.com/blog/reset-the-registry-and-the-file-permissions-in-windows-xp) might have made the process both easier and more secure.

Read up on Subinacl at http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

Also check out SecEdit at http://support.microsoft.com/kb/313222/

Wednesday, September 2, 2009

IPCop SMTP Trap

After an event where a visitor managed to generate enough spam that our mail server was blacklisted, I decided to configure our firewall, IPCop, to prevent a future occurrence.

After a visit to the forums as well as the blog, http://www.subvs.co.uk/smtp_blocking_with_ipcop, I wrote a shell script to effect the desired blocks.

The Setup:
  1. Guests are permitted only on the IPCop Blue network.
  2. We have a local mail server 6xx.1.2.3 attached to our IPCop DMZ (Orange) network.
  3. Our primary domain MX server is reachable over the VPN at 192.168.y.y or over the internet at 5xx.1.2.3.
  4. Users on our trusted Green network are permitted to send mail to our MX server over the internet or over the VPN.
  5. Our admin uses one local PC (192.168.x.x) for testing SMTP traffic, so that IP is permitted to send SMTP outbound anywhere.
The Approach:
  1. Permit any outbound SMTP from GREEN_OKIP1
  2. Permit anyone on GREEN to connect to the MX server (internet or VPN)
  3. Permit the local mail server on ORANGE to send outbound SMTP anywhere
  4. Log and block all other outbound SMTP requests over the RED interface
The Limits:
  1. Guests on the BLUE network cannot send email via SMTP.  Period.
  2. GREEN users cannot send email except through the MX server.
I chose to put the rules in a separate rc.firewall.smtp shell script and call it from within the rc.firewall.local script.  This made it easier to test without disturbing the main firewall protections.

Caution:  Make sure that you run rc.firewall.smtp stop before making any rule changes.  The stop action removes rules with iptables -D, which only deletes a rule that matches the script's current definition exactly; editing first leaves the old rules in CUSTOMFORWARD and means a whole lot of cleanup later :)  Note also that the script matches only ports 25 and 465; mail submission on port 587 is not covered by these rules.


The File:

#!/bin/sh
# Used to block outbound SMTP traffic
# Edited: AmAdmin 20090903

eval $(/usr/local/bin/readhash /var/ipcop/ppp/settings)
eval $(/usr/local/bin/readhash /var/ipcop/ethernet/settings)

# Local admin PC for SMTP testing
GREEN_OKIP1=192.168.x.x
# Local mail servers (VPN/MX/RELAY)
MAILSRV1=192.168.y.y
MAILSRV2=5xx.1.2.3
MAILSRV3=6xx.1.2.3

allow_smtp() {
    # allow smtp outbound from GREEN to the trusted mail server ips (VPN and internet MX)
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -d $MAILSRV1 --dport 25 -j ACCEPT
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -d $MAILSRV1 --dport 465 -j ACCEPT
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -d $MAILSRV2 --dport 25 -j ACCEPT
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -d $MAILSRV2 --dport 465 -j ACCEPT
    # allow the ORANGE mail server to send smtp outbound anywhere
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $ORANGE_DEV -s $MAILSRV3 --dport 25 -j ACCEPT
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $ORANGE_DEV -s $MAILSRV3 --dport 465 -j ACCEPT
    # permit smtp outbound from trusted GREEN ip addresses to anywhere
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -s $GREEN_OKIP1 --dport 25 -j ACCEPT
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -s $GREEN_OKIP1 --dport 465 -j ACCEPT
}

log_smtp() {
    # log all remaining smtp outbound over RED (only traffic not accepted above reaches this rule)
    # note: the prefix has no trailing space, so the log lines read "SMTP_IN=..."
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -o $RED_DEV --dport 25 -j LOG --log-prefix "SMTP_"
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -o $RED_DEV --dport 465 -j LOG --log-prefix "SMTP-SSL_"
}

block_smtp() {
    # drop all remaining smtp outbound over RED
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -o $RED_DEV --dport 25 -j DROP
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -o $RED_DEV --dport 465 -j DROP
}

# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
        ACTION=A
        allow_smtp
        log_smtp
        block_smtp
        ;;
  stop)
        ## add your 'stop' rules here
        ACTION=D
        allow_smtp
        log_smtp
        block_smtp
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  status)
        /sbin/iptables -nvL CUSTOMFORWARD
        ;;
  *)
        echo "Usage: $0 {start|stop|reload|status}"
        ;;
esac
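As an added example (not part of the original script), here is Python that reads the kernel log lines written by the LOG rules above (prefixes SMTP_ and SMTP-SSL_) and counts blocked attempts per source, which is how a spamming guest on BLUE would show up. The sample log lines and the interface-to-zone mapping are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of kernel log lines as written by the LOG rules above.
# --log-prefix "SMTP_" has no trailing space, so the prefix abuts "IN=".
# The interface-to-zone mapping is an assumption for this example.
ZONES = {"eth0": "GREEN", "eth1": "RED", "eth2": "BLUE", "eth3": "ORANGE"}

LOG_LINES = """\
Sep  3 10:15:02 ipcop kernel: SMTP_IN=eth2 OUT=eth1 SRC=10.10.0.23 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=49152 DPT=25 SYN
Sep  3 10:15:02 ipcop kernel: SMTP_IN=eth2 OUT=eth1 SRC=10.10.0.23 DST=203.0.113.8 LEN=60 PROTO=TCP SPT=49153 DPT=25 SYN
Sep  3 10:15:03 ipcop kernel: SMTP-SSL_IN=eth2 OUT=eth1 SRC=10.10.0.23 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=49154 DPT=465 SYN
Sep  3 10:16:40 ipcop kernel: SMTP_IN=eth0 OUT=eth1 SRC=192.168.1.44 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51000 DPT=25 SYN
Sep  3 10:17:01 ipcop kernel: IN=eth0 OUT=eth1 SRC=192.168.1.44 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51001 DPT=80 SYN
"""

LOG_RE = re.compile(
    r"(?P<prefix>SMTP(?:-SSL)?_)IN=(?P<in>\S+) OUT=(?P<out>\S+) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse_smtp_log(text):
    """Yield one record per line carrying an SMTP_ or SMTP-SSL_ prefix.

    Every such line is a blocked attempt: the ACCEPT rules run before the LOG
    rule and the DROP rule follows it, so only traffic about to be dropped is logged.
    """
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["zone"] = ZONES.get(rec["in"], rec["in"])
            rec["dpt"] = int(rec["dpt"])
            yield rec

def blocked_by_source(text):
    """Count blocked outbound SMTP attempts per (zone, source IP)."""
    return Counter((r["zone"], r["src"]) for r in parse_smtp_log(text))

def noisy_sources(text, threshold):
    """Source IPs with at least `threshold` blocked attempts: candidates for a spam host."""
    return sorted(src for (_zone, src), n in blocked_by_source(text).items() if n >= threshold)
```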

Thursday, August 27, 2009

Copy path to clipboard - XP64

This is a utility that I immensely enjoyed once I found it. I didn't know how _much_ I used it until I moved to XP64 and 'lost' that functionality. What a pain!

However, I finally found a replacement that "just works": http://stefan.bertels.org/en/clipboardpath

I just installed V1.2 and it worked without even requiring a reboot! One nice feature is the use of the CTRL key to translate the path to the full UNC path. That could be very useful as the UNC is common across all users but the share mapping may be different.

<clapping hands>
