Re: [PLUG] How do I use a tablet WiFi hotspot for my desktop machine?

2016-07-24 Thread Dick Steffens
On 07/24/2016 06:03 PM, Russell Senior wrote

> Dick> Done. Is that something that goes away when the laptop is shut
> Dick> down?
>
> If you just type it manually, and shutdown means reboot, then yes.

That's what I thought. I don't expect to shut the laptop down once it's 
set up, but I should probably create a shell script file for it.

> Dick> <...> but I can't reach the Internet from the other
> Dick> laptop connected to the router.
>
> The other laptop is connected to the Buffalo or the mobile hotspot?

The Buffalo router. Its address is 192.168.0.221

> From your routing laptop (the one you are using to connect the buffalo
> to the hotspot), send me the output of:
>
>   ip a

1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:26:2d:fd:c9:73 brd ff:ff:ff:ff:ff:ff
    inet 10.253.0.1/24 brd 10.253.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::226:2dff:fefd:c973/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0:  mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:26:c6:ca:75:40 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.48/24 brd 192.168.1.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::226:c6ff:feca:7540/64 scope link
       valid_lft forever preferred_lft forever


>   ip r

default via 192.168.1.1 dev wlan0  proto static
10.253.0.0/24 dev eth0  proto kernel  scope link  src 10.253.0.1
169.254.0.0/16 dev eth0  scope link  metric 1000
192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.48  metric 9

> and
>
>   iptables -v -t nat -L

Chain PREROUTING (policy ACCEPT 3300 packets, 227K bytes)
  pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 29 packets, 5435 bytes)
  pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1289 packets, 88566 bytes)
  pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 464 packets, 31746 bytes)
  pkts bytes target prot opt in out source destination
  825 56820 MASQUERADE  all  --  any    wlan0   anywhere             anywhere

> From the other devices, including the buffalo (you should be able to ssh
> in), try pinging the various addresses of significance, and see what
> replies.  That should provide some clues.

I tried pinging 8.8.8.8 from the second laptop and from the router 
(using ssh) and got no return. I get a return when pinging from the X200 
laptop.

-- 
Regards,

Dick Steffens

___
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
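
Added example, not part of the thread: a Python check of the two conditions Russell gave (a MASQUERADE rule on the outbound interface, and non-conflicting subnets) run over the `ip r` and `iptables` output pasted above. The function names are hypothetical, and the Buffalo LAN is assumed to be 192.168.0.0/24 from "serves 192.168.0.xxx".

```python
import ipaddress
from itertools import combinations

# Output quoted in the message above (wrapped lines rejoined, columns respaced).
IP_ROUTE = """\
default via 192.168.1.1 dev wlan0  proto static
10.253.0.0/24 dev eth0  proto kernel  scope link  src 10.253.0.1
169.254.0.0/16 dev eth0  scope link  metric 1000
192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.48  metric 9
"""
NAT_TABLE = """\
Chain POSTROUTING (policy ACCEPT 464 packets, 31746 bytes)
 pkts bytes target     prot opt in     out     source     destination
  825 56820 MASQUERADE  all  --  any    wlan0   anywhere   anywhere
"""

def parse_routes(text):
    """Return (default-route device, [(device, connected network), ...])."""
    default_dev, connected = None, []
    for fields in (line.split() for line in text.splitlines()):
        if "dev" not in fields[:-1]:
            continue
        dev = fields[fields.index("dev") + 1]
        if fields[0] == "default":
            default_dev = dev
        elif "kernel" in fields:  # "proto kernel": route created by an address on dev
            connected.append((dev, ipaddress.ip_network(fields[0])))
    return default_dev, connected

def masquerade_out_ifaces(text):
    """Out-interfaces of MASQUERADE rules in the nat POSTROUTING chain."""
    ifaces, in_chain = set(), False
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("Chain "):
            in_chain = fields[1] == "POSTROUTING"
        elif in_chain and len(fields) >= 7 and fields[2] == "MASQUERADE":
            ifaces.add(fields[6])
    return ifaces

def check_gateway(route_text, nat_text, downstream_lan):
    """List violations of the two conditions given in the thread."""
    default_dev, nets = parse_routes(route_text)
    covered = masquerade_out_ifaces(nat_text) & {default_dev, "any"}
    problems = [] if covered else [f"no MASQUERADE rule for traffic leaving {default_dev}"]
    nets.append(("downstream LAN", ipaddress.ip_network(downstream_lan)))
    for (name_a, net_a), (name_b, net_b) in combinations(nets, 2):
        if net_a.overlaps(net_b):
            problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    return problems
```

On the output from the thread, `check_gateway(IP_ROUTE, NAT_TABLE, "192.168.0.0/24")` returns an empty list: the addressing and the NAT rule satisfy both conditions.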


Re: [PLUG] How do I use a tablet WiFi hotspot for my desktop machine?

2016-07-24 Thread Russell Senior
> "Dick" == Dick Steffens  writes:

Dick> On 07/23/2016 03:56 PM, Russell Senior wrote:
>> You don't need the gateway or dns-nameservers.  The laptop's default
>> gateway will be set by its wlan interface DHCP lease.
>> 
>> So, just:
>> 
>> auto eth0
>> iface eth0 inet static
>>    address 10.253.0.1
>>    netmask 255.255.255.0
>>    network 10.253.0.0
>> 
>> The network part (i.e. 10.253.0) should be different than what your
>> mobile hotspot is providing, and different than what your Buffalo is
>> providing.  Otherwise, it can be anything in the 10.x.y.z range or
>> 192.168.x.y range that doesn't conflict.  The .1 as the host part is
>> traditional for a gateway router (though tastes vary), which your
>> laptop is for the Buffalo.

Dick> I used your example.

Dick> The mobile hotspot gave wlan0 on the X200 an address of
Dick> 192.168.43.206.  I can access the Internet from the X200.

Dick> The Buffalo router serves 192.168.0.xxx.

>> You want to have an iptables rule on the laptop to do the NAT.
>> Assuming the wireless interface is wlan0, then:
>> 
>> iptables -t nat -I POSTROUTING -o wlan0 -j MASQUERADE
>> 
>> That will handle the routing back to your Buffalo.

Dick> Done. Is that something that goes away when the laptop is shut
Dick> down?

If you just type it manually, and shutdown means reboot, then yes.

>> 
>>> [...] I know I have to install isc-dhcp-server on the X200 before I
>>> can connect the router to it.
>> A simpler alternative is to log in to the Buffalo and give it a
>> static configuration on its WAN interface as well, for example:
>> 
>>    ip: 10.253.0.2
>>    netmask: 255.255.255.0
>>    gateway: 10.253.0.1
>>    dns: 8.8.8.8 (or whatever you like)

Dick> I'm trying the simpler solution and have set the router's WAN
Dick> interface to static, with the above details. I did a Save and
Dick> Apply from the LuCI interface on the router.

Dick> Before that the WAN showed that it was not connected. After
Dick> changing it to static I clicked the Connect button. It does show
Dick> as connected, now, but I can't reach the Internet from the other
Dick> laptop connected to the router.

The other laptop is connected to the Buffalo or the mobile hotspot?

From your routing laptop (the one you are using to connect the buffalo
to the hotspot), send me the output of:

  ip a

  ip r

and

  iptables -v -t nat -L

From the other devices, including the buffalo (you should be able to ssh
in), try pinging the various addresses of significance, and see what
replies.  That should provide some clues.


-- 
Russell Senior, President
russ...@personaltelco.net


Re: [PLUG] How do I use a tablet WiFi hotspot for my desktop machine?

2016-07-24 Thread Dick Steffens
On 07/23/2016 03:56 PM, Russell Senior wrote:
> You don't need the gateway or dns-nameservers.  The laptop's default
> gateway will be set by its wlan interface DHCP lease.
>
> So, just:
>
> auto eth0
> iface eth0 inet static
>    address 10.253.0.1
>    netmask 255.255.255.0
>    network 10.253.0.0
>
> The network part (i.e. 10.253.0) should be different than what your
> mobile hotspot is providing, and different than what your Buffalo is
> providing.  Otherwise, it can be anything in the 10.x.y.z range or
> 192.168.x.y range that doesn't conflict.  The .1 as the host part is
> traditional for a gateway router (though tastes vary), which your laptop
> is for the Buffalo.

I used your example.

The mobile hotspot gave wlan0 on the X200 an address of 192.168.43.206. 
I can access the Internet from the X200.

The Buffalo router serves 192.168.0.xxx.

> You want to have an iptables rule on the laptop to do the NAT.  Assuming
> the wireless interface is wlan0, then:
>
>    iptables -t nat -I POSTROUTING -o wlan0 -j MASQUERADE
>
> That will handle the routing back to your Buffalo.

Done. Is that something that goes away when the laptop is shut down?

>
>> [...] I know I have to install isc-dhcp-server on the X200 before I
>> can connect the router to it.
> A simpler alternative is to log in to the Buffalo and give it a static
> configuration on its WAN interface as well, for example:
>
>    ip: 10.253.0.2
>    netmask: 255.255.255.0
>    gateway: 10.253.0.1
>    dns: 8.8.8.8 (or whatever you like)

I'm trying the simpler solution and have set the router's WAN interface 
to static, with the above details. I did a Save and Apply from the LuCI 
interface on the router.

Before that the WAN showed that it was not connected. After changing it 
to static I clicked the Connect button. It does show as connected, now, 
but I can't reach the Internet from the other laptop connected to the 
router.

I must have missed something. Any ideas what?



-- 
Regards,

Dick Steffens



Re: [PLUG] postfix spf rejection

2016-07-24 Thread Michael Rasmussen
On Sun, Jul 24, 2016 at 11:51:39AM -0700, wes wrote:
> On Sun, Jul 24, 2016 at 9:52 AM, Michael Rasmussen 
> wrote:
> > 
> > [snipped]
> >
> [blah blah blah...]
> 
> 
> > In short, postfix's SPF checker is the only entity that associates
> > 167.88.112.146 with cave.michaelsnet.us
> >
> > What is, or may be, causing this?
> >
> I don't have a solid answer for you, but I can add that I've seen a few
> similar failures elsewhere recently. Your actual SPF record is as follows:
> 
> $ host -t txt michaelrpdx.com
> michaelrpdx.com TXT "v=spf1 mx a"
> 
> Which instructs postfix to look up the mx record for michaelrpdx.com and
> automatically authorize that host to send emails for that domain. This
> relies on the second DNS lookup (the first being for the SPF record) to
> succeed, which may not always be the case. I would advise adding the IP
> address of the server to your SPF record. This has worked well for me in
> the past in similar situations.
 
And the a at the end asserts anything that matches A or  records is 
acceptable too.

Note:
host -t mx michaelrpdx.com
michaelrpdx.com mail is handled by 10 cave.michaelrpdx.com.

I'll add the specific address records, but considering it's already valid I'm 
not hopeful.

-- 
  Michael Rasmussen, Portland Oregon  
Be Appropriate && Follow Your Curiosity
A prohibitionist is the sort of man one wouldn't care to drink with - even if 
he drank.
~ H. L. Mencken


Re: [PLUG] postfix spf rejection

2016-07-24 Thread wes
On Sun, Jul 24, 2016 at 9:52 AM, Michael Rasmussen 
wrote:

> Investigating an instance of SPF rejection by postfix.
>
> The postfix SPF module receiving mail for @michaelsnet.us is rejecting
> email from @michaelrpdx.com
>
> Relevant log message:
> Jul 24 09:36:58 rumpus postfix/smtpd[3844]: NOQUEUE: reject: RCPT from
> cave.michaelrpdx.com[167.88.112.146]: 550 5.7.1 :
> Recipient address rejected: Message
> rejected due to: SPF fail - not authorized. Please see
> http://www.openspf.net/Why?s=mfrom;id=mich...@michaelrpdx.com;ip=167.88.112.146;r=mich...@michaelsnet.us
> ;
> from= to= proto=ESMTP
> helo=
> Jul 24 09:36:59 rumpus postfix/smtpd[3844]: disconnect from
> cave.michaelrpdx.com[167.88.112.146]
>
>
[blah blah blah...]


> In short, postfix's SPF checker is the only entity that associates
> 167.88.112.146 with cave.michaelsnet.us
>
> Having beat my head against the wall attempting to resolve this I'm pretty
> sure I'm missing something simple.
>
> What is, or may be, causing this?
>
>
I don't have a solid answer for you, but I can add that I've seen a few
similar failures elsewhere recently. Your actual SPF record is as follows:

$ host -t txt michaelrpdx.com
michaelrpdx.com TXT "v=spf1 mx a"

Which instructs postfix to look up the mx record for michaelrpdx.com and
automatically authorize that host to send emails for that domain. This
relies on the second DNS lookup (the first being for the SPF record) to
succeed, which may not always be the case. I would advise adding the IP
address of the server to your SPF record. This has worked well for me in
the past in similar situations.

Hopefully someone else has better ideas. I'll be looking for them also.

-wes
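
Added example, not part of the thread: a small Python evaluator for the `ip4`, `a`, `mx` and `all` mechanisms (an IPv4-only subset of RFC 7208) showing how the result for `v=spf1 mx a` depends on the follow-up MX and A lookups, and how an `ip4:` term placed first removes that dependency. The resolver is a stub over constructed zone data; `make_resolver` and `check_spf` are hypothetical names, and the A record for cave.michaelrpdx.com is assumed to match the PTR quoted in the thread.

```python
import ipaddress

class DNSTimeout(Exception):
    """Simulated lookup that never got an answer."""

# Constructed zone: the MX target and sending IP are quoted in the thread; the
# A record for cave.michaelrpdx.com is an assumption consistent with its PTR.
ZONE = {("michaelrpdx.com", "MX"): ["cave.michaelrpdx.com"],
        ("cave.michaelrpdx.com", "A"): ["167.88.112.146"]}

def make_resolver(zone, failing_types=()):
    """Stub resolver (hypothetical helper); the listed record types time out."""
    def lookup(name, rtype):
        if rtype in failing_types:
            raise DNSTimeout(f"{rtype} {name}")
        return zone.get((name, rtype), [])
    return lookup

def check_spf(record, domain, client_ip, lookup):
    """Evaluate ip4, a, mx and all left to right (IPv4-only subset of RFC 7208)."""
    ip = ipaddress.ip_address(client_ip)
    has_ip = lambda name: any(ipaddress.ip_address(a) == ip for a in lookup(name, "A"))
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        result = qualifiers.get(term[0], "pass")
        mech, _, arg = term.lstrip("+-~?").partition(":")
        try:
            if mech == "all":
                matched = True
            elif mech == "ip4":  # literal comparison, no DNS involved
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                matched = has_ip(arg or domain)
            elif mech == "mx":  # MX lookup, then an A lookup per MX host
                matched = any(has_ip(h) for h in lookup(arg or domain, "MX"))
            else:
                return "permerror"  # anything outside this subset
        except DNSTimeout:
            return "temperror"  # lookup failed, mechanism cannot be evaluated
        if matched:
            return result
    return "neutral"  # nothing matched and the record has no "all"
```

Terms are evaluated in order, so `ip4:` only helps when it precedes `mx`; with no `all` term, a sender that matches nothing ends up neutral.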


Re: [PLUG] A Postfix Question

2016-07-24 Thread Rich Shepard
On Sun, 24 Jul 2016, Louis Kowolowski wrote:

> You may wish to put your RBL checks into something spam assassin where you
> can include it in the overall score. There are many IPs which get
> blacklisted and there may not be practical ways to get off the list, or
> the owner of the block may not care (ISP?). I found that including them in
> the overall scoring rather than blatantly bouncing meant that I could
> still travel around and send mail through my system more easily.

Louis,

   I have SA up and running. It does do a very good job.

Thanks,

Rich


[PLUG] postfix spf rejection

2016-07-24 Thread Michael Rasmussen
Investigating an instance of SPF rejection by postfix.

The postfix SPF module receiving mail for @michaelsnet.us is rejecting email 
from @michaelrpdx.com

Relevant log message:
Jul 24 09:36:58 rumpus postfix/smtpd[3844]: NOQUEUE: reject: RCPT from 
cave.michaelrpdx.com[167.88.112.146]: 550 5.7.1 : 
Recipient address rejected: Message
rejected due to: SPF fail - not authorized. Please see 
http://www.openspf.net/Why?s=mfrom;id=mich...@michaelrpdx.com;ip=167.88.112.146;r=mich...@michaelsnet.us;
from= to= proto=ESMTP 
helo=
Jul 24 09:36:59 rumpus postfix/smtpd[3844]: disconnect from 
cave.michaelrpdx.com[167.88.112.146]

What openspf.net reports:
a...@michaelsnet.us rejected a message that claimed an envelope sender 
address of mich...@michaelrpdx.com.
mich...@michaelsnet.us received a message from cave.michaelsnet.us 
(167.88.112.146) that claimed an envelope sender address of 
mich...@michaelrpdx.com.

The domain michaelrpdx.com has authorized cave.michaelsnet.us 
(167.88.112.146) to send mail on its behalf, so the message should have been 
accepted. It is impossible for us to say
why it was rejected.


And a bit of DNS validations:

$) host cave.michaelsnet.us
Host cave.michaelsnet.us not found: 3(NXDOMAIN)
$) host 167.88.112.146
146.112.88.167.in-addr.arpa domain name pointer cave.michaelrpdx.com.

In short, postfix's SPF checker is the only entity that associates 
167.88.112.146 with cave.michaelsnet.us

Having beat my head against the wall attempting to resolve this I'm pretty sure 
I'm missing something simple.

What is, or may be, causing this?

-- 
  Michael Rasmussen, Portland Oregon  
Be Appropriate && Follow Your Curiosity
Even a gulag has a certain romance to it.
~ Renee Russell


Re: [PLUG] A Postfix Question

2016-07-24 Thread Louis Kowolowski
You may wish to put your RBL checks into something spam assassin where you can 
include it in the overall score. There are many IPs which get blacklisted and 
there may not be practical ways to get off the list, or the owner of the block 
may not care (ISP?). I found that including them in the overall scoring rather 
than blatantly bouncing meant that I could still travel around and send mail 
through my system more easily.

YMMV


> On Jul 23, 2016, at 2:15 PM, Rich Shepard  wrote:
> 
> On Sat, 23 Jul 2016, Jim Garrison wrote:
> 
>> We'd have to see your main.cf sections relating to blacklisting, and the
>> lookup tables they refer to.
> 
> Jim,
> 
>   Would these be in the # JUNK MAIL CONTROLS section, such as ...?
> 
> smtpd_client_restrictions =
> check_client_access hash:/etc/postfix/internal_network,
> permit_mynetworks,
> check_client_access cidr:/etc/postfix/cidr/spammers.cidr,
> check_client_access hash:/etc/postfix/badaddr,
> check_client_access cidr:/etc/postfix/badip,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rbl_client sbl-xbl.spamhaus.org,
> reject_rbl_client combined.njabl.org,
> reject_rbl_client psbl.surriel.com,
> reject_rbl_client bl.spamcop.net,
> reject_rhsbl_sender dsn.rfc-ignorant.org,
> check_sender_mx_access cidr:/etc/postfix/bogus_mx,
> check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions,
> check_sender_access hash:/etc/postfix/common_spam_senderdomains,
> permit
> 
> smtpd_recipient_restrictions =
> permit_sasl_authenticated,
> permit_mynetworks,
> reject_unauth_destination,
> check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
> check_recipient_access hash:/etc/postfix/recipients,
> check_helo_access pcre:/etc/postfix/helo_checks,
> reject_non_fqdn_recipient,
> reject_non_fqdn_sender,
> reject_unknown_client_hostname,
> reject_unknown_reverse_client_hostname,
> reject_non_fqdn_hostname,
> reject_invalid_hostname,
> permit
> 
>> Also master.cf if you have any external mail filters configured.
> 
>   Nope. Nothing there.
> 
> Rich

--
Louis Kowolowski    lou...@cryptomonkeys.org

Cryptomonkeys:   http://www.cryptomonkeys.com/ 


Making life more interesting for people since 1977


