Redundant Internet Connections Using Linux

posted in: Tech | 0

Seann Herdejurgen

With the advent of high-speed Internet links from Internet Service Providers (ISPs), it’s easier for users to host services on their home computers. But what happens when your ISP connection goes down? An obvious solution is to have a redundant Internet connection from another ISP. To help set up a Linux host with redundant Internet connections, this article covers the following essentials:

1. Configuring the host to properly handle inbound network connections from multiple ISPs

2. Load-balancing outbound network connections

3. Configuring various services to enable redundancy

4. Configuring firewall protection using ipchains or iptables

Figure 1  depicts the home computer network configuration that is referred to throughout this article. The Linux host in  Figure 1  acts as a firewall between two separate connections to the Internet and an internal LAN. In this case, Ethernet interface eth1 uses DSL and Ethernet interface eth2 uses a cable modem. The Linux host load balances outbound network connections across the two ISPs. The ability to load balance between two ISPs is not restricted to high-speed network links. These same techniques can also be used to load balance between two dial-up connections.

The host used for testing the configuration in  Figure 1  was a dual-processor Intel Celeron, 533-MHz computer running Red Hat 6.2 with Linux kernel 2.2.18. It has also been tested under Red Hat 7.1 with Linux kernel 2.4.13. The configuration in this article does not require a dual-processor system, nor does it require a 533-MHz CPU. You can recycle your old Pentium 100 system with 32 MB of RAM to be your firewall. Some examples presented throughout this article are specific to Red Hat, but they can be easily modified to work with other Linux distributions.

The scope of this article precludes providing the step-by-step details on configuring Ethernet cards, compiling Linux kernels, or configuring DNS. Information on performing these tasks is readily available on the Internet and in numerous books.  http://www.linuxdoc.org/  is a good starting point for information.

Kernel Configuration

Linux kernels 2.2 and above support advanced routing techniques that are required to provide load balancing and multiple default routes on a Linux host. The following kernel networking options must be compiled into the kernel to support multiple connections to the Internet:

CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y

To access the advanced routing features of the new kernel, the iproute toolset must be installed. (It is now distributed with Red Hat 7.1) The iproute toolset is available from:

ftp://ftp.inr.ac.ru/ip-routing/

The iproute toolset provides two special commands for accessing advanced routing features —  ip  and  tc. Documentation for the  ip  command is available at:

http://snafu.freedom.org/linux2.2/docs/ip-cref/ip-cref.html

Source IP Routing

By default, TCP/IP packets are routed by examining the destination IP address and checking for a route to the destination network in the routing table. The routing table can be viewed with the  netstat -r command. If a route is found, the packet is sent to that network interface, otherwise the packet is sent to the default gateway. For most systems directly on the Internet, the default gateway is an ISP. In our case, this means that all outbound Internet connections go out of the DSL interface. This is not the desired behavior in an environment with redundant Internet connections. When you add a cable modem to the system, you don’t want your cable modem connections to respond using your DSL connection.

To solve this issue, we create multiple routing tables using the  ip  command. A routing table is selected based on the source IP address of the outbound packet. This is configured using the following commands:

# Setup source IP routing rules for DSL
ip rule add from 63.89.102.157 lookup 1
ip route add 10.0.0.0/24 via 10.0.0.1 table 1
ip route add 0/0 via 63.89.102.1 table 1


# Setup source IP routing rules for cable modem
ip rule add from 65.3.17.133 lookup 2
ip route add 10.0.0.0/24 via 10.0.0.1 table 2
ip route add 0/0 via 65.3.17.1 table 2

If an outbound packet is from source address 63.89.102.157 (DSL), then it looks at Routing Table 1, which has two entries:

> ip route list table 1
10.0.0.0/24 via 10.0.0.1 dev eth0
default via 63.89.102.1 dev eth1

The first line routes local traffic to the internal network, and the second line catches all remaining packets and sends them to the ISP over the DSL interface. Routing Table 2 for the cable modem interface behaves in the same fashion.

Load Balancing

To load balance outbound network connections from the internal network, the  CONFIG_IP_ROUTE_MULTIPATH  kernel option is used, which allows you to have multiple default gateways. It is set up by removing the default gateway from the  /etc/sysconfig/network  file and setting up the default gateway using advanced routing features with the following command:

# ip route add default equalize
     nexthop via 63.89.102.1 dev eth1
     nexthop via 65.3.17.1 dev eth2

To view the advanced routing table, use the following command:

> ip route list
255.255.255.255 dev eth0 scope link
255.255.255.255 dev eth2 scope link
255.255.255.255 dev eth1 scope link
10.0.0.1 dev eth0 scope link
63.89.102.157 dev eth1 scope link
65.3.17.133 dev eth2 scope link
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
63.89.102.0/24 dev eth1 proto kernel scope link src 63.89.102.157
65.3.17.0/24 dev eth2 proto kernel scope link src 65.3.17.133
127.0.0.0/8 dev lo scope link
default equalize
        nexthop via 63.89.102.1 dev eth1 weight 1
        nexthop via 65.3.17.1 dev eth2 weight 1

The  CONFIG_IP_ROUTE_MULTIPATH  kernel option causes Linux to “consider all these paths (default routes) to be of equal ‘cost’ and choose one of them in a non-deterministic fashion,” according to  /usr/src/linux/Documentation/Configure.help. The  equalize  option to the  ip route  command causes the Linux kernel to load balance outbound connections based on IP address. For a particular IP address, the kernel picks an interface on which it will transmit outbound packets; the kernel then records this decision as an entry in the routing cache for that IP address. Further connections to that IP address will occur over the same interface until the entry expires in the routing cache. You can view the routing cache with the command  ip route list cache.

Configuring Services

Various services (DNS, SMTP, HTTP, LDAP, SSH, etc.) can be made redundant by implementing round-robin DNS. DNS is made redundant by listing two authoritative NS records, one on each external interface. The TTL (time to live) on each DNS record has been reduced so that remote systems will only cache IP information for 30 minutes. This causes inbound traffic to be distributed across the two IP addresses in a round-robin fashion. For inbound SMTP connections, two MX records of equal weight (10) were added to DNS so that if one interface is down, inbound email will be delivered on the other interface.

You can use the  dig  command (nslookup  on steroids) to verify your DNS configuration as follows:

> dig alphapager.org any

; <<>> DiG 8.2 <<>> alphapager.org any
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 5
;; QUERY SECTION:
;;      alphapager.org, type = ANY, class = IN

;; ANSWER SECTION:
alphapager.org.    30M  IN  A   63.89.102.157
alphapager.org.    30M  IN  A   65.3.17.133
alphapager.org.    30M  IN  NS  ns.alphapager.org.
alphapager.org.    30M  IN  NS  ns.herdejurgen.com.
alphapager.org.    30M  IN  SOA proxy.alphapager.org. \
                                  root.proxy.alphapager.org. (
                         2001031000      ; serial
                         3H              ; refresh
                         1H              ; retry
                         1W              ; expiry
                         30M )           ; minimum

alphapager.org.     30M IN  MX 10 ns.herdejurgen.com.
alphapager.org.     30M IN  MX 10 ns.alphapager.org.

;; ADDITIONAL SECTION:
ns.alphapager.org.  30M IN  A  63.89.102.157
ns.herdejurgen.com. 30M IN  A  65.3.17.133

;; Total query time: 98 msec
;; FROM: pandora to SERVER: default -- 192.168.100.1
;; WHEN: Sat Mar 10 22:15:22 2001
;; MSG SIZE  sent: 32  rcvd: 326

All DNS records (except  ns.alphapager.org  and  ns.herdejurgen.com) now resolve to two IP addresses. For example:

> nslookup seann.herdejurgen.com
Server:  proxy-in.alphapager.org
Address:  10.0.0.1

Name:    seann.herdejurgen.com
Addresses:  65.3.17.133, 63.89.102.157

For Apache, multiple named virtual hosts are supported using the following lines in  httpd.conf:

NameVirtualHost 63.89.102.157:80
NameVirtualHost 65.3.17.133:80

Inbound LDAP and SSH traffic are distributed using round-robin DNS and require no special configuration.

Startup Scripts

A number of startup scripts had to be modified to support our network configuration. These scripts are specific to Red Hat, but can easily be modified for other Linux distributions. The  ip rule  commands need to be executed only once after the system boots. Add the following lines to the start section of the/etc/rc.d/init.d/network  script to accomplish this:

# Add non interface-specific static-rules
if [ -f /etc/sysconfig/static-rules ]; then
       sh /etc/sysconfig/static-rules
fi

The  /etc/sysconfig/static-rules  file contains:

# Setup source IP routing rules
ip rule add from 63.89.102.157 lookup 1
ip rule add from 65.3.17.133 lookup 2


# Setup load balancing
ip route add default equalize 
   nexthop via 63.89.102.1 dev eth1 
   nexthop via 65.3.17.1 dev eth2

ip route  commands must be executed each time you  ifup  the appropriate interface. Add the following lines to  /etc/sysconfig/network-scripts/ifup-routes:

# Add any advanced routes
grep "^advanced " /etc/sysconfig/static-routes |
    while read ignore dev args; do
        if [ "$dev" = "$1" ]; then
                /sbin/ip route add $args
        fi
done

The  /etc/sysconfig/static-routes  file contains:

advanced eth0 10.0.0.0/24 via 10.0.0.1 table 1
advanced eth0 10.0.0.0/24 via 10.0.0.1 table 2
advanced eth1 0/0 via 63.89.102.1 table 1
advanced eth2 0/0 via 65.3.17.1 table 2

Firewalls

If you have a host attached to the Internet, you should run a firewall to block unwanted traffic from accessing your host. Decide which services you will allow to be accessed over the Internet, and deny connections to all other services. Keep in mind that running a firewall does not mean that your system is secure. Any service you allow through the firewall may have its own security holes that hackers can exploit, so it is important that you keep your applications up-to-date with security patches.

Most firewall scripts only support a single external network connection connected to an internal network. To support multiple external network interfaces, some homegrown firewall scripts were written. The first script uses a packet-based firewall called ipchains that comes with Linux 2.2 kernels. The second script uses a packet-based firewall called iptables that comes with Linux 2.4 kernels. (It is possible to run an ipchains firewall under a Linux 2.4 kernel, but you cannot use both ipchains and iptables simultaneously.)

iptables is the successor to ipchains and is more powerful because it supports connection tracking, which gives Linux stateful firewall capabilities. iptables is also extensible, which means that new features (e.g., string matching) can be added to it without modifying the base source code for iptables. See the sidebar for  new iptables features. Both ipchains and iptables split traffic into several different chains of rules that decide whether to accept or reject a packet. iptables uses three tables of chains called filter, nat, and mangle to filter packets. When a packet traverses a chain, each rule is checked in sequence until a match is found.

The three standard chains in ipchains are called INPUT, FORWARD, and OUTPUT. These chains are also present in iptables in the filter table. The INPUT chain analyzes packets just after they arrive on a network interface. The FORWARD chain analyzes masqueraded packets. The OUTPUT chain analyzes packets just before they are sent out of a network interface.  Figure 2  depicts the path that packets follow while traversing the different chains in an ipchains firewall.

In iptables, two additional chains are available in the nat table — PREROUTING and POSTROUTING. These chains are used to perform masquerading, also known as network address translation. All packets traverse these chains when they arrive on a network interface and before they are sent out of a network interface. In iptables, the INPUT and OUTPUT chains handle packets destined for the firewall, and the FORWARD chain handles masqueraded packets only.  Figure 3  depicts the path that packets follow while traversing the different chains in an iptables firewall.

The mangle table in iptables uses the PREROUTING and OUTPUT chains to allow you to modify IP flags on packets, such as TTL (time to live) or TOS (type of service).

A more detailed description of how packets traverse the different chains in ipchains and iptables is available at:

http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-4.html

http://www.linuxdoc.org/LDP/nag2/x-087-2-firewall.future.html

Firewall Kernel Configuration

To set up an ipchains firewall using a Linux 2.2 kernel, you must enable the following features in your kernel configuration file:

CONFIG_IP_FIREWALL=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_SYN_COOKIES=y

To set up an iptables firewall using a Linux 2.4 kernel, you must enable the following features in your kernel configuration file:

CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_PSD=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_IPLIMIT=m
CONFIG_IP_NF_MATCH_STRING=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_ROUTE_TOS=y
CONFIG_SYN_COOKIES=y

At the time of this writing, some of these kernel features are not available in the mainstream Linux 2.4 kernel, however they can be added as patches. To add these features to your kernel, you should install Linux kernel 2.4.13 and iptables 1.2.4, which are available from:

http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.13.tar.gz

http://netfilter.filewatcher.org/iptables-1.2.4.tar.bz2

Use these directions to add experimental iptables patches to the kernel:

1. Install Linux 2.4.13 kernel in  /usr/src/linux  and get it running.

2. Extract  iptables-1.2.4.tar.bz2  into its own directory.

3.  iptables-1.2.4# make patch-o-matic

Answer  yes  to the following patches:

string
psd (port scan detection)
iplimit

Not every patch is compatible, so only select patches you intend to use.

4.  iptables-1.2.4# make install

5.  /usr/src/linux# make oldconfig

Answer  m  to the  CONFIG_IP_NF_MATCH  options that you patched into the kernel.

6. Recompile kernel and reboot.

Note that these instructions are specific to Linux kernel 2.4.13 and iptables 1.2.4. It is expected that these experimental features will become part of the mainstream kernel release sometime in the future.

Firewall Scripts

The basic flow of the firewall scripts is to set up the INPUT, FORWARD, and OUTPUT chains in succession. The iptables firewall script also configures the PREROUTING and POSTROUTING chains. Each script contains comments that describe what traffic is being accepted or rejected. Some packets are rejected while others are denied. A REJECT ignores packets and sends ICMP responses back to the senders notifying them that their packets were dropped. A DENY (ipchains) or DROP (iptables) simply drops the packet and does not send a response. This makes your system appear to be non-existent when probed on a particular port. The firewall scripts in this article are designed to drop packets on the INPUT and FORWARD chains so that no response is sent back to remote systems. The scripts will reject packets on the OUTPUT chain so that your local system will receive responses back for invalid outbound packets.

To install the firewall script on your Red Hat 7.1 system, place the script in  /etc/init.d/firewall  and execute the following command:

# chkconfig firewall on

To configure the firewall script for your system, you must edit the following two lines to define your internal and external interfaces:

INT_IFACE="eth0"
EXT_IFACES="eth1 eth2"

The INPUT chain explicitly opens up holes in the firewall for services that are allowed and denies the rest. You must edit the list of services for your particular system. Inbound connections are allowed using the following lines in the ipchains firewall script:

# ACCEPT TCP connections for various
# services found in /etc/services
for service in ftp ssh smtp domain 
               http auth ldap https; do
 ipchains -A INPUT -i $EXT_IFACE -p tcp 
   -d $IP $service -j ACCEPT
done

The firewall script loops through the various services that are allowed on the host. In this case, FTP, SSH, Sendmail, DNS (zone transfers), HTTP, ident, LDAP, and HTTPS. The names and port numbers for these TCP-based protocols can be found in the  /etc/services  file.

The INPUT chain also accepts any responses (returns) to connections originating locally with the following rules in the ipchains firewall script:

# ACCEPT non-SYN TCP packets on
# unprivileged ports (returns)
ipchains -A INPUT -i $EXT_IFACE -p tcp 
  ! -y -d $IP 1024: -j ACCEPT


# ACCEPT all UDP packets on unprivileged ports
ipchains -A INPUT -i $EXT_IFACE -p udp -d $IP 1024:
  -j ACCEPT

ipchains is not a stateful firewall, so this is the only way to accept return TCP traffic using it. iptables greatly improves security by supporting stateful firewalling, also called “connection tracking”, which means that packets are accepted only if they match an active connection that originated locally. This is handled in the iptables firewall script with the following rules:

# ACCEPT return TCP/UDP traffic (stateful firewall)
iptables -t filter -A INPUT -m state 
  --state ESTABLISHED -i $EXT_IFACE 
  -p tcp -d $IP --dport 1024: -j ACCEPT
iptables -t filter -A INPUT -m state 
  --state ESTABLISHED -i $EXT_IFACE 
  -p udp -d $IP --dport 1024: -j ACCEPT

Even though UDP is a stateless protocol, iptables connection tracking maintains a state table and only allows replies on UDP ports to traffic that originated locally.

The iptables firewall script accepts inbound connections and places new connections in the connection-tracking database with the following rule:

# ACCEPT inbound TCP connections for various
# services found in /etc/services
for service in ftp ssh smtp domain 
               http auth ldap https; do
  iptables -t filter INPUT -m state 
    --state NEW,ESTABLISHED -i $EXT_IFACE 
    -p tcp -d $IP --dport $service -j ACCEPT
done

You can view the connection tracking database by viewing the file  /proc/net/ip_conntrack.

The following iptables rule allows incoming active mode FTP connections on the firewall from TCP port 20 only if there is a related FTP in progress:

# ACCEPT active FTP data connections on firewall
iptables -t filter -A INPUT -m state --state RELATED 
  -i $EXT_IFACE -p tcp -d $IP --dport 1024: 
  --sport ftp-data -j ACCEPT

The following rule allows incoming DNS queries to BIND:

# ACCEPT inbound DNS requests
iptables -t filter -A INPUT -i $EXT_IFACE 
  -p udp -d $IP --dport domain -j ACCEPT

The following rules allow incoming NTP traffic from the United States Naval Observatory:

# ACCEPT inbound NTP updates from time servers
# tick.usno.navy.mil & tock.usno.navy.mil
for timehost in 192.5.41.40 192.5.41.41; do
  iptables -t filter -A INPUT -i $EXT_IFACE -p udp 
    -d $IP --dport ntp -s $timehost --sport ntp 
    -j ACCEPT
done

The FORWARD chain simply masquerades connections for systems on the internal network using network addresss translation (NAT). Most protocols work using NAT, while others need a little help by using a special module that re-writes IP addresses. Active mode FTP connections need a helper program to get through the firewall. You can masquerade active FTP connections by loading the  ip_masq_ftp  (ipchains) or  ip_nat_ftp  (iptables) module with the  modprobe  command (unless they are already compiled into the kernel). The remote machine in an active FTP connection tries to connect back to the local machine through the firewall for data transfers. The  ip_masq_ftp  module re-writes packets in your FTP connection so that the internal machine appears to be directly on the Internet. Passive mode FTP avoids this problem by transferring all data over TCP port 21. If you choose to support FTP, remember that it transfers passwords over the network in clear text and is not considered to be secure. A secure alternative to FTP is sftp, which uses secure sockets as its method of communication. sftp is distributed with the OpenSSH client tools.

Other masquerading modules for various applications can be found in the  /lib/modules/’uname -r’/ipv4  (ipchains) or  /lib/modules/’uname -r’/ kernel/net/ipv4/netfilter/  (iptables) directories.

The FORWARD chain uses the following iptables rules to masquerade packets traversing the firewall:

# ACCEPT new outbound traffic (stateful firewall)
iptables -t filter -A FORWARD -m state —state NEW,ESTABLISHED 
  -i $INT_IFACE -s $INT_NET -j ACCEPT

# ACCEPT return traffic (stateful firewall)
iptables -t filter -A FORWARD -m state —state NEW,ESTABLISHED,RELATED \
  -i $EXT_IFACE -s ! $INT_NET -j ACCEPT

# Pass Internet traffic to internal network unmodified
iptables -t nat -A POSTROUTING -o $INT_IFACE -j ACCEPT

# Masquerading outbound connections from internal network
iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE

The OUTPUT chain only accepts network traffic that is going out on the correct interface. The OUTPUT chain also prioritizes certain traffic by setting TOS (Type of Service) flags. For example, TOS flags can be used to prioritize interactive (SSH) traffic over FTP traffic. The different TOS flags are Minimize-Delay, Maximize-Throughput, Maximize-Reliability, and Minimize-Cost.

Many ISPs ignore TOS flags on packets; however, these flags are useful because the  CONFIG_IP_ROUTE_TOS  kernel option prioritizes outbound traffic based on these flags. This means that you can have a high-bandwidth application (such as a large FTP) running with “maximum throughput” while an interactive application (such as SSH) runs with “minimum delay”. Thus, the FTP won’t adversely impact your SSH connection performance.

TOS flags are set in the iptables firewall script in the PREROUTING and OUTPUT chains of the mangle table. The PREROUTING chain prioritizes inbound packets and the OUTPUT chain prioritizes outbound packets. The following rules are used to minimize the delay of SSH packets:

iptables -t mangle -A PREROUTING -j TOS 
  --set-tos Minimize-Delay -p tcp --dport ssh
iptables -t mangle -A OUTPUT -j TOS 
  --set-tos Minimize-Delay -p tcp --sport ssh

The OUTPUT chain also restricts the types of ICMP messages to which the system responds. ICMP messages for  ping  and  traceroute  are allowed, but timestamp messages (used in OS fingerprinting) are denied. ICMP responses are configured using the following lines of the ipchains firewall script:

# ACCEPT various ICMP messages
for message in echo-reply destination-unreachable 
               source-quench redirect echo-request 
               time-exceeded parameter-problem; do
  ipchains -A OUTPUT -p icmp -s 0/0 $message -j ACCEPT
done

The last few commands of the firewall scripts set up IP forwarding (masquerading/NAT), enable TCP SYN cookies (which helps reduce effects of TCP SYN-scan denial of service attacks), ignore various ICMP messages, enable reverse path routing (antispoof), and log martian packets with impossible addresses.

Firewall Maintenance

To check the effectiveness or your firewall rules, you must execute the firewall script with the following command:

# ./firewall status

Inspect the data in the first two columns of the output. Zeroes in these columns indicate that no packet matched that rule. This isn’t necessarily bad — zeroes in aDENY  or  DROP  rule could mean that no one is trying to hack your host using that particular rule. Zeroes in an  ACCEPT  rule means that no traffic is being accepted by that rule, however, traffic might be matching an earlier rule in the chain.

If you need to debug your firewall rules, be sure that every  REJECT  and  DENY  rule logs to the  /var/log/messages  file by including the  -l  option in your ipchains command. The iptables firewall script creates a special chain called  DROPLOG, which logs dropped packets. Remember to check your logs frequently for intruders. A useful tool for monitoring your firewall logs is called fwlogwatch and is available from:

http://cert.uni-stuttgart.de/projects/fwlogwatch/

These firewall scripts only allow returns on non-privileged ports, so you may need to update your SSH configuration to allow non-privileged ports by editing yourssh_config  file and adding the line:

UsePrivilegedPort no

Summary

I have been running in this configuration for about a year and have been pleased with its performance. However, there are a few issues with outbound connections when a network link goes down. If a single network link goes down, you still have redundancy for inbound connections at the application level. Outbound connections originating locally will be sporadic until you  ifdown  the interface of the failed ISP. You may want to update DNS if your outage extends for a long period of time. The problem occurs when you  ifup  the interface, because you then must re-add the routing entries in the secondary table (e.g.,  ip route add 0/0 via 63.89.102.1 table 1). The  ifup-routes  script was modified to add these advanced routes automatically. If the  ifdown  command is run on both interfaces, the default route will need to be added back in the main routing table (e.g.,  ip route add default equalize nexthop via…). Scripts to handle the different failover scenarios are left as an exercise for the reader.

References

I would like to thank Lars Kellogg-Stedman for his initial write-up on symmetric routing under Linux that became the starting point for my research. I would also like to thank Jeff Humes for his assistance in researching and testing this configuration. Much of the other information in this article was obtained from the Internet using the search engine google.com to uncover the following URLs:

fwlogwatch information page —
http://cert.uni-stuttgart.de/projects/fwlogwatch/

ICMP Usage in Scanning, by Ofir Arkin —
http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf

ipchains howto page —
http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-4.html

ipcref information page —
http://snafu.freedom.org/linux2.2/docs/ip-cref/ip-cref.html

iprouting information page —
ftp://ftp.inr.ac.ru/ip-routing/

iptables Tutorial 1.1.3, by Oskar Andreasson —
http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html

Linux Guruz iptables information page —
http://www.linuxguruz.org/iptables/

Linux Network Administrators Guide chapter “Netfilter and IP Tables (2.4 Kernels)” —
http://www.linuxdoc.org/LDP/nag2/x-087-2-firewall.future.html

Load-balancing information page —
ftp://sliepen.warande.net/pub/eql/load-balancing.txt

Transparent Proxy with Linux and Squid mini-HOWTO, by Daniel Kiracofe —
http://www.linuxdoc.org/HOWTO/mini/TransparentProxy.html

Seann Herdejurgen has been working with UNIX since 1987 and now architects UNIX solutions as a seniour consultant with Collective Technologies in Dallas, Texas. He holds a Master’s degree in Computer Science from Texas A&M University. He may be reached at:  seann@herdejurgen.com.