Sunday, September 7, 2014

Firewalls

Firewalls are mainly used as a means to protect an organization's internal network from those on the outside (the internet). They are used to keep outsiders from gaining access to secrets or from doing damage to internal computer systems. Firewalls are also used to limit the access of individuals on the internal network to services on the internet, and to keep track of what is done through the firewall. Please note the difference between firewalls and routers as described in the second paragraph of the IP Masquerading section.
Types of Firewalls

1.     Packet Filtering - Blocks selected network packets.

2.     Circuit Level Relay - SOCKS is an example of this type of firewall. This type of proxy is not aware of applications but simply cross-links your connection to another outside connection. It can log activity, but not in as much detail as an application proxy. It only works with TCP connections, and doesn't provide for user authentication.

3.     Application Proxy Gateway - The users connect to the outside using the proxy. The proxy gets the information and returns it to the user. The proxy can record everything that is done. This type of proxy may require a user login to use it. Rules may be set to allow some functions of an application to be done and other functions denied. The "get" function may be allowed in the FTP application, but the "put" function may not.

Proxy Servers can be used to perform the following functions.

    Control outbound connections and data.

    Monitor outbound connections and data.

    Cache requested data which can increase system bandwidth performance and decrease the time it takes for other users to read the same data.

Application proxy servers can perform the following additional functions:

    Provide for user authentication.

    Allow and deny application specific functions.

    Apply stronger authentication mechanisms to some applications.

Packet Filtering Firewalls

In a packet filtering firewall, data is forwarded based on a set of firewall rules. This firewall works at the network level. Packets are filtered by type, source address, destination address, and port information. These rules are similar to the routing rules explained in an earlier section and may be thought of as a set of instructions similar to a case statement or if statement. This type of firewall is fast, but cannot allow access to a particular user since there is no way to identify the user except by using the IP address of the user's computer, which may be an unreliable method. Also the user does not need to configure any software to use a packet filtering firewall such as setting a web browser to use a proxy for access to the web. The user may be unaware of the firewall. This means the firewall is transparent to the client.

Circuit Level Relay Firewall

A circuit level relay firewall is also transparent to the client. It listens on a port such as port 80 for http requests and redirects the request to a proxy server running on the machine. Basically, the redirect function is set up using ipchains, and the proxy then filters the packets at the port that received the redirect.

Configuring a Proxy Server

The following packages are available in Linux:

    Ipchains - Soon to be replaced by netfilter (packet filtering supported by the Linux kernel). It comes with Linux and is used to modify the kernel packet routing tables.

    SOCKS - Circuit switching firewall. Normally doesn't come with Linux, but is free.

    Squid - A circuit switching proxy. Normally comes with Linux.

    Juniper Firewall Toolkit - A firewall toolkit product used to build a firewall. It uses transparent filtering, and is circuit switching. It is available as open source.

    The TIS Firewall Toolkit (FWTK) - A toolkit that comes with application level proxies. The applications include Telnet, Rlogin, SMTP mail, FTP, http, and X windows. It can also perform as a transparent proxy for other services.

Ipchains and Linux Packet filtering

For complete information on the use of IP chains and setting up a firewall, see the following Linux how-tos:

    IPCHAINS-HOWTO

    Firewall-HOWTO

    IP-Masquerade-HOWTO

Some of the information in this section is based on these how-tos. This section summarizes and puts in simple steps some of the items you will be required to perform to set up a firewall. It is not meant as a replacement for the Linux how-to documents, but a complement to them by giving an overview of what must be done. You may access the howtos from one of the websites listed in the Linux websites section. The Linux Documentation Project or Metalab's Index of Linux publications will have copies of these howtos.

The administration of data packet management is controlled by the kernel. Therefore, to provide support for things like IP masquerading, packet forwarding, and port redirects, the support must be compiled into the kernel. The kernel contains a series of tables that each contain zero or more rules. Each table is called a chain. A chain is a sequence of rules. Each rule contains two items.

1.     Characteristics - Characteristics such as source address, destination address, protocol type (UDP, TCP, ICMP), and port numbers.

2.     Instructions - Instructions are carried out if the rule characteristics match the data packet.

The kernel filters each data packet for a specific chain. For instance when a data packet is received, the "input" chain rules are checked to determine the acceptance policy for the data packet. The rules are checked starting with the first rule (rule 1). If the rule characteristics match the data packet, the associated rule instruction is carried out. If they don't match, the next rule is checked. The rules are sequentially checked, and if the end of the chain is reached, the default policy for the chain is returned.

Chains are specified by name. There are three chains that are available and can't be deleted. They are:

1.     Input - Regulates acceptance of incoming data packets.

2.     Forward - Defines permissions to forward packets that have another host as a destination.

3.     Output - Permissions for sending packets.

Each rule has a branch name or policy. Policies are listed below:

    ACCEPT - Accept the data packet.

    REJECT - Drop the packet but send an ICMP message indicating the packet was refused.

    DENY - Drop and ignore the packet.

    REDIRECT - Redirect the packet to a local socket even if it is addressed to a remote host. Valid in input rules only. This applies to TCP or UDP packets.

    MASQ - Sets up IP masquerading. Works on TCP or UDP packets.

    RETURN - The next rule in the previous calling chain is examined.

You can create more chains then add rules to them. The commands used to modify chains are as follows:

    -N Create a new chain

    -X Delete an empty chain

    -L List the rules in the chain

    -P Change the policy for a chain

    -F Flush=Delete all the rules in a chain

    -Z Zero the packet and byte counters in all chains

Commands to manipulate rules inside the chain are:

    -A Append a new rule to a chain.

    -I Insert a new rule at some position in a chain.

    -R Replace a rule at some position in a chain.

    -D Delete a rule at some position in a chain.

Options for masquerading:

    -M with -L to list the currently masqueraded connection.

    -M with -S to set the masquerading timeout values.


IPchains Options for setting rule specifications:

    -s Source

    -d Destination

    -p Protocol=tcp, udp, icmp, all or a name from /etc/protocols

    -j Jump target, Specifies the target of the rule. The target can be a user defined chain, but not the one this rule is in.

    -i Interface=Name of the interface the packet is received on or the interface where the packet will be sent

    -t Mask used to modify the type of service (TOS) field in the IP header. This option is followed by two values, the first one is and'ed with the TOS field, and the second is exclusive or'ed. The masks are eight bit hexadecimal values. An example of use is "ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10" These bits are used to set priority. See the section on IP message formats.

    -f Fragment

When making changes to firewall rules, it is a good idea to deny all packets before making the changes, with the following three commands:

These commands insert a rule at position 1 that denies all packets for input, output, and forwarding. This is done so that no unauthorized packets are let through while the changes are being made. When your changes have been completed, you need to remove the rules at position 1 with the following commands:



Examples of the use of ipchains to allow various services

Create a new chain:

ipchains -N chainame

The option "-N" creates the chain.

Add the chain to the input chain:

ipchains -A input -j chainame

Allow connections to outside http servers from inside our network:

ipchains -A chainame -s 10.1.0.0/16 1024: -d 0.0.0.0/0 www -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-s 10.1.0.0/16 1024:" specifies any traffic on network 10.1.0.0 at port 1024 or above. The "-d 0.0.0.0/0 www" specifies any destination for www service (in the /etc/services file) and the "-j ACCEPT" sets the rule to accept the traffic.

Allow connections from the internet to connect with your http server:

ipchains -A chainame -s 0.0.0.0/0 www -d 10.1.1.36 1024: -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-s 0.0.0.0/0 www" specifies traffic from any source for www service. The "-d 10.1.1.36 1024:" specifies the http server at IP address 10.1.1.36 at ports above 1024 and the "-j ACCEPT" sets the rule to accept the traffic.

Allow DNS to go through the firewall:

ipchains -A chainame -p UDP -s 0/0 dns -d 10.1.0.0/16 -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-p UDP" specifies UDP protocol. The "-s 0/0 dns" specifies any dns traffic from any location. The "-d 10.1.0.0/16" specifies our network and the "-j ACCEPT" sets the rule to accept the traffic. This allows DNS queries from computers inside our network to be received.

Allow e-mail to go from our internal mail server to mailservers outside the network.

ipchains -A chainame -s 10.1.1.24 -d 0/0 smtp -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-s 10.1.1.24" specifies any traffic from 10.1.1.24 IP address. The "-d 0/0 smtp" specifies any smtp type of service going anywhere and the "-j ACCEPT" sets the rule to accept the traffic.

Allow e-mail to come from any location to our mail server:

ipchains -A chainame -s 0/0 smtp -d 10.1.1.24 smtp -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-s 0/0 smtp" specifies mail traffic from anywhere. The "-d 10.1.1.24 smtp" specifies mail traffic going to our mail server and the "-j ACCEPT" sets the rule to accept the traffic.

Perform a HTTP port redirect for a transparent proxy server:

ipchains -A input -p tcp -s 10.1.0.0/16 -d 0/0 80 -j REDIRECT 8080

The "-A input" adds a rule to the input chain. The "-p tcp" specifies the protocol TCP. The "-s 10.1.0.0/16" specifies the source as a network with netmask 255.255.0.0. The "-d 0/0" specifies a destination of anywhere. The number 80 is the HTTP port number, and the command "-j REDIRECT 8080" redirects the traffic to port 8080.

Give telnet transmissions a higher priority

ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10

The bits at the end of the line specified in hexadecimal format are used to set the priority of the IP message on the network. The first value is and'ed with the TOS field in the IP message header, and the second value is exclusive or'ed. See the section on IP message formats for more information.
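An added Python model (not part of the original page) of the chain walk described in the Ipchains section, fed the chainame rules from the examples above. The parser covers only the options these examples use (-N, -P, -A, -p, -s, -d, -j); the DENY default policy on the input chain, the service-to-port table and the test packets are assumptions made for this example.

```python
"""Model of ipchains evaluation: rules are tried in order and the first match decides;
-j follows into a user-defined chain, and a chain that runs out of rules hands the packet
back to its caller, so a built-in chain's default policy applies only when nothing matched."""
import ipaddress, shlex

SERVICES = {"www": 80, "dns": 53, "smtp": 25}   # the /etc/services names used above
POLICIES = {"ACCEPT", "REJECT", "DENY"}

def parse_port(spec):
    """'www' -> (80, 80); '1024:' -> (1024, 65535); '53' -> (53, 53)."""
    if spec in SERVICES:
        return (SERVICES[spec], SERVICES[spec])
    lo, sep, hi = spec.partition(":")
    return (int(lo or 0), int(hi) if hi else (65535 if sep else int(lo)))

class Firewall:
    def __init__(self):
        self.chains = {"input": [], "forward": [], "output": []}
        self.policy = {"input": "ACCEPT", "forward": "ACCEPT", "output": "ACCEPT"}

    def run(self, line):
        """Apply one ipchains command (subset: -N, -P, and -A with -p/-s/-d/-j)."""
        argv = shlex.split(line)[1:]                 # drop the leading 'ipchains'
        if argv[0] == "-N":
            self.chains[argv[1]] = []
            return
        if argv[0] == "-P":
            self.policy[argv[1]] = argv[2]
            return
        chain, i = argv[1], 2                        # anything else here is '-A chain ...'
        rule = dict.fromkeys(["proto", "src", "sport", "dst", "dport", "target"])
        while i < len(argv):
            opt, arg, i = argv[i], argv[i + 1], i + 2
            if opt == "-p":
                rule["proto"] = arg.lower()
            elif opt == "-j":
                rule["target"] = arg
            elif opt in ("-s", "-d"):                # address, optionally followed by a port
                side = "src" if opt == "-s" else "dst"
                rule[side] = ipaddress.ip_network("0.0.0.0/0" if arg == "0/0" else arg, strict=False)
                if i < len(argv) and not argv[i].startswith("-"):
                    rule[side[0] + "port"], i = parse_port(argv[i]), i + 1
            else:
                raise ValueError("unsupported option " + opt)
        self.chains[chain].append(rule)

    @staticmethod
    def matches(rule, pkt):
        in_net = lambda net, ip: ipaddress.ip_address(ip) in net
        in_rng = lambda rng, p: rng[0] <= p <= rng[1]
        tests = {"proto": lambda w, g: w == g, "src": in_net, "dst": in_net, "sport": in_rng, "dport": in_rng}
        return all(rule[f] is None or t(rule[f], pkt[f]) for f, t in tests.items())  # None = wildcard

    def verdict(self, chain, pkt):
        """First matching rule decides; a user chain that ends without one returns None."""
        for rule in (r for r in self.chains[chain] if self.matches(r, pkt)):
            if rule["target"] in POLICIES:
                return rule["target"]
            result = self.verdict(rule["target"], pkt)   # -j to a user-defined chain
            if result is not None:
                return result
        return self.policy.get(chain)                    # only built-in chains have a policy

def pkt(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def page_firewall():
    """The chainame rules from the examples above, plus an assumed DENY policy on input."""
    fw = Firewall()
    for line in ["ipchains -P input DENY",
                 "ipchains -N chainame",
                 "ipchains -A input -j chainame",
                 "ipchains -A chainame -s 10.1.0.0/16 1024: -d 0.0.0.0/0 www -j ACCEPT",
                 "ipchains -A chainame -s 0.0.0.0/0 www -d 10.1.1.36 1024: -j ACCEPT",
                 "ipchains -A chainame -p UDP -s 0/0 dns -d 10.1.0.0/16 -j ACCEPT",
                 "ipchains -A chainame -s 10.1.1.24 -d 0/0 smtp -j ACCEPT",
                 "ipchains -A chainame -s 0/0 smtp -d 10.1.1.24 smtp -j ACCEPT"]:
        fw.run(line)
    return fw
```

Note that the last rule, as written, only matches inbound mail whose source port is also 25; a mail client connecting from an ephemeral port falls through to the input chain's policy, which the model reports as DENY.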


Friday, July 25, 2014

IP Masquerading

IP masquerading is a form of network address translation (NAT) which allows internal computers with no known address outside their network, to communicate to the outside. It allows one machine to act on behalf of other machines. It's similar to someone buying stocks through a broker (without considering the monetary transaction). The person buying stocks, tells the broker to buy the stocks, the broker gets the stocks and passes them to the person who made the purchase. The broker acts on behalf of the stock purchaser as though he was the one buying the stock. No one who sold the stock knew or cared about whether the broker was buying for himself or someone else.

Please DO NOT confuse routers with firewalls and the performance of IP masquerading. The commands that allow IP masquerading are a simple form of a firewall, however routing is a completely different function, as described previously. Setting a computer up to act as a router is completely different than setting up a computer to act as a firewall. Although the two functions are similar in that the router or firewall will act as a communication mechanism between two networks or subnets, the similarity ends there. A computer can be either a router or a firewall, but not both. If you set up a computer to act as both a router and a firewall, you have defeated the purpose of your firewall!

If you refer to the diagram below, the machines on network 192.168.2.x will obtain services through gateway B using IP masquerading, when gateway B is setup properly. What basically happens when IP masquerading is set up on gateway B is described in the following example. If machine S6 tries to ping S2, its ping packages will be wrapped in a package for its default gateway, gateway B, because S6 knows by its netmask that S2 in on another network. When gateway B receives the packages from S6, it converts them to ping packages as though they were sent from itself and sends them to S2. As far as S2 can tell, gateway B has pinged it. S2 receives the packages and responds to gateway B. Gateway B then converts the packages to be addressed to S6 and sends them. This is why it is called IP masquerading, since gateway B masquerades for machines S4, S5, and S6. Machines S1 through S3 and gateway A cannot initiate any communication with S4 through S6. In fact they have no way to know that those machines even exist!
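An added Python model (not part of the original page) of the exchange just described: gateway B keeps a table of the connections it has masqueraded, rewrites S6's outbound packets to carry B's own address, maps S2's replies back, and has nothing to map an unsolicited packet from outside to. The addresses (S6 = 192.168.2.6, S2 = 192.168.1.2, B's outside address 192.168.1.254), the port numbers and the idle-entry expiry are assumptions made for this example.

```python
"""Toy model of what gateway B does in the ping example above: outbound packets from
the 192.168.2.x machines are rewritten to carry B's own address, replies are mapped
back through the table B kept, and a packet from outside that matches no entry has
no internal host to go to."""

class Masquerader:
    def __init__(self, external_ip, first_port=61000):
        self.external_ip = external_ip       # the address S2 sees as the sender
        self.next_port = first_port          # masquerade ports are handed out from here
        self.entries = {}                    # (proto, masq port) -> [inner ip, inner port, last seen]

    def to_outside(self, pkt, now=0):
        """Rewrite an outbound packet's source to B, reusing an entry when one exists.
        For ICMP echo the 'ports' stand in for the echo identifier."""
        for (proto, masq_port), e in self.entries.items():
            if proto == pkt["proto"] and e[:2] == [pkt["src"], pkt["sport"]]:
                e[2] = now
                return dict(pkt, src=self.external_ip, sport=masq_port)
        masq_port, self.next_port = self.next_port, self.next_port + 1
        self.entries[(pkt["proto"], masq_port)] = [pkt["src"], pkt["sport"], now]
        return dict(pkt, src=self.external_ip, sport=masq_port)

    def from_outside(self, pkt, now=0):
        """Translate an inbound packet back to the internal host, or return None (drop)
        when B never saw matching outbound traffic: S2 cannot reach S6 on its own."""
        e = self.entries.get((pkt["proto"], pkt["dport"]))
        if pkt["dst"] != self.external_ip or e is None:
            return None
        e[2] = now
        return dict(pkt, dst=e[0], dport=e[1])

    def expire(self, now, timeout):
        """Forget idle entries, as the masquerading timeouts set with ipchains -M -S do."""
        stale = [k for k, e in self.entries.items() if now - e[2] > timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)

def ping_exchange():
    """S6 pings S2 through B. Constructed addresses: S6 = 192.168.2.6,
    S2 = 192.168.1.2, B's outside interface = 192.168.1.254."""
    gw = Masquerader("192.168.1.254")
    request = {"proto": "icmp", "src": "192.168.2.6", "sport": 7, "dst": "192.168.1.2", "dport": 7}
    on_wire = gw.to_outside(request)           # what S2 actually receives: a ping from B
    reply = {"proto": "icmp", "src": on_wire["dst"], "sport": on_wire["sport"],
             "dst": on_wire["src"], "dport": on_wire["sport"]}
    delivered = gw.from_outside(reply)         # rewritten back to S6
    uninvited = {"proto": "tcp", "src": "192.168.1.2", "sport": 40000,
                 "dst": "192.168.1.254", "dport": 22}
    return on_wire, delivered, gw.from_outside(uninvited)
```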

IP masquerading allows internal machines that don't have officially assigned IP addresses to communicate with other networks and especially the internet. In Linux, IP masquerading support is provided by the kernel. To get it to work you must do essentially three things:

1. Be sure the kernel has support for IP masquerading. 

2. Be sure modules needed for support are loaded into the kernel. 

3. Set up the firewall rules. 

For complete information on the setup of IP masquerading, see the following Linux how-tos:

IPCHAINS-HOWTO 

Firewall-HOWTO 

IP-Masquerade-HOWTO 

Some of the information in this section is based on these how-tos. This section summarizes and puts in simple steps some of the items you will be required to perform to set up IP masquerading. It is not a replacement for the Linux how-to documents, but a complement to them by giving an overview of what must be done. You may access the howtos from one of the websites listed in the Linux websites section. The Linux Documentation Project or Metalab's Index of Linux publications will have copies of these howtos.

To set up IP masquerading in Linux you must first be sure your kernel supports IP masquerading with the following options set (This is for a 2.2.x kernel or higher):

Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?] - YES
Enable loadable module support (CONFIG_MODULES) [Y/n/?] - YES
Networking support (CONFIG_NET) [Y/n/?] - YES
Packet socket (CONFIG_PACKET) [Y/m/n/?] - YES
Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?] - YES
Routing messages (CONFIG_RTNETLINK) [Y/n/?] - NO
Network firewalls (CONFIG_FIREWALL) [Y/n/?] - YES
TCP/IP networking (CONFIG_INET) - YES
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?] - NO
IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE) [Y/n/?] - YES
IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?] - YES
IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK) [Y/n/?] - YES
IP: always defragment (required for masquerading) (CONFIG_IP_ALWAYS_DEFRAG) [Y/n/?] - YES
IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?] - YES
IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?] - YES
IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD) [Y/n/?] - YES
IP: ipautofw masquerade support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [Y/n/?] - NO
IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/n/?] - YES
IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW) [Y/m/n/?] - NO
IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n/?] - YES
IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?] - NO
IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES) [Y/n/?] - YES
Network device support (CONFIG_NETDEVICES) [Y/n/?] - YES
Dummy net driver support (CONFIG_DUMMY) [M/n/y/?] - YES
/proc filesystem support (CONFIG_PROC_FS) [Y/n/?] - YES

These are the kernel options you need for IP Masquerade. You will need to select other options for your specific hardware and network setup. Read the IP masquerade and kernel howtos for more information. You may also want to see the section about how to compile the Linux kernel in the Linux User's Guide in the Linux section of this documentation.

Create the following text and place it in a file "/etc/rc.d/rc.firewall". This will load your needed modules into your kernel and set up your basic firewall rules. If you copy the file from this page, be sure to remove carriage returns when you get it into Linux or it may not work properly.

#!/bin/sh
# rc.firewall - Initial SIMPLE IP Masquerade setup for 2.0.x kernels using IPFWADM
#
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current available IP MASQ modules
# are shown below but are commented out from loading.

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
# RealAudio WILL function but in TCP mode.  This can cause a reduction
# in sound quality
#
#/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default.  This module is
# for multiple users behind the Linux MASQ server.  If you are going to play
# Quake I, II, and III, use the second example.
#
# Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
# Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
/sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme

# Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive

# CRITICAL: Enable IP forwarding since it is disabled by default.
#
# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
#
# to
#
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
# If you get your Internet IP address dynamically from SLIP, PPP, or DHCP, enable the following
# option.  This enables dynamic-ip address hacking in IP MASQ, making life
# with DialD, PPPd, and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160

# DHCP: For people who receive their external IP address from either DHCP or BOOTP
# such as ADSL or Cablemodem users, it is necessary to use the following
# before the deny command.  The "bootp_client_net_if_name" should be replaced with
# the name of the link that the DHCP/BOOTP server will put an address on to.
# This will be something like "eth0", "eth1", etc.
#
# This example is enabled below with eth1 as the interface name; comment it out
# if your external address is static.
#
/sbin/ipchains -A input -j ACCEPT -i eth1 -s 0/0 67 -d 0/0 68 -p udp

# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example for an internal LAN address in the 192.168.0.x
# network with a 255.255.255.0 or a "24" bit subnet mask.
#
# Please change this network number and subnet mask to match your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 10.1.199.0/24 -j MASQ

Add the following line to the "/etc/rc.d/rc.local" file: /etc/rc.d/rc.firewall

Of course the machines that you are configuring to be behind the machine providing the masquerading service should be configured to use that as their gateway. In this case S4 through S6 should use gateway B as their default gateway.


Tuesday, June 17, 2014

More Complex Networking Routing

Now let's modify the small network in the example in the previous section. The 192.168.1.x network is changed to 192.168.x.x and gateway B's address is changed to 192.168.10.1. All the netmasks on the computers on the 192.168.x.x network are modified to 255.255.0.0 to accommodate the change, except machine S3, which keeps the netmask 255.255.255.0 and changes its address to 192.168.10.3. This effectively puts S3 on a different network than S2 and S1; it no longer believes it can talk directly to them and must go through gateway B to talk to them. It can't even talk to gateway A anymore, since it can't address it directly. Machines S1, S2, and A are not on network 192.168.10.0; their addresses are 192.168.1.*. S1 and S2 can talk to S3, but S3 will not be able to respond unless it utilizes gateway B.




Please be aware that in the example in the previous section, gateway A was aware of gateway B. If it were not, no messages could have been transmitted from the internet to the 192.168.2.0 network. In this example, gateway A knows nothing about gateway B, and as far as it's concerned, the network 192.168.2.0 is part of 192.168.0.0 and there is no gateway between them. Gateway B does know about gateway A and is using that gateway as its default gateway. Therefore, if S1 and S2 use gateway A for their default gateway, they will not be able to talk to S4, S5, or S6 unless their routing table is modified. S1 and S2 will be able to talk to S3, however, assuming S3 is using gateway B.



Here is a listing of machine S1's routing table, using gateway A as default and no other routes.


Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.1.5     *               255.255.255.255 UH    0      0   0   eth0
192.168.0.0     *               255.255.0.0     U     0      0   0   eth0
127.0.0.0       *               255.0.0.0       U     0      0   0   lo
default         192.168.1.1     0.0.0.0         UG    0      0   0   eth0



Here it is modified to let it use network 192.168.2.0.


Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.1.5     *               255.255.255.255 UH    0      0   0   eth0
192.168.0.0     *               255.255.0.0     U     0      0   0   eth0
192.168.2.0     192.168.10.1    255.255.255.0   UG    0      0   0   eth0
192.168.2.0     *               255.255.255.0   U     0      0   0   eth0
127.0.0.0       *               255.0.0.0       U     0      0   0   lo
default         192.168.1.1     0.0.0.0         UG    0      0   0   eth0



It specifies gateway B, 192.168.10.1, to be used if the destination is 192.168.2.x.
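An added Python example (not part of the original page) that applies the kernel's route selection to S1's two tables above: an entry matches when the packet address ANDed with its Genmask equals its Destination, and the longest Genmask wins, with ties going to the earlier entry. The host addresses looked up are assumptions for this example.

```python
"""Route selection as the kernel does it on S1 with the two tables above: an entry
matches when (address AND Genmask) equals its Destination, and the longest Genmask
wins, with ties going to the earlier entry."""
import ipaddress

BEFORE = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.1.5     *               255.255.255.255 UH    0      0   0   eth0
192.168.0.0     *               255.255.0.0     U     0      0   0   eth0
127.0.0.0       *               255.0.0.0       U     0      0   0   lo
default         192.168.1.1     0.0.0.0         UG    0      0   0   eth0
"""

AFTER = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.1.5     *               255.255.255.255 UH    0      0   0   eth0
192.168.0.0     *               255.255.0.0     U     0      0   0   eth0
192.168.2.0     192.168.10.1    255.255.255.0   UG    0      0   0   eth0
192.168.2.0     *               255.255.255.0   U     0      0   0   eth0
127.0.0.0       *               255.0.0.0       U     0      0   0   lo
default         192.168.1.1     0.0.0.0         UG    0      0   0   eth0
"""

def parse_table(text):
    """Turn a 'route' listing into (dest, mask, gateway-or-None, iface) tuples."""
    rows = []
    for line in text.splitlines()[1:]:              # skip the header line
        dest, gw, mask, _flags, *_counters, iface = line.split()
        if dest == "default":
            dest, mask = "0.0.0.0", "0.0.0.0"
        rows.append((int(ipaddress.IPv4Address(dest)), int(ipaddress.IPv4Address(mask)),
                     None if gw in ("*", "0.0.0.0") else gw, iface))
    return rows

def route(table, addr):
    """Return (next hop, iface); next hop is None when the address is directly attached."""
    a = int(ipaddress.IPv4Address(addr))
    best = None
    for dest, mask, gw, iface in table:
        if (a & mask) == dest and (best is None or mask > best[0]):
            best = (mask, gw, iface)                 # strict '>' keeps the earlier entry on ties
    return None if best is None else (best[1], best[2])

def gateway_reachable(table, gw):
    """A gateway is usable only if the table reaches it without going through another gateway."""
    hop = route(table, gw)
    return hop is not None and hop[0] is None

def compare(addr):
    """Next hop for addr before and after the 192.168.2.0 route was added."""
    return route(parse_table(BEFORE), addr), route(parse_table(AFTER), addr)
```

Note that with the first table a packet for 192.168.2.6 matches the 192.168.0.0/255.255.0.0 entry and is sent directly on eth0, not to gateway A at all; only the added entry sends it to gateway B.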

The figure below shows an ethernet network with bus topology, excluding the hubs. It is a large Class A network with many subnetworks. The machines labeled A through D are routers or potential routers, and each has two network interface cards (NICs). These machines may be called gateways since their function is to be a gate to another location. Each card has a valid address on its own network or subnetwork. The table below lists each gateway, and each NIC address and associated network.



Gateway   eth0         eth0 network   eth1            eth1 network
A         10.0.0.1     10.x.x.x       164.25.74.131   Internet
B         10.0.0.2     10.x.x.x       10.1.0.1        10.1.x.x
C         10.0.0.3     10.x.x.x       10.2.0.1        10.2.x.x
D         10.0.0.4     10.x.x.x       10.3.0.1        10.3.x.x
E         10.3.50.1    10.3.x.x       10.3.100.1      10.3.100.x
F         10.1.0.2     10.1.x.x       10.1.20.1       10.1.20.x
G         10.2.0.2     10.2.x.x       192.168.1.1     192.168.1.x
H         10.3.100.2   10.3.100.x     10.3.150.1      10.3.150.x
I         10.3.150.2   10.3.150.x     192.168.1.2     192.168.1.x


In this figure, there are nine gateways, which are labeled A through I. There are multiple paths between several networks. The possible paths between networks 10.1.100.x and 192.168.1.x can be through gateways E, D, C, then G (E-D-C-G) or through gateways H-I. The path from 10.3.100.x to 10.1.20.x can be E-D-B-F or H-I-G-C-B-F. Obviously there are ways to set up the routing paths that may not be fully efficient. In this type of network, the administrator must give careful thought to the setup of the routing tables in the gateways. It would be easy to set up an infinite packet routing loop in this network, where some packets go in circles from router to router. Here's how I would route for this network.

The below table lists each network and their default router.


Network        Default Router
10.3.100.x     E
10.3.150.x     H
192.168.1.x    G
10.1.20.x      F
10.1.x.x       B
10.2.x.x       C
10.3.x.x       D
10.x.x.x       A


The router, I, is not used as a default router for any network.

The table below lists an abbreviated route table for each gateway.


Router   Destination     Gateway
A        192.168.1.x     C
         10.1.x.x        B
         10.2.x.x        C
         10.3.x.x        D
         10.x.x.x        10.0.0.1
         default         internet
B        10.1.20.x       F
         10.1.x.x        10.1.0.1
         default         A
C        192.168.1.x     G
         10.2.x.x        10.2.0.1
         default         A
D        10.3.150.x      E
         10.3.100.x      E
         10.3.x.x        10.3.0.1
         default         A
E        192.168.1.x *   H
         10.3.150.x      H
         10.3.100.x      10.3.100.1
         default         D
F        10.1.20.x       10.1.20.1
         default         B
G        10.3.100.x *    I
         192.168.1.x     192.168.1.1
         10.3.150.x *    I
         default         C
H        192.168.1.x     I
         10.3.100.x      10.3.100.2
         10.3.150.x      10.3.150.1
         default         E
I        10.3.100.x      H
         192.168.1.x     192.168.1.2
         10.3.150.x      10.3.150.2
         default         G


The destinations with '*' indicate destinations that shorten the normal route path through network 10.3.150.x.

Also in this network since there are multiple possible paths, dynamic routing can be used to provide alternate routing, if one router goes down.
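An added Python example (not part of the original page) that encodes the abbreviated route tables above and traces a packet router by router using the most-specific-match rule, then checks every router and sample destination for the forwarding loops the text warns about. The sample host addresses and the misconfigured variant are constructed for this example.

```python
"""Forwarding across the lettered gateways using the abbreviated route tables above.
Each router picks its most specific matching entry (a next-hop router letter, one of
its own interface addresses, or 'internet'); tracing hop by hop shows the path a
packet takes and catches route loops."""

ROUTES = {   # router -> [(destination, gateway)] as listed in the table above
    "A": [("192.168.1.x", "C"), ("10.1.x.x", "B"), ("10.2.x.x", "C"), ("10.3.x.x", "D"),
          ("10.x.x.x", "10.0.0.1"), ("default", "internet")],
    "B": [("10.1.20.x", "F"), ("10.1.x.x", "10.1.0.1"), ("default", "A")],
    "C": [("192.168.1.x", "G"), ("10.2.x.x", "10.2.0.1"), ("default", "A")],
    "D": [("10.3.150.x", "E"), ("10.3.100.x", "E"), ("10.3.x.x", "10.3.0.1"), ("default", "A")],
    "E": [("192.168.1.x", "H"), ("10.3.150.x", "H"), ("10.3.100.x", "10.3.100.1"), ("default", "D")],
    "F": [("10.1.20.x", "10.1.20.1"), ("default", "B")],
    "G": [("10.3.100.x", "I"), ("192.168.1.x", "192.168.1.1"), ("10.3.150.x", "I"), ("default", "C")],
    "H": [("192.168.1.x", "I"), ("10.3.100.x", "10.3.100.2"), ("10.3.150.x", "10.3.150.1"), ("default", "E")],
    "I": [("10.3.100.x", "H"), ("192.168.1.x", "192.168.1.2"), ("10.3.150.x", "10.3.150.2"), ("default", "G")],
}
SAMPLE_HOSTS = ["10.0.0.7", "10.1.0.7", "10.1.20.7", "10.2.0.7", "10.3.0.7",
                "10.3.100.7", "10.3.150.7", "192.168.1.7"]   # constructed: one host per network

def matches(pattern, addr):
    """'10.3.x.x' matches 10.3.100.7: every fixed octet must agree; 'default' matches all."""
    if pattern == "default":
        return True
    return all(p in ("x", a) for p, a in zip(pattern.split("."), addr.split(".")))

def lookup(router, addr, routes=ROUTES):
    """Most specific match wins (most fixed octets), as with longest-prefix routing."""
    best = None
    for pattern, hop in routes[router]:
        fixed = 0 if pattern == "default" else sum(o != "x" for o in pattern.split("."))
        if matches(pattern, addr) and (best is None or fixed > best[0]):
            best = (fixed, hop)
    return best[1]

def trace(start, addr, routes=ROUTES):
    """Return (path of routers, outcome): 'delivered' onto a directly attached network,
    'internet' through A's default, or 'loop' when a router is visited twice."""
    path, router = [start], start
    while True:
        hop = lookup(router, addr, routes)
        if hop not in routes:                      # an interface address or 'internet'
            return path, "internet" if hop == "internet" else "delivered"
        path.append(hop)
        if hop in path[:-1]:
            return path, "loop"
        router = hop

def find_loops(routes=ROUTES):
    """Every (router, destination) pair whose trace never terminates."""
    return [(r, h) for r in routes for h in SAMPLE_HOSTS if trace(r, h, routes)[1] == "loop"]

def misconfigured():
    """Constructed mistake (not from the page): H and I use each other as default."""
    bad = {r: list(t) for r, t in ROUTES.items()}
    bad["H"][-1] = ("default", "I")             # the default entry is last in each table
    bad["I"][-1] = ("default", "H")
    return bad
```

With the tables as given, the trace from E to 10.1.20.x goes E-D-A-B-F, because D's only route toward 10.1.x.x is its default to A; the shorter E-D-B-F path mentioned above would need an explicit 10.1.x.x entry on D pointing at B.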