April 13, 2005

Using a Linux failover router

Author: Preston St. Pierre

Today, it's hard to imagine an organization operating without taking advantage of the vast resources and opportunities that the Internet provides. The Internet's role has become so significant that no organization can afford to have its Net connection going down for too long. Consequently, most organizations have some form of a secondary or backup connection ready (such as a leased line) in case their primary Net connection fails. However, the process of switching over from the primary to the backup connection, if done manually by the system administrator, can take some time, depending upon how ready the backup setup is and on the availability of the administrator at the right moment. The process can even become a costly affair if the organization must buy dedicated routers for the purpose of automatic switchover. But there is an easy and cost-effective alternative -- setting up a Linux failover router.

In this article we will look at setting up an existing Linux machine as a failover router to provide quick and automatic switchover from a dead Internet connection (the primary connection) to one that is operational (the secondary connection).

To begin, you'll need a PC with any recent GNU/Linux distro installed. You'll also need three network cards to put into this Linux box. Two of the three network cards, say eth0 and eth1, will connect to the Internet routers/gateways of your primary ISP (say ISP1) and secondary ISP (say ISP2). The third network card, say eth2, will connect to your internal LAN.

Setting up the network

Begin by setting up your network based on the configuration information available to you. You can make the configurations from the X Window GUI using the Network utility. To do so, open the Network utility from Main Menu > System Settings > Network. This will open up a network configuration window displaying a list of all the network cards installed on your system. Double-click on the network card you wish to configure, select the Statically Set IP Addresses option, and assign the IP address along with the subnet mask. There is also a Default Gateway Address field; you can leave it blank for the time being, as it can be specified later from the command line.

Assign the IP addresses provided to you by your ISPs to the two network cards, eth0 and eth1. In our setup, we assigned eth0= and eth1= (which are public IP addresses), along with the subnet mask

Assign a private IP address based on your internal LAN subnet to your third card. We assigned eth2=, where was the address range for our internal LAN setup. Save your changes and exit.

Now turn on IP packet forwarding on the Linux box by changing the value of net.ipv4.ip_forward to 1 in the /etc/sysctl.conf file and executing the command:

# sysctl -p

Next, you need to configure iptables by adding certain rules, so that your internal LAN can route packets to the Internet. For this, issue the following commands as root:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# iptables -A FORWARD -s -j ACCEPT

# iptables -A FORWARD -d -j ACCEPT

# iptables -A FORWARD -s ! -j DROP

The first two commands turn on masquerading in the NAT table by appending a POSTROUTING rule (-A POSTROUTING) for all packets leaving either of the two Internet-facing interfaces, eth0 and eth1, so that the internal LAN's private addresses are rewritten to the address of whichever interface the packet goes out on. The next two lines accept forwarding of all packets to and from the internal network. The last line drops forwarded packets that do not come from the internal network. Because iptables evaluates the FORWARD chain in order, that DROP rule only sees packets that matched neither of the two ACCEPT rules above it.

To make the iptables rules permanent, save them as follows (this is the file the iptables init script reloads at boot on Red Hat-style systems):

# iptables-save > /etc/sysconfig/iptables

Now you must restart your network, as well as iptables:

# /etc/init.d/network  restart

# /etc/init.d/iptables  restart

To see if your new iptables rules have gone into effect, type iptables -L for the FORWARD rules and iptables -t nat -L for the masquerading rules, since iptables -L alone lists only the filter table.

Enabling failover routing

After you have configured your network, the next step is to enable failover routing on your Linux box, so that if the first route dies the router will automatically switch over to the next route. To do so, you'll need to add the default gateway routes provided to you by your ISPs for both your network cards:

# route add default gw dev eth0

# route add default gw dev eth1

Here, is the gateway address given by ISP1 and is the gateway address given by ISP2. Replace them with the addresses available to you. These routes disappear every time you reboot the system. To make them permanent, add the above two commands to the /etc/rc.d/rc.local file, which is run at boot time.

Also make sure that all the computers on your internal LAN have their default gateway address set to the IP address of the eth2 Ethernet interface (i.e. the LAN-side address of your failover router).

Finally, modify the /proc/sys/net/ipv4/route/gc_timeout file. This file contains a numerical value that denotes the time in seconds after which the kernel declares a route to be inactive and automatically switches to the other route if available. Open the file in any text editor and change its default value of 300 to some smaller value, say 10 or 15. Save the changes and exit. Like the default routes, a value written to /proc is lost on reboot; to make it permanent, set net.ipv4.route.gc_timeout to the same value in /etc/sysctl.conf, alongside the net.ipv4.ip_forward setting from earlier.
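The following script is an added example and not part of the original article: it checks, from captured command output, that every step of the procedure above actually took effect (both MASQUERADE rules, the DROP rule for non-LAN sources, two default gateway routes, and a reduced gc_timeout). The iptables-save and route -n output it parses is constructed inline, and the addresses in it (203.0.113.0/24, 198.51.100.0/24 and a 192.168.1.0/24 LAN) are placeholders, not the author's real ISP or LAN addresses. The function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the original article: sanity-check the
# failover router setup from captured command output. All addresses are
# constructed placeholders (RFC 5737 test ranges plus a private LAN).

WORK=$(mktemp -d)

# Constructed `iptables-save` output for a correctly configured router.
IPT_FILE="$WORK/iptables-good"
cat > "$IPT_FILE" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A FORWARD ! -s 192.168.1.0/24 -j DROP
COMMIT
EOF

# The same output with the eth1 masquerade rule missing (a common slip).
IPT_BAD_FILE="$WORK/iptables-bad"
grep -v 'eth1 -j MASQUERADE' "$IPT_FILE" > "$IPT_BAD_FILE"

# Constructed `route -n` output with both ISP default gateways installed.
ROUTE_FILE="$WORK/route"
cat > "$ROUTE_FILE" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
198.51.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 eth1
EOF

# Constructed contents of /proc/sys/net/ipv4/route/gc_timeout after editing.
GC_FILE="$WORK/gc_timeout"
echo 10 > "$GC_FILE"

# Does the NAT table masquerade traffic leaving interface $2?
has_masquerade() { grep -Fq -- "-A POSTROUTING -o $2 -j MASQUERADE" "$1"; }

# Is there a FORWARD rule dropping packets not sourced from LAN $2?
# iptables-save prints the negation as "! -s" on newer and "-s !" on
# older versions, so both spellings are accepted.
has_lan_drop() {
    grep -Fq -- "-A FORWARD ! -s $2 -j DROP" "$1" ||
    grep -Fq -- "-A FORWARD -s ! $2 -j DROP" "$1"
}

# Number of default (0.0.0.0) routes that point at a gateway (flag G).
default_route_count() {
    awk '$1 == "0.0.0.0" && index($4, "G") { n++ } END { print n + 0 }' "$1"
}

# Interfaces used by the default routes, space separated, in table order.
default_route_ifaces() {
    awk '$1 == "0.0.0.0" && index($4, "G") { printf "%s%s", sep, $NF; sep = " " }
         END { print "" }' "$1"
}

# Is the route GC timeout stored in file $1 at or below $2 seconds?
gc_timeout_at_most() { [ "$(cat "$1")" -le "$2" ]; }

# Run every check, print each failure, and return the failure count.
check_router_config() {
    ipt=$1; rt=$2; gc=$3; lan=$4; fails=0
    for dev in eth0 eth1; do
        has_masquerade "$ipt" "$dev" || { echo "missing MASQUERADE on $dev"; fails=$((fails + 1)); }
    done
    has_lan_drop "$ipt" "$lan" || { echo "missing DROP for non-LAN sources"; fails=$((fails + 1)); }
    [ "$(default_route_count "$rt")" -eq 2 ] || { echo "expected two default routes"; fails=$((fails + 1)); }
    gc_timeout_at_most "$gc" 15 || { echo "gc_timeout still too large"; fails=$((fails + 1)); }
    return $fails
}

# On the real router, feed live output instead of the constructed files:
#   iptables-save > /tmp/ipt; route -n > /tmp/rt
#   check_router_config /tmp/ipt /tmp/rt /proc/sys/net/ipv4/route/gc_timeout 192.168.1.0/24
check_router_config "$IPT_FILE" "$ROUTE_FILE" "$GC_FILE" 192.168.1.0/24 && echo "router configuration looks complete"
```

The script only reads files, so it can be run against saved output from the router without any privileges, and the exit status of check_router_config is the number of missing pieces, which makes it easy to call from a cron job that alerts when someone has flushed the rules or one of the default routes has been removed.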

Now your Linux machine is ready to serve as a failover router, automatically and quickly switching to the secondary route every time the primary route fails.
