File: 21.html

package info (click to toggle)
lg-issue36 2-4
links: PTS
area: main
in suites: woody
size: 2,920 kB
ctags: 242
sloc: makefile: 36; sh: 4
file content (668 lines) | stat: -rw-r--r-- 24,753 bytes
parent folder | download | duplicates (2)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.1G.e">
<TITLE>The Answer Guy 36: 
Linux as Router and Proxy Server: HOWTO?
</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
	LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H4>"The Linux Gazette...<I>making Linux just a little more fun!</I>"</H4>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
	<img src="../../gx/dennis/qbubble.gif" alt="(?)" border="0" align="middle">
	<font color="#B03060">The Answer Guy</font>
	<img src="../../gx/dennis/bbubble.gif" alt="(!)" border="0" align="middle">
</A></H1> 
<BR>
<H4>By James T. Dennis,
	<a href="mailto:answerguy@ssc.com">answerguy@ssc.com</a><BR>
	Starshine Technical Services,
	<A HREF="http://www.starshine.org/">http://www.starshine.org/</A> 
</H4>
</center>

<p><hr><p>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<!-- begin 21 -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif" height="50" width="60"
	  alt="(?) " border="0">
Linux as Router and Proxy Server: HOWTO?
</H3>

<p><strong>From kdeshpande on Sat, 05 Dec 1998  
</strong></p>
<!-- ::
Linux as Router and Proxy Server: HOWTO?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:: -->

<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
we want to setup linux server as a proxy server with two ethernet cards.
kindly guide me for installtion process.
</STRONG></P>
<P><STRONG>
i am ms win 95 user and does not know any thing about unix <TT>/</TT> linus
pl. reply on [another mail address].
</STRONG></P>
<P><STRONG>

</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" alt="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
You'll want to start with the &quot;Linux Installation and Getting
Started.&quot;  That's an LDP guide that's often included with
Linux distributions in the <TT>/usr/doc</TT> directory and is
available on-line at any mirror of the LDP.   That covers the
basics of Linux (although it is getting a bit long in the tooth).
</BLOCKQUOTE>
<BLOCKQUOTE>
Configuring a proxy server and router is a fairly advanced
process and will involve a considerable understanding
of Unix and of TCP/IP concepts.  It sounds like your
skills in English may make some of my explanation inaccessible
to you.   Hopefully the guide to routing that I've also
written for this month's LG article (should appear for the
January 1999 issue) will help.
</BLOCKQUOTE>
<BLOCKQUOTE>
There are a couple of other HOW-TO documents written
on using Linux as a "Firewall" (proxies are often a
component in a firewall).  Many of these have been
translated into various languages.  You'll want to see if
there's one in your native language.
</BLOCKQUOTE>
<BLOCKQUOTE>
Personally I'd suggest that you get a consultant to come
in and configure it for you.  That is likely to be far easier
and less of a hassle than trying to do it yourself.
</BLOCKQUOTE>
<BLOCKQUOTE>
Now, with all of those disclaimers out of the way here's
a simple configuration:
</BLOCKQUOTE>

<blockquote><pre>
                                    _________
		192.168.1.x  -------| proxy |------ the Internet
                                    ^^^^^^^^^
</pre></blockquote>
<BLOCKQUOTE>
In order to have a proxy system, you have to have a
"multi-homed host" (a system with two interfaces in it).
</BLOCKQUOTE>
<BLOCKQUOTE>
In this case you've specified that you want to have two
ethernet cards.  So, first you install those.  Be sure
to set their IRQ's and I/O base address settings to
non-conflicting values.  The exact process varies greatly
from one card to another.  With the 3c5x9 and 3c900 cards
you use a program to set them (3C5X9CFG.EXE under MS-DOS,
or the appropriate utility that was written for Linux ---
I found a copy at the VAResearch ftp site: 
<a href="ftp://ftp.varesearch.com"
	>ftp.varesearch.com</a>
under a relatively obvious name).
</BLOCKQUOTE>
<BLOCKQUOTE>
Let's say that you have one of them set to IRQ 10, I/O 300
and the other set to IRQ 11, I/O 330  (make sure that these
don't conflict with any SCSI, sound or other cards that you have
installed).  Typically you'll also want to disable any "Plug &amp;
Play" support on your motherboard since these features may
change the settings on your ethernet card while you boot, causing
you no end of consternation later.
</BLOCKQUOTE>
<BLOCKQUOTE>
You'll also have to make sure that the appropriate driver is linked 
into your kernel, or that you've built the appropriate modules.
</BLOCKQUOTE>
<BLOCKQUOTE>
It is also common for the Linux kernel to require that you
provide it with a hint that there are multiple ethernet
cards to initialize.  You just provide the kernel with a
boot parameter (read the 'bootparam(7)' man page and/or
the &quot;Boot Parameter HOWTO&quot; for details).  The HOWTO
has an example at:
</BLOCKQUOTE>
<BLOCKQUOTE>
<BLOCKQUOTE>
<CODE>
<A HREF="http://metalab.unc.edu/LDP/HOWTO/BootPrompt-HOWTO-7.html#ss7.1"
	>http://metalab.unc.edu/LDP/HOWTO/BootPrompt-HOWTO-7.html#ss7.1</A>
</CODE> </BLOCKQUOTE> </BLOCKQUOTE>
<BLOCKQUOTE>
... showing the command case using:
</BLOCKQUOTE>
<BLOCKQUOTE> <BLOCKQUOTE> <CODE>
ether=0,0,ether1
</CODE> </BLOCKQUOTE> </BLOCKQUOTE>

<BLOCKQUOTE>
... (no spaces --- and don't change the case of any
letters).
</BLOCKQUOTE>
<BLOCKQUOTE>
This option is passed to the kernel by typing it in at
the LILO boot prompt, or adding an append directive
to your <TT>/etc/lilo.conf</TT> like:
</BLOCKQUOTE>
<BLOCKQUOTE> <BLOCKQUOTE> <CODE>
append="ether=0,0,ether1"
</CODE> </BLOCKQUOTE> </BLOCKQUOTE>
<BLOCKQUOTE>
...(the double quotes are required).
</BLOCKQUOTE>
<BLOCKQUOTE>
This option forces the kernel to look for a second ethernet
adapter (the first ethernet adapter is labelled as '<tt>ether0</tt>'
and will normally be detected automatically).  The <tt>0,0</tt>
forces it to search for the IRQ and I/O base addresses
automatically.  If that's not successful, or you want to
be conservative, you can just provide the information manually.
</BLOCKQUOTE>
<BLOCKQUOTE>
This is extensively documented in the &quot;Ethernet HOWTO&quot; at:
</BLOCKQUOTE>
<BLOCKQUOTE> <BLOCKQUOTE> <CODE>
<A HREF="http://metalab.unc.edu/LDP/HOWTO/Ethernet-HOWTO-10.html#ss10.1"
	>http://metalab.unc.edu/LDP/HOWTO/Ethernet-HOWTO-10.html#ss10.1</A>
</CODE> </BLOCKQUOTE> </BLOCKQUOTE>

<BLOCKQUOTE>
You should see boot time message indicated that the
ethernet cards have been found.  You can use the
'dmesg' command to review those after the system is finished
booting and you've logged in.
</BLOCKQUOTE>
<BLOCKQUOTE>
The last step in the hardware/driver layer is to issue
'<tt>ifconfig</tt>' command for each of these interfaces.
</BLOCKQUOTE>
<BLOCKQUOTE>
Let's say your ISP router (cable modem, ISDN or DSL
gizmo, whatever) is using address 172.17.100.1 on
your ethernet (that's a private net address from RFC1918
--- but let's pretend is was your real address).
</BLOCKQUOTE>
<BLOCKQUOTE>
Let's fill in our diagram a bit more:
</BLOCKQUOTE>

<blockquote><pre>
                              _________      __________
          192.168.1.x  -------| proxy |------| router | -- Internet
                              ^^^^^^^^^      ^^^^^^^^^^
                            eth0     eth1    ^-------- 172.17.100.1
                       192.168.1.1   172.17.100.2

</pre></blockquote>
<BLOCKQUOTE>
Here we see a private network (all of <tt>192.168.1.*</tt>), our
proxy servier with two ethernet interfaces, with <tt>eth0</tt>
on our "inside LAN" (taking up the conventional <tt>.1</tt> address
for a router --- it is the router to the outside/perimeter
segment.  <tt>eth1</tt> is the proxy host's interface on the
"perimeter" or "exposed" segment (outside of our LAN).
</BLOCKQUOTE>
<BLOCKQUOTE>
There is a small perimeter segment in this case.  In many
organizations it will be populated with web servers, DNS and
mail servers and other systems that are intended to be
publicly visible.
</BLOCKQUOTE>
<BLOCKQUOTE>
Obviously each of the systems that are shown on this
segment (the proxy and the router) need their own IP
address.  I've assigned 172...2 to the proxy since I
said that 172...1 was the border router's inside
address.  The border router would also have some sort
of link (usually a point-to-point (PPP) link over a
modem, ISDN, frame relay FRAD, CSU/DSU codec, DSL
ATM or other device --- the telephony is not my
specialty they hand me a "black box" and I plug
the wires into the little tabs where they fit).
</BLOCKQUOTE>
<BLOCKQUOTE>
For our example we don't care what the IP addresses
over the PPP link are.  all we care about is that
our ISP gets packets to and from the 172...* network or
subnet.  They have to have routes to us.
</BLOCKQUOTE>
<BLOCKQUOTE>
This example will work with any subnet mask --- we'll
assume that we have a whole class C range, from <tt>172.17.100.1</tt>
through <tt>172.17.100.254</tt> for simplicity's sake (read all
about subnetting and proxyarp for gory details on those scenarios).
</BLOCKQUOTE>
<BLOCKQUOTE>
So, on our Linux proxy server we use the following commands
to configure our interfaces:
</BLOCKQUOTE>

<BLOCKQUOTE> <BLOCKQUOTE> <CODE>
    ifconfig eth0 192.168.1.1  netmask 255.255.255.0
<br>ifconfig eth1 172.17.100.2 netmask 255.255.255.0
</CODE> </BLOCKQUOTE> </BLOCKQUOTE>

<BLOCKQUOTE>
... we could leave the netmask option off the first
command since it will default to this mask due to the
address class.  With most modern ISP's we'll have to
use some other netmask for the second case --- unless
we're paying for a whole Class C block.  We might need
to anyway (our ISP might have a Class B address block
and be subnetting it into Class C chunks).  We'll just
assume that we need it on both of them.
</BLOCKQUOTE>
<BLOCKQUOTE>
We can optionally specify the broadcast addresses for these
--- however it shouldn't be necessary if we're following
normal conventions.  It will default to the last valid
number in the address range  (<tt>192.168.1.255</tt> for the
first case and <tt>172.17.100.255</tt> in the other).
</BLOCKQUOTE>

<BLOCKQUOTE><ul>
 <li>(If we'd had a netmask of 255.255.255.240
in the first case then our broadcast
address would be 172.17.100.15, if our
addresses had been 172...33 and 172...34
with that netmask our broadcast would
have been 172...47 --- again these are
just examples; the explanation is a bit
involved.)
</ul></BLOCKQUOTE>

<BLOCKQUOTE>
So we have IP addresses on each interface.  Now
we need routes.  In the newer 2.1.x kernels (and presumably
in the 2.2 kernels and later) the '<tt>ifconfig</tt>' operation
automatically results in an addition to the routing table.
This is more like the way Solaris works.  Under earlier
kernels you have to add routes with commands like:
</BLOCKQUOTE>

<BLOCKQUOTE> <BLOCKQUOTE> <CODE>
route add -net 192.168.1.0 eth0
<br>route add -net 172.17.100.0 eth1
</CODE> </BLOCKQUOTE> </BLOCKQUOTE>

<BLOCKQUOTE>
... this defines routes to the two local segments
(one on the inside, and one on the outside).  Again,
newer kernels may not require this entry.
</BLOCKQUOTE>
<BLOCKQUOTE>
Now, for our proxy to reach the Internet we'll have
to set a "default route" like:
</BLOCKQUOTE>
<BLOCKQUOTE> <BLOCKQUOTE> <CODE>
route add default gw 172.17.100.1
</CODE> </BLOCKQUOTE> </BLOCKQUOTE>

<BLOCKQUOTE>
If we have other networks that must be accessed
through our LAN (something like a <tt>10.*.*.*</tt> network
in the back office or for our server room) we may
also want to add other "static" routes to this
list.  Let's say that <tt>192.168.1.17</tt> was a router between
our desktop LAN and our 10-net server segment.  We'd
add a command like:
</BLOCKQUOTE>
<BLOCKQUOTE> <BLOCKQUOTE> <CODE>
route add 10.0.0.0 gw 192.168.1.17
</CODE> </BLOCKQUOTE> </BLOCKQUOTE>

<BLOCKQUOTE>
Notice that we are <EM>not</EM> forwarding packets
between our interior LAN and the outside world.  If we
did the routers on the Internet will not have any valid
routes back to us (that's what these <tt>192.168.*.*</tt> and
<tt>10.*.*.*</tt> addresses are all about.  Read RFC 1918 for
details on that).  <tt>172.16.*.*</tt> through <tt>172.31.*.*</tt> 
addresses (16 Class B blocks) are also reserved for this use ---
but we're "pretending" that <tt>172.17.100.*</tt> is a "real address"
for these examples.
</BLOCKQUOTE>
<BLOCKQUOTE>
So now we need to enable our interior systems to
access the outside world.  We can use IP Masquerading
and/or proxying to accomplish this.  Masquerading is
a bit easier than proxying under Linux since the
support is compiled into most kernels.
</BLOCKQUOTE>
<BLOCKQUOTE>
Masquerading is a process by which we make a group
of systems (our internal clients) look like one
very busy system (our proxy).  We do this by re-writing
the "source" addresses on each package as we route it
--- and by patching the TCP port numbers.
</BLOCKQUOTE>
<BLOCKQUOTE>
TCP "port" numbers allow a host to determine which
process on a system is to receive a given packet.
This is why two users on one system can telnet to
another system without there being ambiguity.
</BLOCKQUOTE>
<BLOCKQUOTE>
Using masquerading all of the connections that are
being handled at any given modem essentially look
like "processes" or "sockets" on the proxy server.
</BLOCKQUOTE>
<BLOCKQUOTE>
Thus IP masquerading is "network layer proxying."
</BLOCKQUOTE>
<BLOCKQUOTE>
Do do this under Linux 2.0.x and earlier (back to the
1.3.x series) we could simply use a command like:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><CODE>
ipfwadm -F -m -a accept -S 192.168.0.0/16 -D 0.0.0.0/0
</CODE></BLOCKQUOTE></BLOCKQUOTE>

<BLOCKQUOTE>
... which adds (<tt>-a</tt>) a masquerading (<tt>-m</tt>) 
rule to accept packets from any source address matching 
<tt>192.168.*.*</tt> (16 bits of the address are the 
"network part" --- that's equivalent to a netmask of 
<tt>255.255.0.0</tt>) and whose destination is "anywhere."  
This rule must be added to the "forwarding" (<tt>-F</tt>) 
set of packet filters.
</BLOCKQUOTE>
<BLOCKQUOTE>
The Linux 2.0.x IP packet filtering subsystem (kernel
features)  maintain four sets of rules (tables):
Accounting, Input, Forwarding, Output
</BLOCKQUOTE>
<BLOCKQUOTE>
... we only care about the "forwarding" rule in this case.
</BLOCKQUOTE>
<BLOCKQUOTE>
With all recent Linux kernels we also have to issue
a command like:
</BLOCKQUOTE>
<BLOCKQUOTE> <BLOCKQUOTE> <CODE>
echo 1 &gt; <TT>/proc/sys/net/ipv4/ip_forward</TT>
</CODE> </BLOCKQUOTE> </BLOCKQUOTE>

<BLOCKQUOTE>
... to enable the kernel's forwarding code.  These kernels
default to ignoring packets that aren't destined to
them for security reasons (this and a TCP/IP "option"
called "source routing" have been used to trick systems
into providing inappropriate access to systems --- so it is
better for systems to leave these features disabled by
default).  Older versions of Unix and Linux were more
"promiscuous" -- they would forward any packet that
"landed on them" so long as the could find a valid route.
</BLOCKQUOTE>
<BLOCKQUOTE>
Lastly we'd just configure our client systems with
IP addresses in the range <tt>192.168.1.2</tt> through 192...254
and cofigure them to treat 192.168.1 as <EM>their</EM> default
route.  Packets will get to the proxy from any of these,
be re-written to look like they came from some socket
on the 172...2 interface and forwarded out to the
Internet.  Returning packets will come in on the socket
which will provide the kernel with an index into a table
that stores the <tt>192.168.*.*</tt> owner of this connection,
and the return packet will be re-written and forwarded
accordingly (back into the internal network).
</BLOCKQUOTE>
<BLOCKQUOTE>
That's how masquerading works.
</BLOCKQUOTE>
<BLOCKQUOTE>
Applications layer proxying is actually a bit easier than
this.  You install packages like SOCKS, Delegate, the FWTK
(firewall toolkit), and a Squid or 
<A HREF="http://www.apache.org/">Apache</A> caching web server
unto the proxy system.  These listen for connections on the
inside interface (<tt>192.168.1.1</tt>).  Proxy aware software (or
users) on the internal system direct their connections to
the proxy server (on port 1080 for SOCKS and Delegate)
and then relay the real destination address and service
to the proxy server.  The proxy server, in turn, opens
up its own connection to the intended server, makes the
requests (according to the type of service requested, and
relays the information back to the client).
</BLOCKQUOTE>
<BLOCKQUOTE>
In addition to the basically relaying a good proxy server
can provide caching (some multiple requests for the
same static resource are handled locally --- saving
time and conserving bandwidthy), additional logging
(so big brother can tell who's been bad), and can
enforce various access control policies (no FTP to
popular mirror sites in the middle of the day, all users
must be Kerberos authenticated in order to access
the Internet, whatever).
</BLOCKQUOTE>
<BLOCKQUOTE>
The main disadvantage to applications layer proxying is
that the proxy clients must be "socksified" or proxy
aware.  Either that, or with some of them (FWTK and
optionally DeleGate) the user of a normal client
(such as FTP) can manually connect to the proxy server
and use some special command (login sequence) to
provide the proxy with the information about the real
destination and user/account info.  (Almost needless
to say that a compromised proxy host is a great
place to put password grabbing trojan horses!)
</BLOCKQUOTE>
<BLOCKQUOTE>
However, one of the major advantages of the proxy
system is that it can support strange protocols
--- like "active FTP" which involves two co-ordinated
IP connections, one outbound control connection and
one inbound data channel.  There are other protocols
that connection pass information "in band" and make
masquerading more difficult and sometimes unreliable.
</BLOCKQUOTE>
<BLOCKQUOTE>
It's possible to use both, even concurrently with
just one host acting in both roles.
</BLOCKQUOTE>
<BLOCKQUOTE>
So far my favorite applications proxy package is
&quot;DeleGate&quot; by Yutaka Sato, of the Electrotechnical
Laboratory (ETL) in Japan.  You can find it at:
</BLOCKQUOTE>
<BLOCKQUOTE> <BLOCKQUOTE> <CODE>
<A HREF="http://wall.etl.go.jp/delegate">http://wall.etl.go.jp/delegate</A>
</CODE> </BLOCKQUOTE> </BLOCKQUOTE>

<BLOCKQUOTE>
... it's easy to compile and configure and it's
available under a very liberal license (very BSD'ish
but less wordy).
</BLOCKQUOTE>
<BLOCKQUOTE>
DeleGate can be used as a SOCKS compatible server
(i.e. SOCKSified client software will work with
DeleGate); and it can be "manually operated" as
well.
</BLOCKQUOTE>
<BLOCKQUOTE>
My only complaint about DeleGate is that the
English documentation can be a bit sparse (and my
paltry studies of Japanese are nowhere near the task
of reading the native docs).
</BLOCKQUOTE>
<BLOCKQUOTE>
The easiest way to install SOCKS clients on your
Linux systems is to just grab the RPM's from any
<A HREF="http://www.redhat.com/">Red Hat</A> "contrib" 
mirror.  That's also the easiest
way to install a SOCKS server.
</BLOCKQUOTE>
<BLOCKQUOTE>
To configure the clients for use with the SOCKS5
libraries you have to create a file, <TT>/etc/libsocks5.conf</TT>,
to contain something like:
</BLOCKQUOTE>

<blockquote><pre>socks5          -       -       -            -          192.168.1.1
noproxy         -       192.168.1.           -
</pre></blockquote>
<BLOCKQUOTE>
... note that the "noproxy" line ends with a "<tt>.</tt>" to
specify that this apples to the whole <tt>192.168.1.*</tt> address range.
</BLOCKQUOTE>
<BLOCKQUOTE>
configuring the socks server you need to create a
file, <TT>/etc/socks5.conf</TT> and put it at least something like:
</BLOCKQUOTE>

<blockquote><pre>route   192.168.1.      -       eth1
permit  -       -       -       -       -       -
</pre></blockquote>
<BLOCKQUOTE>
... and you might have to change that inferface
for our example (I don't remember but I think it's
"destination addresses and <EM>target</EM> interface).
</BLOCKQUOTE>
<BLOCKQUOTE>
Naturally the docs on these are abysmal.  However,
I did eventually get this setup working when I
last tried it.
</BLOCKQUOTE>

<!-- sig -->

<!-- end 21 -->
<!--startcut ======================================================= -->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/ssc.copying.html"
        >Copyright &copy;</a> 1999, James T. Dennis
<BR>Published in <I>The Linux Gazette</I> Issue 36 January 1999</H5>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<P align="center">
<table width="98%"><tr valign="center" align="center">
<td rowspan="3" colspan="6"><A HREF="../lg_answer36.html"><IMG
        SRC="../../gx/dennis/answernew.gif"
        ALT="[ Answer Guy Index ]"></A></td>
  <TD><A HREF="./a.html">a</A></TD>
  <TD><A HREF="./b.html">b</A></TD>
  <TD><A HREF="./c.html">c</A></TD>
  <TD><A HREF="./1.html">1</A></TD>
  <TD><A HREF="./2.html">2</A></TD>

  <TD><A HREF="./3.html">3</A></TD>
  <TD><A HREF="./4.html">4</A></TD>
  <TD><A HREF="./5.html">5</A></TD>
  <TD><A HREF="./6.html">6</A></TD>
  <TD><A HREF="./7.html">7</A></TD>

  <TD><A HREF="./9.html">9</A></TD>
  <TD><A HREF="./10.html">10</A></TD>
  <TD><A HREF="./11.html">11</A></TD>
  <TD><A HREF="./12.html">12</A></TD>

</tr><tr valign="center" align="center">
  <TD><A HREF="./15.html">15</A></TD>
  <TD><A HREF="./16.html">16</A></TD>
  <TD><A HREF="./18.html">18</A></TD>
  <TD><A HREF="./19.html">19</A></TD>

  <TD><A HREF="./20.html">20</A></TD>
  <TD><A HREF="./21.html">21</A></TD>
  <TD><A HREF="./22.html">22</A></TD>
  <TD><A HREF="./23.html">23</A></TD>
  <TD><A HREF="./24.html">24</A></TD>

  <TD><A HREF="./25.html">25</A></TD>
  <TD><A HREF="./26.html">26</A></TD>
  <TD><A HREF="./27.html">27</A></TD>
  <TD><A HREF="./28.html">28</A></TD>

</tr><tr valign="center" align="center">
  <TD><A HREF="./29.html">29</A></TD>
  <TD><A HREF="./31.html">31</A></TD>
  <TD><A HREF="./32.html">32</A></TD>
  <TD><A HREF="./33.html">33</A></TD>
  <TD><A HREF="./34.html">34</A></TD>

  <TD><A HREF="./35.html">35</A></TD>
  <TD><A HREF="./36.html">36</A></TD>
  <TD><A HREF="./37.html">37</A></TD>
  <TD><A HREF="./38.html">38</A></TD>
  <TD><A HREF="./39.html">39</A></TD>

  <TD><A HREF="./40.html">40</A></TD>
  <TD><A HREF="./41.html">41</A></TD>
  <TD><A HREF="./42.html">42</A></TD>
  <TD><A HREF="./44.html">44</A></TD>

</tr><tr valign="center" align="center">
  <TD><A HREF="./45.html">45</A></TD>
  <TD><A HREF="./46.html">46</A></TD>
  <TD><A HREF="./47.html">47</A></TD>
  <TD><A HREF="./48.html">48</A></TD>
  <TD><A HREF="./49.html">49</A></TD>
  <TD><A HREF="./50.html">50</A></TD>

  <TD><A HREF="./51.html">51</A></TD>
  <TD><A HREF="./52.html">52</A></TD>
  <TD><A HREF="./53.html">53</A></TD>
  <TD><A HREF="./54.html">54</A></TD>
  <TD><A HREF="./55.html">55</A></TD>

  <TD><A HREF="./56.html">56</A></TD>
  <TD><A HREF="./57.html">57</A></TD>
  <TD><A HREF="./60.html">60</A></TD>
  <TD><A HREF="./61.html">61</A></TD>
  <TD><A HREF="./62.html">62</A></TD>

  <TD><A HREF="./63.html">63</A></TD>
  <TD><A HREF="./64.html">64</A></TD>
  <TD><A HREF="./65.html">65</A></TD>
  <TD><A HREF="./66.html">66</A></TD>

</tr><tr valign="center" align="center">
  <TD><A HREF="./67.html">67</A></TD>
  <TD><A HREF="./69.html">69</A></TD>
  <TD><A HREF="./72.html">72</A></TD>
  <TD><A HREF="./76.html">76</A></TD>
  <TD><A HREF="./77.html">77</A></TD>
  <TD><A HREF="./78.html">78</A></TD>

  <TD><A HREF="./79.html">79</A></TD>
  <TD><A HREF="./80.html">80</A></TD>
  <TD><A HREF="./81.html">81</A></TD>
  <TD><A HREF="./82.html">82</A></TD>
  <TD><A HREF="./84.html">84</A></TD>

  <TD><A HREF="./85.html">85</A></TD>
  <TD><A HREF="./86.html">86</A></TD>
  <TD><A HREF="./87.html">87</A></TD>
  <TD><A HREF="./91.html">91</A></TD>
  <TD><A HREF="./94.html">94</A></TD>

  <TD><A HREF="./95.html">95</A></TD>
  <TD><A HREF="./96.html">96</A></TD>
  <TD><A HREF="./97.html">97</A></TD>
  <TD><A HREF="./98.html">98</A></TD>
</tr></table>
	</P>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<A HREF="../lg_toc36.html"
        ><IMG SRC="../../gx/indexnew.gif" ALT="[ Table Of Contents ]"></A>
<A HREF="../../index.html"
        ><IMG SRC="../../gx/homenew.gif" ALT="[ Front Page ]"></A>
<A HREF="../lg_bytes36.html"
        ><IMG SRC="../../gx/back2.gif" ALT="[ Previous Section ]"></A>
<A HREF="../larriera.html"
        ><IMG SRC="../../gx/fwd.gif" ALT="[ Next Section ]"></A>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
</BODY></HTML>
<!--endcut ========================================================= -->