SHOREWALL-RTRULES(5) | [FIXME: manual] | SHOREWALL-RTRULES(5) |
NAME¶
rtrules - Shorewall Routing Rules fileSYNOPSIS¶
/etc/shorewall/rtrules
DESCRIPTION¶
Entries in this file cause traffic to be routed to one of the providers listed in shorewall-providers[1](5). The columns in the file are as follows. SOURCE (Optional) - {-|[&]interface|address|interface: address}An ip address (network or host) that
matches the source IP address in a packet. May also be specified as an
interface name optionally followed by ":" and an address. If
the device lo is specified, the packet must originate from the firewall
itself.
Beginning with Shorewall 4.5.0, you may specify & interface in this
column to indicate that the source is the primary IP address of the named
interface.
DEST (Optional) - {-|address}
An ip address (network or host) that matches
the destination IP address in a packet.
If you choose to omit either SOURCE or DEST, place "-"
in that column. Note that you may not omit both SOURCE and
DEST.
PROVIDER - {provider-name|provider-number|main}
The provider to route the traffic through. May
be expressed either as the provider name or the provider number. May also be
main or 254 for the main routing table. This can be used in combination
with VPN tunnels, see example 2 below.
PRIORITY - priority
The rule's numeric priority which
determines the order in which the rules are processed. Rules with equal
priority are applied in the order in which they appear in the file.
1000-1999
MARK - {-|mark[/mask]}
Before Shorewall-generated 'MARK' rules
11000-11999
After 'MARK' rules but before
Shorewall-generated rules for ISP interfaces.
26000-26999
After ISP interface rules but before 'default'
rule.
Optional -- added in Shorewall 4.4.25. For
this rule to be applied to a packet, the packet's mark value must match the
mark when logically anded with the mask. If a mask is not
supplied, Shorewall supplies a suitable provider mask.
EXAMPLES¶
Example 1:You want all traffic coming in on eth1 to be
routed to the ISP1 provider.
Example 2:
#SOURCE DEST PROVIDER PRIORITY MASK eth1 - ISP1 1000
You use OpenVPN (routed setup /tunX) in
combination with multiple providers. In this case you have to set up a rule to
ensure that the OpenVPN traffic is routed back through the tunX interface(s)
rather than through any of the providers. 10.8.0.0/24 is the subnet chosen in
your OpenVPN configuration (server 10.8.0.0 255.255.255.0).
#SOURCE DEST PROVIDER PRIORITY MASK - 10.8.0.0/24 main 1000
FILES¶
/etc/shorewall/rtrulesSEE ALSO¶
http://shorewall.net/MultiISP.html http://shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)NOTES¶
- 1.
- shorewall-providers
06/28/2012 | [FIXME: source] |