1SHOREWALL-RTRULES(5) Configuration Files SHOREWALL-RTRULES(5)
2
3
4
6 rtrules - Shorewall Routing Rules file
7
9 /etc/shorewall[6]/rtrules
10
12 Entries in this file cause traffic to be routed to one of the providers
13 listed in shorewall-providers[1](5).
14
15 The columns in the file are as follows.
16
17 SOURCE (Optional) - {-|[&]interface|address|interface:address}
18 An ip address (network or host) that matches the source IP address
19 in a packet. May also be specified as an interface name optionally
20 followed by ":" and an address. If the device lo is specified, the
21 packet must originate from the firewall itself.
22
23 Beginning with Shorewall 4.5.0, you may specify &interface in this
24 column to indicate that the source is the primary IP address of the
25 named interface.
26
27 Beginning with Shorewall 4.6.8, you may specify a comma-separated
28 list of addresses in this column.
29
30 DEST (Optional) - {-|address}
31 An ip address (network or host) that matches the destination IP
32 address in a packet.
33
34 If you choose to omit either SOURCE or DEST, place "-" in that
35 column. Note that you may not omit both SOURCE and DEST.
36
37 Beginning with Shorewall 4.6.8, you may specify a comma-separated
38 list of addresses in this column.
39
40 PROVIDER - {provider-name|provider-number|main}
41 The provider to route the traffic through. May be expressed either
42 as the provider name or the provider number. May also be main or
43 254 for the main routing table. This can be used in combination
44 with VPN tunnels, see example 2 below.
45
46 PRIORITY - priority[!]
47 The rule's numeric priority which determines the order in which the
48 rules are processed. Rules with equal priority are applied in the
49 order in which they appear in the file.
50
51 1000-1999
52 Before Shorewall-generated 'MARK' rules
53
54 11000-11999
55 After 'MARK' rules but before Shorewall-generated rules for ISP
56 interfaces.
57
58 26000-26999
59 After ISP interface rules but before 'default' rule.
60
61 Beginning with Shorewall 5.0.2, the priority may be followed
62 optionally by an exclaimation mark ("!"). This causes the rule to
63 remain in place if the interface is disabled.
64
65 Caution
66 Be careful when using rules of the same PRIORITY as some
67 unexpected behavior can occur when multiple rules have the same
68 SOURCE. For example, in the following rules, the second rule
69 overwrites the first unless the priority in the second is
70 changed to 19001 or higher:
71
72 10.10.0.0/24 192.168.5.6 provider1 19000
73 10.10.0.0/24 - provider2 19000
74
75 MARK - {-|mark[/mask]}
76 Optional -- added in Shorewall 4.4.25. For this rule to be applied
77 to a packet, the packet's mark value must match the mark when
78 logically anded with the mask. If a mask is not supplied, Shorewall
79 supplies a suitable provider mask.
80
82 Example 1:
83 You want all traffic coming in on eth1 to be routed to the ISP1
84 provider.
85
86 #SOURCE DEST PROVIDER PRIORITY MASK
87 eth1 - ISP1 1000
88
89 IPv4 Example 2:
90 You use OpenVPN (routed setup /tunX) in combination with multiple
91 providers. In this case you have to set up a rule to ensure that
92 the OpenVPN traffic is routed back through the tunX interface(s)
93 rather than through any of the providers. 10.8.0.0/24 is the subnet
94 chosen in your OpenVPN configuration (server 10.8.0.0
95 255.255.255.0).
96
97 #SOURCE DEST PROVIDER PRIORITY MASK
98 - 10.8.0.0/24 main 1000
99
101 /etc/shorewall/rtrules
102
103 /etc/shorewall6/rtrules
104
106 http://www.shorewall.net/MultiISP.html[2]
107
108 http://www.shorewall.net/configuration_file_basics.htm#Pairs[3]
109
110 shorewall(8)
111
113 1. shorewall-providers
114 http://www.shorewall.net/manpages/shorewall-providers.html
115
116 2. http://www.shorewall.net/MultiISP.html
117 http://www.shorewall.net/MultiISP.html
118
119 3. http://www.shorewall.net/configuration_file_basics.htm#Pairs
120 http://www.shorewall.net/configuration_file_basics.htm#Pairs
121
122
123
124Configuration Files 01/17/2019 SHOREWALL-RTRULES(5)