Name

rtrules — Shorewall6 Routing Rules file

Synopsis

/etc/shorewall6/rtrules

Description

Entries in this file cause traffic to be routed to one of the providers listed in shorewall6-providers(5).

The columns in the file are as follows.

SOURCE (Optional) - {-|interface|address|interface:<address>}

An ip address (network or host) that matches the source IP address in a packet. May also be specified as an interface name optionally followed by ":" and an address. If the device lo is specified, the packet must originate from the firewall itself.

Beginning with Shorewall 4.5.0, you may specify &interface in this column to indicate that the source is the primary IP address of the named interface.

Beginning with Shorewall 4.6.8, you may specify a comma-separated list of addresses in this column.

DEST (Optional) - {-|address}

An ip address (network or host) that matches the destination IP address in a packet.

If you choose to omit either SOURCE or DEST, place "-" in that column. Note that you may not omit both SOURCE and DEST.

Beginning with Shorewall 4.6.8, you may specify a comma-separated list of addresses in this column.

PROVIDER - {provider-name|provider-number|main}

The provider to route the traffic through. May be expressed either as the provider name or the provider number. May also be main or 254 for the main routing table. This can be used in combination with VPN tunnels, see example 2 below.

PRIORITY - priority[!]

The rule's numeric priority which determines the order in which the rules are processed. Rules with equal priority are applied in the order in which they appear in the file.

1000-1999

Before Shorewall-generated 'MARK' rules

11000-11999

After 'MARK' rules but before Shorewall-generated rules for ISP interfaces.

26000-26999

After ISP interface rules but before 'default' rule.

Beginning with Shorewall 5.0.2, the priority may be followed optionally by an exclaimation mark ("!"). This causes the rule to remain in place if the interface is disabled.

Caution

Be careful when using rules of the same PRIORITY as some unexpected behavior can occur when multiple rules have the same SOURCE. For example, in the following rules, the second rule overwrites the first unless the priority in the second is changed to 19001 or higher:

2601:601:8b00:bf0::/64 2001:470:b:787::542 provider1 19000
2601:601:8b00:bf0::/64 -                   provider2 19000
MARK - {-|mark[/mask]}

Optional -- added in Shorewall 4.4.25. For this rule to be applied to a packet, the packet's mark value must match the mark when logically anded with the mask. If a mask is not supplied, Shorewall supplies a suitable provider mask.

Examples

Example 1:

You want all traffic coming in on eth1 to be routed to the ISP1 provider.

        #SOURCE                 DEST            PROVIDER        PRIORITY    MASK
        eth1                    -               ISP1            1000

FILES

/etc/shorewall6/rtrules

See ALSO

http://www.shorewall.net/MultiISP.html

shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)

Documentation


Frequently Used Articles

- FAQs - IPv4 Manpages - IPv6 Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.4/4.5/4.6 Documentation

Shorewall 4.0/4.2 Documentation


Shorewall 5.0 HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Docker - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages (IPv4) (IPv6) - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page