{"id":4289,"date":"2022-12-20T17:48:53","date_gmt":"2022-12-20T20:48:53","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/shorewallrtrules-man5\/"},"modified":"2022-12-20T17:48:53","modified_gmt":"2022-12-20T20:48:53","slug":"shorewallrtrules-man5","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/shorewallrtrules-man5\/","title":{"rendered":"SHOREWALL−RTRULES (man5)"},"content":{"rendered":"

SHOREWALL\u2212RTRULES<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
EXAMPLES<\/a>
FILES<\/a>
SEE ALSO<\/a>
NOTES<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

rtrules \u2212 Shorewall Routing Rules file<\/p>\n

SYNOPSIS <\/a> <\/h2>\n\n\n
<\/td>\n\n

\/etc\/shorewall[6]\/rtrules<\/b><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

DESCRIPTION <\/a> <\/h2>\n

Entries in this file cause traffic to be routed to one of the providers listed in shorewall\u2212providers<\/font><\/b> [1]<\/font><\/small> (5).<\/font><\/p>\n

The columns in the file are as follows.<\/font><\/p>\n

SOURCE<\/b> (Optional) \u2212 {\u2212<\/b>|[&]interface<\/i>|address<\/i>|interface<\/i>:address<\/i>}<\/font><\/p>\n

An ip address<\/i> (network or host) that matches the source IP address in a packet. May also be specified as an interface<\/i> name optionally followed by “:” and an address. If the device lo<\/b> is specified, the packet must originate from the firewall itself.<\/font><\/p>\n

Beginning with Shorewall 4.5.0, you may specify &interface<\/i> in this column to indicate that the source is the primary IP address of the named interface.<\/font><\/p>\n

Beginning with Shorewall 4.6.8, you may specify a comma\u2212separated list of addresses in this column.<\/font><\/p>\n

DEST<\/b> (Optional) \u2212 {\u2212<\/b>|address<\/i>}<\/font><\/p>\n

An ip address (network or host) that matches the destination IP address in a packet.<\/font><\/p>\n

If you choose to omit either SOURCE<\/b> or DEST<\/b>, place “\u2212” in that column. Note that you may not omit both SOURCE<\/b> and DEST<\/b>.<\/font><\/p>\n

Beginning with Shorewall 4.6.8, you may specify a comma\u2212separated list of addresses in this column.<\/font><\/p>\n

PROVIDER<\/b> \u2212 {provider\u2212name<\/i>|provider\u2212number<\/i>|main<\/b>}<\/font><\/p>\n

The provider to route the traffic through. May be expressed either as the provider name or the provider number. May also be main<\/b> or 254 for the main routing table. This can be used in combination with VPN tunnels, see example 2 below.<\/font><\/p>\n

PRIORITY<\/b> \u2212 priority<\/i>[!]<\/b><\/font><\/p>\n

The rule’s numeric priority<\/i> which determines the order in which the rules are processed. Rules with equal priority are applied in the order in which they appear in the file.<\/font><\/p>\n

1000\u22121999<\/font><\/p>\n

Before Shorewall\u2212generated ‘MARK’ rules<\/font><\/p>\n

11000\u221211999<\/font><\/p>\n

After ‘MARK’ rules but before Shorewall\u2212generated rules for ISP interfaces.<\/font><\/p>\n

26000\u221226999<\/font><\/p>\n

After ISP interface rules but before ‘default’ rule.<\/font><\/p>\n

Beginning with Shorewall 5.0.2, the priority may be followed optionally by an exclaimation mark (“!”). This causes the rule to remain in place if the interface is disabled.<\/font><\/p>\n

Caution<\/big><\/b>
Be careful when using rules of the same PRIORITY as some unexpected behavior can occur when multiple rules have the same SOURCE. For example, in the following rules, the second rule overwrites the first unless the priority in the second is changed to 19001 or higher:<\/font><\/p>\n

10.10.0.0\/24 192.168.5.6 provider1 19000
10.10.0.0\/24 \u2212 provider2 19000<\/font><\/p>\n

MARK \u2212 {\u2212|<\/big><\/b>mark<\/i>[\/<\/b>mask<\/i>]}<\/b><\/big><\/font><\/p>\n

Optional \u2212\u2212 added in Shorewall 4.4.25. For this rule to be applied to a packet, the packet’s mark value must match the mark<\/i> when logically anded with the mask<\/i>. If a mask<\/i> is not supplied, Shorewall supplies a suitable provider mask.<\/big><\/font><\/p>\n

EXAMPLES <\/a> <\/h2>\n

Example 1:<\/big><\/font><\/p>\n

You want all traffic coming in on eth1 to be routed to the ISP1 provider.<\/big><\/font><\/p>\n

#SOURCE DEST PROVIDER PRIORITY MASK
eth1 \u2212 ISP1 1000<\/big><\/font><\/p>\n

IPv4 Example 2:<\/big><\/font><\/p>\n

You use OpenVPN (routed setup \/tunX) in combination with multiple providers. In this case you have to set up a rule to ensure that the OpenVPN traffic is routed back through the tunX interface(s) rather than through any of the providers. 10.8.0.0\/24 is the subnet chosen in your OpenVPN configuration (server 10.8.0.0 255.255.255.0).<\/big><\/font><\/p>\n

#SOURCE DEST PROVIDER PRIORITY MASK
\u2212 10.8.0.0\/24 main 1000<\/big><\/font><\/p>\n

FILES <\/a> <\/h2>\n

\/etc\/shorewall\/rtrules<\/big><\/font><\/p>\n

\/etc\/shorewall6\/rtrules<\/big><\/font><\/p>\n

SEE ALSO <\/a> <\/h2>\n

https:\/\/shorewall.org\/MultiISP.html<\/font><\/b><\/big> [2]<\/font><\/p>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/big><\/b> [3]<\/font><\/p>\n

shorewall(8)<\/big><\/font><\/p>\n

NOTES <\/a> <\/h2>\n\n\n
<\/td>\n\n

1.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-providers<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-providers.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

2.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/MultiISP.html<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/MultiISP.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

3.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/big><\/font><\/p>\n<\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/big><\/font><\/p>\n

\n","protected":false},"excerpt":{"rendered":"

rtrules \u2212 Shorewall Routing Rules file <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[959],"tags":[961,1291,1309],"class_list":["post-4289","post","type-post","status-publish","format-standard","hentry","category-5-formatos-de-ficheros","tag-961","tag-man5","tag-shorewall-rtrules"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=4289"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4289\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=4289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=4289"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=4289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}