#
# Shorewall version 3.2 - Tcrules File
#
# /etc/shorewall/tcrules
#
#	Entries in this file cause packets to be marked as a means of
#	classifying them for traffic control or policy routing.
#
#	I M P O R T A N T ! ! ! !
#
#	Unlike rules in the /etc/shorewall/rules file, evaluation
#	of rules in this file will continue after a match. So the
#	final mark for each packet will be the one assigned by the
#	LAST tcrule that matches.
#
#	If you use multiple internet providers with the 'track' option
#	in /etc/shorewall/providers, be sure to read the restrictions at
#	http://shorewall.net/Shorewall_and_Routing.html.
#
# Columns are:
#
#
#	MARK/		a) A mark value which is an integer in the range 1-255
#	CLASSIFY
#			   May optionally be followed by ":P" or ":F"
#			   where ":P" indicates that marking should occur in
#			   the PREROUTING chain and ":F" indicates that marking
#			   should occur in the FORWARD chain. If neither
#			   ":P" nor ":F" follows the mark value then the chain
#			   is determined by the setting of
#			   MARK_IN_FORWARD_CHAIN in
#			   /etc/shorewall/shorewall.conf.
#
#			   If your kernel and iptables include CONNMARK support
#			   then you can also mark the connection rather than
#			   the packet.
#
#			   The mark value may be optionally followed by "/"
#			   and a mask value (used to determine those bits of
#			   the connection mark to actually be set). The
#			   mark and optional mask are then followed by one of:
#
#				C  - Mark the connection in the chain determined
#				     by the setting of MARK_IN_FORWARD_CHAIN
#
#				CF - Mark the connection in the FORWARD chain
#
#				CP - Mark the connection in the PREROUTING
#				     chain.
#
#			b) A classification (classid) of the form
#			   <major>:<minor> where <major> and <minor> are
#			   integers. Corresponds to the 'class' specification
#			   in these traffic shaping modules:
#
#				- atm
#				- cbq
#				- dsmark
#				- pfifo_fast
#				- htb
#				- prio
#
#			   Classify always occurs in the POSTROUTING chain.
#
#			c) RESTORE[/mask] -- restore the packet's mark from the
#			   connection's mark using the supplied mask if any.
#			   Your kernel and iptables must include CONNMARK
#			   support.
#
#			   As in a) above, may be followed by ":P" or ":F".
#
#			d) SAVE[/mask] -- save the packet's mark to the
#			   connection's mark using the supplied mask if any.
#			   Your kernel and iptables must include CONNMARK
#			   support.
#
#			   As in a) above, may be followed by ":P" or ":F".
#
#			e) CONTINUE -- don't process any more marking rules in
#			   the table.
#
#			   As in a) above, may be followed by ":P" or ":F".
#
#	SOURCE		Source of the packet. A comma-separated list of
#			interface names, IP addresses, MAC addresses and/or
#			subnets for packets being routed through a common path.
#			For example, all packets for connections masqueraded to
#			eth0 from other interfaces can be matched in a single rule
#			with several alternative SOURCE criteria. However, a
#			connection whose packets get to eth0 in a different way,
#			e.g., direct from the firewall itself, needs a different
#			rule.
#
#			Accordingly, use $FW in its own separate rule for packets
#			originating on the firewall. In such a rule, the MARK
#			column may NOT specify either ":P" or ":F" because marking
#			for firewall-originated packets always occurs in the OUTPUT
#			chain.
#
#			MAC addresses must be prefixed with "~" and use
#			"-" as a separator.
#
#			Example: ~00-A0-C9-15-39-78
#
#	DEST		Destination of the packet. A comma-separated list of
#			IP addresses and/or subnets. If your kernel and
#			iptables include iprange match support, IP address
#			ranges are also allowed.
#
#			If the MARK column specifies a classification of
#			the form <major>:<minor> then this column may also
#			contain an interface name.
#
#	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
#			"ipp2p:udp", "ipp2p:all", a number, or "all".
#			"ipp2p" requires ipp2p match support in your kernel
#			and iptables.
#
#	PORT(S)		Destination Ports. A comma-separated list of Port
#			names (from /etc/services), port numbers or port
#			ranges; if the protocol is "icmp", this column is
#			interpreted as the destination icmp-type(s).
#
#			If the protocol is ipp2p, this column is interpreted
#			as an ipp2p option without the leading "--" (example
#			"bit" for bit-torrent). If no PORT is given, "ipp2p" is
#			assumed.
#
#			This column is ignored if PROTOCOL = all but must be
#			entered if any of the following fields is supplied.
#			In that case, it is suggested that this field contain
#			"-"
#
#	SOURCE PORT(S)	(Optional) Source port(s). If omitted,
#			any source port is acceptable. Specified as a comma-
#			separated list of port names, port numbers or port
#			ranges.
#
#	USER		This column may only be non-empty if the SOURCE is
#			the firewall itself.
#
#			When this column is non-empty, the rule applies only
#			if the program generating the output is running under
#			the effective user and/or group.
#
#			It may contain:
#
#			[<user name or number>]:[<group name or number>][+<program name>]
#
#			The colon is optional when specifying only a user
#			or a program name.
#			Examples: john: , john , :users , john:users ,
#			+mozilla-bin (Support for program names
#			was removed from Netfilter in Kernel
#			version 2.6.14).
#
#	TEST		Defines a test on the existing packet or connection
#			mark. The rule will match only if the test returns
#			true. Tests have the format [!]<value>[/<mask>][:C]
#
#			Where:
#
#			!	   Inverts the test (not equal)
#			<value>	   Value of the packet or connection mark.
#			<mask>	   A mask to be applied to the mark before
#				   testing
#			:C	   Designates a connection mark. If
#				   omitted, the packet mark's value is
#				   tested.
#
#			If you don't want to define a test but need to specify
#			anything in the following columns, place a "-" in this
#			field.
#
#	LENGTH		(Optional) Packet Length. This field, if present,
#			allows you to match the length of a packet against
#			a specific value or range of values. You must have
#			iptables length support for this to work. If you
#			leave it empty or place a "-" here, no length match will be
#			done.
#
#			Examples: 1024, 64:1500
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# http://shorewall.net/Shorewall_and_Routing.html
###############################################################################
#MARK	SOURCE		DEST		PROTO	PORT(S)	CLIENT	USER	TEST	LENGTH
#							PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE