# If your kernel and iptables include CONNMARK support then you can also
# mark the connection rather than the packet.
#
# The mark value may be optionally followed by "/" and a mask value (used
# to determine those bits of the connection mark to actually be set).
# When a mask is specified, the result of logically ANDing the mark value
# with the mask must be the same as the mark value.
#
# The mark and optional mask are then followed by one of:
#
# - Mark the connection in the chain determined by the setting of
#   MARK_IN_FORWARD_CHAIN
#
# - Mark the connection in the FORWARD chain
#
# - Mark the connection in the PREROUTING chain.
#
# - Mark the connection in the POSTROUTING chain
#
# - Mark the connection in the INPUT chain. This option is included for
#   completeness and has no applicability to traffic shaping or policy
#   routing.
#
# Special considerations if HIGH_ROUTE_MARKS=Yes in shorewall.conf(5):
#
# If HIGH_ROUTE_MARKS=Yes, then you may also specify a value in the range
# 0x0100-0xFF00 with the low-order byte being zero. Such values may only
# be used in the PREROUTING chain (value followed by :P, or you have set
# MARK_IN_FORWARD_CHAIN=No in shorewall.conf(5) and have not followed the
# value with :F) or the OUTPUT chain (SOURCE is $FW). With
# HIGH_ROUTE_MARKS=Yes, non-zero mark values less than 256 are not
# permitted. Shorewall prohibits non-zero mark values less than 256 in
# the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier versions
# allow such values in the OUTPUT chain, it is strongly recommended that
# with HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain to apply
# traffic shaping marks/classification.
# 2. A mark range which is a pair of integers separated by a dash ("-").
#
# Added in Shorewall 4.5.9.
#
# May be optionally followed by a slash ("/") and a mask and requires the
# Statistics Match capability in iptables and kernel. Marks in the
# specified range are assigned to packets in a round-robin fashion.
#
# When a mask is specified, the result of logically ANDing each mark
# value with the mask must be the same as the mark value. The least
# significant bit in the mask is used as an increment. For example, if
# '0x200-0x400/0xff00' is specified, then the assigned mark values are
# 0x200, 0x300 and 0x400 in equal proportions. If no mask is specified,
# then ( 2 ** MASK_BITS ) - 1 is assumed (MASK_BITS is set in
# shorewall.conf(5)).
# May optionally be followed by :P, :F, :T or :I where :P indicates that
# marking should occur in the PREROUTING chain, :F indicates that marking
# should occur in the FORWARD chain, :I indicates that marking should
# occur in the INPUT chain (added in Shorewall 4.4.13), and :T indicates
# that marking should occur in the POSTROUTING chain. If neither :P, :F
# nor :T follows the mark value, then the chain is determined as follows:
#
# - If the SOURCE is $FW[:address-or-range[,address-or-range]...], then
#   the rule is inserted into the OUTPUT chain. When HIGH_ROUTE_MARKS=Yes,
#   only high mark values may be assigned there. Packet marking rules for
#   traffic shaping of packets originating on the firewall must be coded in
#   the POSTROUTING chain (see below).
#
# - Otherwise, the chain is determined by the setting of
#   MARK_IN_FORWARD_CHAIN in shorewall.conf(5).
#
# Please note that :I is included for completeness and affects neither
# traffic shaping nor policy routing.
# If your kernel and iptables include CONNMARK support then you can also
# mark the connection rather than the packet.
#
# The mark range and optional mask can then be followed by one of:
#
# - Mark the connection in the chain determined by the setting of
#   MARK_IN_FORWARD_CHAIN
#
# - Mark the connection in the FORWARD chain
#
# - Mark the connection in the PREROUTING chain.
#
# - Mark the connection in the POSTROUTING chain
#
# - Mark the connection in the INPUT chain. This option is included for
#   completeness and has no applicability to traffic shaping or policy
#   routing.
# 3. A classification Id (classid) of the form major:minor where major and
# minor are integers. Corresponds to the 'class' specification in these
# traffic shaping modules:
#
# POSTROUTING chain (default).
# 4. CHECKSUM
#
# Added in Shorewall 4.5.9. Compute and fill in the checksum in a packet
# that lacks a checksum. This is particularly useful if you need to work
# around old applications, such as dhcp clients, that do not work well
# with checksum offloads, but you don't want to disable checksum offload
#
# Requires 'Checksum Target' support in your kernel and iptables.
#
# 5. [?]COMMENT -- the rest of the line will be attached as a comment to the
# Netfilter rule(s) generated by the following entries. The comment will
# appear delimited by "/* ... */" in the output of shorewall show mangle
#
# To stop the comment from being attached to further rules, simply
# include COMMENT on a line by itself.
#
# Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and
#
# 6. CONTINUE Don't process any more marking rules in the table.
#
# As in 1) above, may be followed by :P or :F. Currently, CONTINUE may
# not be used with exclusion (see the SOURCE and DEST columns below);
# that restriction will be removed when iptables/Netfilter provides the
# necessary support.
# 7. DIVERT
#
# Added in Shorewall 4.5.4 and only available when FORMAT is 2. Two
# DIVERT rules should precede the TPROXY rule and should select DEST PORT
# tcp 80 and SOURCE PORT tcp 80 respectively (assuming that tcp port 80
# is being proxied). DIVERT avoids sending packets to the TPROXY target
# once a socket connection to Squid3 has been established by TPROXY.
# DIVERT marks the packet with a unique mark and exempts it from any
#
# 8. DSCP
#
# Added in Shorewall 4.5.1. Sets the Differentiated Services Code Point
# field in the IP header. The dscp value may be given as an even number
# (hex or decimal) or as the name of a DSCP class. Valid class names and
# their associated hex numeric values are:
#
# To indicate more than one class, add their hex values together and
# specify the result.
#
# May be optionally followed by ':' and a capital letter designating the
# chain where classification is to occur.
#
# POSTROUTING chain (default).
#
# 9. IMQ(number)
#
# Added in Shorewall 4.5.1. Specifies that the packet should be passed to
# the IMQ identified by number. Requires IMQ Target support in your
# kernel and iptables.
#
# 10. IPMARK - Assigns a mark to each matching packet based on either the
# source or destination IP address. By default, it assigns a mark value
# equal to the low-order 8 bits of the source address. Default values
#
# as in the example above so that all of your minor classes will have a
# 11. RESTORE[/mask] -- restore the packet's mark from the connection's mark
# using the supplied mask if any. Your kernel and iptables must include
# CONNMARK support.
#
# As in 1) above, may be followed by :P or :F
#
# 12. SAME Some websites run applications that require multiple connections
# from a client browser. Where multiple 'balanced' providers are
# configured, this can lead to problems when some of the connections are
# routed through one provider and some through another. The SAME target
# allows you to work around that problem. SAME may be used in the
# PREROUTING and OUTPUT chains. When used in PREROUTING, it causes
# matching connections from an individual local system to all use the
# same provider. For example:
#
# #ACTION   SOURCE          DEST       PROTO  DEST
# SAME:P    192.168.1.0/24  0.0.0.0/0  tcp    80,443
#
# If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or 443
# and it has sent a packet on either of those ports in the last five
# minutes then the new connection will use the same provider as the
# connection over which that last packet was sent.
#
# When used in the OUTPUT chain, it causes all matching connections to an
# individual remote system to all use the same provider. For example:
#
# #ACTION   SOURCE          DEST       PROTO  DEST
# SAME      $FW             0.0.0.0/0  tcp    80,443
#
# If the firewall attempts a connection on TCP port 80 or 443 and it has
# sent a packet on either of those ports in the last five minutes to the
# same remote system then the new connection will use the same provider
# as the connection over which that last packet was sent.
#
# 13. SAVE[/mask] -- save the packet's mark to the connection's mark using
# the supplied mask if any. Your kernel and iptables must include
# CONNMARK support.
#
# As in 1) above, may be followed by :P or :F
#
# 14. STATE {NEW|RELATED|ESTABLISHED|INVALID} [,...]
#
# Added in Shorewall 4.5.9. The rule will only match if the packet's
# connection is in one of the listed states.
# 15. TOS(tos[/mask])
#
# POSTROUTING chain.
# 16. TPROXY(mark[,[port][,[address]]]) -- FORMAT 1
#
# Transparently redirects a packet without altering the IP header.
# Requires a local provider to be defined in shorewall-providers(5).
#
# There are three parameters to TPROXY - only the first (mark) is
# required:
#
# ● mark - the MARK value corresponding to the local provider in
#   shorewall-providers(5).
#
# ● port - the port on which the proxy server is listening. If omitted,
#   the original destination port.
#
# ● address - a local (to the firewall) IP address on which the proxy
#   server is listening. If omitted, the IP address of the interface on
#   which the request arrives.
#
# 17. TPROXY([port][,address]) -- FORMAT 2
#
# Transparently redirects a packet without altering the IP header.
# Requires a tproxy provider to be defined in shorewall-providers(5).
#
# There are two parameters to TPROXY - neither is required:
#
# ● port - the port on which the proxy server is listening. If omitted,
#   the original destination port.
#
# ● address - a local (to the firewall) IP address on which the proxy
#   server is listening. If omitted, the IP address of the interface on
#   which the request arrives.
#
# 18. TTL([-|+]number)
#
# Added in Shorewall 4.4.24.
#
# Prior to Shorewall 4.5.7.2, may be optionally followed by :F but the
# resulting rule is always added to the FORWARD chain. Beginning with
# Shorewall 4.5.7.2, it may be optionally followed by :P, in which case
# the rule is added to the PREROUTING chain.
#
# If + is included, packets matching the rule will have their TTL
# incremented by number. Similarly, if - is included, matching packets
# have their TTL decremented by number. If neither + nor - is given, the
# TTL of matching packets is set to number. The valid range of values for
# SOURCE - {-|{interface|$FW}|[{interface|$FW}:]address-or-range[,
# address-or-range]...}[exclusion]
#
# LENGTH - [length|[min]:[max]]
# Optional - packet payload length. This field, if present, allows you to
# match the length of a packet payload (Layer 4 data) against a specific
# value or range of values. You must have iptables length support for this
# to work. A range is specified in the form min:max where either min or max
# (but not both) may be omitted. If min is omitted, then 0 is assumed; if
# max is omitted, then any packet that is min or longer will match.
# packet is P2P, set the packet mark to 4. If the packet mark has been set,
# save it to the connection mark.
#
# SNAT outgoing connections on eth0 from 192.168.1.0/24 in round-robin
# fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 (Shorewall 4.5.9
#
# /etc/shorewall/tcrules:
#
# #ACTION  SOURCE          DEST  PROTO  PORT(S)  SOURCE  USER  TEST
# 1-3:CF   192.168.1.0/24  eth0  ; state=NEW
#
# /etc/shorewall/masq:
#
# #INTERFACE  SOURCE          ADDRESS  ...
# eth0        192.168.1.0/24  1.1.1.1  ; mark=1:C
# eth0        192.168.1.0/24  1.1.1.3  ; mark=2:C
# eth0        192.168.1.0/24  1.1.1.4  ; mark=3:C
##########################################################################################################################################
##########################################################################################################################################