shorewall-tcrules.5

sharewall is very good

\fBCOMMENT\fR
\-\- the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries\&. The comment will appear delimited by "/* \&.\&.\&. */" in the output of
\fBshorewall show mangle\fR
.sp
To stop the comment from being attached to further rules, simply include COMMENT on a line by itself\&.
.RE
.RE
.PP
\fBSOURCE\fR \- {\fB\-\fR|{\fIinterface\fR|\fB$FW\fR}|[{\fIinterface\fR|\fB$FW\fR}:]\fIaddress\-or\-range\fR[\fB,\fR\fIaddress\-or\-range\fR]\&.\&.\&.}[\fIexclusion\fR]
.RS 4
May be:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
An interface name \- matches traffic entering the firewall on the specified interface\&. May not be used in classify rules or in rules using the :T chain qualifier\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
A comma\-separated list of host or network IP addresses or MAC addresses\&.
\fBThis form will not match traffic that originates on the firewall itself unless either <major><minor> or the :T chain qualifier is used in the MARK column\&.\fR
.sp
Examples:.RS 4
0\&.0\&.0\&.0/0
.RE
.sp
.RS 4
192\&.168\&.1\&.0/24, 172\&.20\&.4\&.0/24
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  3." 4.2
.\}
An interface name followed by a colon (":") followed by a comma\-separated list of host or network IP addresses or MAC addresses\&. May not be used in classify rules or in rules using the :T chain qualifier\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  4." 4.2
.\}
$FW optionally followed by a colon (":") and a comma\-separated list of host or network IP addresses\&. Matches packets originating on the firewall\&. May not be used with a chain qualifier (:P, :F, etc\&.) in the MARK column\&.
.RE
.RS 4
MAC addresses must be prefixed with "~" and use "\-" as a separator\&.
.sp
Example: ~00\-A0\-C9\-15\-39\-78
.sp
You may exclude certain hosts from the set already defined through use of an
\fIexclusion\fR
(see
\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[5]\d\s+2(5))\&.
.RE
.PP
\fBDEST\fR \- {\fB\-\fR|{\fIinterface\fR|[\fIinterface\fR:]\fIaddress\-or\-range\fR[\fB,\fR\fIaddress\-or\-range\fR]\&.\&.\&.}[\fIexclusion\fR]
.RS 4
May be:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
An interface name\&. May not be used in the PREROUTING chain (:P in the mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[6]\d\s+2
(5))\&. The interface name may be optionally followed by a colon (":") and an IP address list\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
A comma\-separated list of host or network IP addresses\&. The list may include ip address ranges if your kernel and iptables include iprange support\&.
.RE
.RS 4
You may exclude certain hosts from the set already defined through use of an
\fIexclusion\fR
(see
\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[5]\d\s+2(5))\&.
.RE
.PP
\fBPROTO\fR \- {\fB\-\fR|\fBtcp:syn\fR|\fBipp2p\fR|\fBipp2p:udp\fR|\fBipp2p:all\fR|\fIprotocol\-number\fR|\fIprotocol\-name\fR|\fBall}\fR
.RS 4
Protocol \-
\fBipp2p\fR
requires ipp2p match support in your kernel and iptables\&.
.RE
.PP
\fBPORT(S)\fR (Optional) \- [\fB\-\fR|\fIport\-name\-number\-or\-range\fR[\fB,\fR\fIport\-name\-number\-or\-range\fR]\&.\&.\&.]
.RS 4
Destination Ports\&. A comma\-separated list of Port names (from services(5)),
\fIport number\fRs or
\fIport range\fRs; if the protocol is
\fBicmp\fR, this column is interpreted as the destination icmp\-type(s)\&.
.sp
If the protocol is
\fBipp2p\fR, this column is interpreted as an ipp2p option without the leading "\-\-" (example
\fBbit\fR
for bit\-torrent)\&. If no PORT is given,
\fBipp2p\fR
is assumed\&.
.sp
This column is ignored if PROTOCOL = all but must be entered if any of the following field is supplied\&. In that case, it is suggested that this field contain "\-"
.RE
.PP
\fBSOURCE PORT(S)\fR (Optional) \- [\fB\-\fR|\fIport\-name\-number\-or\-range\fR[\fB,\fR\fIport\-name\-number\-or\-range\fR]\&.\&.\&.]
.RS 4
Source port(s)\&. If omitted, any source port is acceptable\&. Specified as a comma\-separated list of port names, port numbers or port ranges\&.
.RE
.PP
\fBUSER\fR (Optional) \- [\fB!\fR][\fIuser\-name\-or\-number\fR][\fB:\fR\fIgroup\-name\-or\-number\fR][\fB+\fR\fIprogram\-name\fR]
.RS 4
This column may only be non\-empty if the SOURCE is the firewall itself\&.
.sp
When this column is non\-empty, the rule applies only if the program generating the output is running under the effective
\fIuser\fR
and/or
\fIgroup\fR
specified (or is NOT running under that id if "!" is given)\&.
.sp
Examples:
.PP
joe
.RS 4
program must be run by joe
.RE
.PP
:kids
.RS 4
program must be run by a member of the \'kids\' group
.RE
.PP
!:kids
.RS 4
program must not be run by a member of the \'kids\' group
.RE
.PP
+upnpd
.RS 4
#program named upnpd
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
The ability to specify a program name was removed from Netfilter in kernel version 2\&.6\&.14\&.
.sp .5v
.EM yellow
.RE
.RE
.RE
.PP
\fBTEST\fR \- [\fB!\fR]\fIvalue\fR[/\fImask\fR][\fB:C\fR]
.RS 4
Defines a test on the existing packet or connection mark\&. The rule will match only if the test returns true\&.
.sp
If you don\'t want to define a test but need to specify anything in the following columns, place a "\-" in this field\&.
.PP
!
.RS 4
Inverts the test (not equal)
.RE
.PP
\fIvalue\fR
.RS 4
Value of the packet or connection mark\&.
.RE
.PP
\fImask\fR
.RS 4
A mask to be applied to the mark before testing\&.
.RE
.PP
\fB:C\fR
.RS 4
Designates a connection mark\&. If omitted, the packet mark\'s value is tested\&.
.RE
.RE
.PP
\fBLENGTH\fR (Optional) \- [\fIlength\fR|[\fImin\fR]\fB:\fR[\fImax\fR]]
.RS 4
Packet Length\&. This field, if present allow you to match the length of a packet against a specific value or range of values\&. You must have iptables length support for this to work\&. A range is specified in the form
\fImin\fR:\fImax\fR
where either
\fImin\fR
or
\fImax\fR
(but not both) may be omitted\&. If
\fImin\fR
is omitted, then 0 is assumed; if
\fImax\fR
is omitted, than any packet that is
\fImin\fR
or longer will match\&.
.RE
.PP
\fBTOS\fR \- \fItos\fR
.RS 4
Type of service\&. Either a standard name, or a numeric value to match\&.
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
         \fBMinimize\-Delay\fR (16)
         \fBMaximize\-Throughput\fR (8)
         \fBMaximize\-Reliability\fR (4)
         \fBMinimize\-Cost\fR (2)
         \fBNormal\-Service\fR (0)
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.PP
\fBCONNBYTES\fR \- [!]\fImin\fR:[\fImax\fR[:{\fBO\fR|\fBR\fR|\fBB\fR}[:{\fBB\fR|\fBP\fR|\fBA\fR}]]]
.RS 4
Connection Bytes; defines a byte or packet range that the connection must fall within in order for the rule to match\&. Added in Shorewall\-perl 4\&.2\&.0\&.
.sp
A packet matches if the the packet/byte count is within the range defined by
\fImin\fR
and
\fImax\fR
(unless ! is given in which case, a packet matches if the packet/byte count is not within the range)\&.
\fImin\fR
is an integer which defines the beginning of the byte/packet range\&.
\fImax\fR
is an integer which defines the end of the byte/packet range; if omitted, only the beginning of the range is checked\&. The first letter gives the direction which the range refers to:\fBO\fR \- The original direction of the connection\&. .sp \fBR\fR \- The opposite direction from the original connection\&. .sp \fBB\fR \- The total of both directions\&.
.sp
If omitted,
\fBB\fR
is assumed\&.
.sp
The second letter determines what the range refers to\&.\fBB\fR \- Bytes .sp \fBP\fR \- Packets .sp \fBA\fR \- Average packet size\&.If omitted,
\fBB\fR
is assumed\&.
.RE
.PP
\fBHELPER \- \fR\fIhelper\fR
.RS 4
Added in Shorewall\-perl 4\&.2\&.0\&. Names a Netfiler protocol
helper
module such as
\fBftp\fR,
\fBsip\fR,
\fBamanda\fR, etc\&. A packet will match if it was accepted by the named helper module\&. You can also append "\-" and a port number to the helper module name (e\&.g\&.,
\fBftp\-21\fR) to specify the port number that the original connection was made on\&.
.sp
Example: Mark all FTP data connections with mark 4:
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
#MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
#CLASSIFY                                        PORT(S)
4:T       0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0 TCP     \-          \-       \-    \-    \-      \-   \-         ftp
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.SH "Example"
.PP
Example 1:
.RS 4
Mark all ICMP echo traffic with packet mark 1\&. Mark all peer to peer traffic with packet mark 4\&.
.sp
This is a little more complex than otherwise expected\&. Since the ipp2p module is unable to determine all packets in a connection are P2P packets, we mark the entire connection as P2P if any of the packets are determined to match\&.
.sp
We assume packet/connection mark 0 means unclassified\&.
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
       #MARK/     SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
       #CLASSIFY                                               PORT(S)
       1:T        0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0    icmp    echo\-request
       1:T        0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0    icmp    echo\-reply
       RESTORE:T  0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0    all     \-             \-       \-       0
       CONTINUE:T 0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0    all     \-             \-       \-       !0
       4:T         0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0   ipp2p:all
       SAVE:T      0\&.0\&.0\&.0/0 0\&.0\&.0\&.0/0   all     \-             \-       \-       !0
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
If a packet hasn\'t been classifed (packet mark is 0), copy the connection mark to the packet mark\&. If the packet mark is set, we\'re done\&. If the packet is P2P, set the packet mark to 4\&. If the packet mark has been set, save it to the connection mark\&.
.RE
.SH "FILES"
.PP
/etc/shorewall/tcrules
.SH "See ALSO"
.PP
\m[blue]\fBhttp://shorewall\&.net/traffic_shaping\&.htm\fR\m[]
.PP
\m[blue]\fBhttp://shorewall\&.net/MultiISP\&.html\fR\m[]
.PP
\m[blue]\fBhttp://shorewall\&.net/PacketMarking\&.html\fR\m[]
.PP
shorewall(8), shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-ecn(5), shorewall\-exclusion(5), shorewall\-hosts(5), shorewall\-interfaces(5), shorewall\-ipsec(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-route_rules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5)
.SH "Notes"
.IP " 1." 4
shorewall-rules
.RS 4
\%http://www.shorewall.net/manpages/shorewall-rules.html
.RE
.IP " 2." 4
shorewall.conf
.RS 4
\%http://www.shorewall.net/manpages/shorewall.conf.html
.RE
.IP " 3." 4
shorewall-tcdevices
.RS 4
\%http://www.shorewall.net/manpages/shorewall-tcdevices.html
.RE
.IP " 4." 4
shorewall-tcclasses
.RS 4
\%http://www.shorewall.net/manpages/shorewall-tcclasses.html
.RE
.IP " 5." 4
shorewall-exclusion
.RS 4
\%http://www.shorewall.net/manpages/shorewall-exclusion.html
.RE
.IP " 6." 4
shorewall.conf
.RS 4
\%http://www.shorewall.net/manpages/manpages/shorewall.conf
.RE