For locally generated traffic (e.g., the squid proxy) you could use the mangle table's OUTPUT chain, which "is used for altering locally generated packets before they enter the routing decision". You should be able to add an additional rule in the OUTPUT chain in the MANGLE table to MARK the packet based on the same match conditions that you used in the PREROUTING chain.

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jason Opperisano
Sent: Friday, April 29, 2005 9:18 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: squid + fwmark problem

On Fri, Apr 29, 2005 at 12:24:28PM +0200, jonathan wrote:
> hi,
> I am running a squid transparent proxy on the same server as an
> iptables firewall.
>
> I have two internet connections on the server and of course another one
> for the local network.
> I use meta-data marking (netfilter / fwmark) to route the packets to
> ISP1 or ISP2 according to the destination port.
>
> It works very well if the proxy is inactive, but when I activate squid
> (with port redirection), packets are going to any output interface
> ignoring the packet marking rules.

my guess is because you are using -t mangle PREROUTING rules to MARK packets from client machines to select an alternate routing table based on the destination port. keep in mind that once you redirect the traffic to squid, the HTTP connection to the web servers on the Internet will be made from the local squid process. local process packets do not traverse any of the PREROUTING chains; therefore, these packets will never get a MARK and will use whatever routes are available to the system. it sounds like you have a multipath default gateway setup in the main routing table.

cheap solution: follow the instructions at:

  http://lartc.org/howto/lartc.rpdb.multiple-links.html

and set up your main routing table's default gateway as the ISP router that you want the HTTP traffic to go over. the (possible) downside is that all the traffic generated by the firewall/proxy machine will go over that link. if this machine only does firewalling and proxying, there shouldn't be much traffic other than the HTTP requests generated by squid, so this shouldn't be a huge deal.

expensive solution: compile in support for the ROUTE target from PoM, and use something along the lines of:

  # re-route HTTP traffic going out int2/ISP2 back to int1/ISP1
  iptables -t mangle -A POSTROUTING -o $INT2 -p tcp --dport 80 \
    -j ROUTE --oif $INT1 --gw $ISP1_GW

  # you should already have this, but just in case...
  # make sure packets exiting $INT1 have $INT1_IP as the src
  iptables -t nat -A POSTROUTING -o $INT1 -j SNAT --to $INT1_IP

> But now I am "terrify" because I have just read in this mailing list
> that squid doesn't support the meta-data marking.

squid is an application-level gateway, so--it does not see routing table marks.

> Is that right and why ? has anybody used both successfully ? Is
> there another solution for my problem ?
>
> thanks a lot for helping a squid newbie...

hope this helps more than it confuses.

-j

--
"Peter: Hey, What's His Name?
Al Gore: Dick Army
Peter: Phhhhh, ha ha ha ha. No Seriously What Is It?
Al Gore: Dick Army
Peter: Phhhhh, ha ha ha ha. Hey Dick, What's Your Wife's Name? Vagina Coastguard?"
--Family Guy
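As an added example (not code from either poster), here is the OUTPUT-chain marking suggested in the reply at the top, together with the PREROUTING mark, the squid REDIRECT and the fwmark routing rule the mark is supposed to select. Interface names, addresses, the mark value and the table number are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Names below are assumed placeholders:
# INT1/ISP1_GW/INT1_IP describe the ISP1 link, LAN_IF/LAN_NET the inside.
# By default the commands are only printed; set APPLY=1 to execute them.
INT1=${INT1:-eth0}
INT1_IP=${INT1_IP:-198.51.100.2}
ISP1_GW=${ISP1_GW:-198.51.100.1}
LAN_IF=${LAN_IF:-eth2}
LAN_NET=${LAN_NET:-192.168.1.0/24}
HTTP_MARK=1        # fwmark that selects the ISP1 table
ISP1_TABLE=101     # routing table holding ISP1's default route
SQUID_PORT=3128

# Print the command; execute it as well when APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

build_rules() {
    # Table 101 is consulted only for packets carrying HTTP_MARK.
    run ip route replace default via "$ISP1_GW" dev "$INT1" table "$ISP1_TABLE"
    run ip rule add fwmark "$HTTP_MARK" table "$ISP1_TABLE"
    # Client traffic: mark in PREROUTING, then hand port 80 to squid. The
    # client's packet ends at the local socket; squid opens its own upstream
    # connection, which is locally generated and never sees PREROUTING.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j MARK --set-mark "$HTTP_MARK"
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    # Squid's outbound connections are marked in mangle OUTPUT; netfilter
    # re-runs the routing decision for a packet whose mark changed there.
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 \
        -j MARK --set-mark "$HTTP_MARK"
    # Source address must belong to the link the packet actually leaves on.
    run iptables -t nat -A POSTROUTING -o "$INT1" -j SNAT --to-source "$INT1_IP"
}

build_rules
```

The OUTPUT rule marks every local connection to port 80, not only squid's, which is the same trade-off as the thread's "cheap solution" but limited to HTTP.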