I hope I can refocus this question on the real problem. I currently have a working VPN setup, but once I add my policy routing rules it breaks the clients' port 80 connections (everything else is still good, apps still work). I don't see any traffic going to my SQUID server. First of all, I don't use cache. I read http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute but it says "Please realize that this just gets the packets to the cache; you have to then configure interception on the cache itself to redirect traffic to the Squid TCP port!". Do I have to do that if I don't use cache (it didn't say what to do)?

Steps taken:

    # policy routing kernel requirement - OK
    # grep CONFIG_IP_ADVANCED_ROUTER /boot/config-$(uname -r)
    # grep CONFIG_IP_MULTIPLE_TABLES /boot/config-$(uname -r)
    # CONFIG_IP_ROUTE_FWMARK is deprecated as an option but enabled by default

    # they say rp_filter can mess up policy routing, so disabled it - OK
    # /etc/sysctl.conf
    net.ipv4.ip_forward=1
    net.ipv4.conf.default.rp_filter=0
    net.ipv4.conf.all.rp_filter=0

    # executed the following with my own IPs and table names - breaks connection
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -s $SQUID -j ACCEPT
    iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2
    iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
    iptables -t filter -A FORWARD -i eth0 -o eth0 -p tcp --dport 80 -j ACCEPT
    echo "201 http" >> /etc/iproute2/rt_tables
    ip rule add fwmark 2 table http
    ip route add default via $SQUID table http

ip route list table http (OK):

    default via $SQUID dev eth0

ip route (OK):

    default via 10.0.0.1 dev eth0
    10.0.0.0/24 dev eth0 proto kernel scope link src $VPN

route -n (OK):

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
    10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0

ip rule (OK):

    0:      from all lookup local
    219:    from all fwmark 0x2 lookup http
    220:    from all lookup 220
    32766:  from all lookup main
    32767:  from all lookup default

The short summary is that once I add

    iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2

the VPN client's HTTP traffic is broken. I am not able to determine where the traffic is lost/dropped/redirected to (nothing shows up on the SQUID server).
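The wiki's "configure interception on the cache itself" step is a separate nat REDIRECT rule on the Squid host, because the policy-routed packets still carry the real web server's address as their destination; the script below (an added example, not the poster's own commands) shows the router-side rules from the question next to that Squid-side rule, plus the counter and table checks used to see where packets stop. The Squid address 10.0.0.2, interface eth0 and Squid port 3128 (`http_port 3128 intercept` in squid.conf) are assumptions; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Router: mark port-80 traffic from VPN clients and policy-route it to Squid.
# Squid host: hand the routed packets to Squid's TCP port (the wiki's missing step).
SQUID=${SQUID:-10.0.0.2}        # assumption: Squid box on the VPN LAN
LAN_IF=${LAN_IF:-eth0}
SQUID_PORT=${SQUID_PORT:-3128}  # assumption: http_port 3128 intercept
MARK=2
TABLE=http
DRY_RUN=${DRY_RUN:-1}           # 1 = print commands, 0 = execute (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

router_rules() {
  # Exempt Squid's own outbound web traffic first, or it is routed back to itself.
  run iptables -t mangle -A PREROUTING -s "$SQUID" -p tcp --dport 80 -j ACCEPT
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j MARK --set-mark "$MARK"
  # Client and Squid sit on the same interface, so allow the hairpin forward.
  run iptables -t filter -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -p tcp --dport 80 -j ACCEPT
  grep -q "^201[[:space:]]$TABLE" /etc/iproute2/rt_tables 2>/dev/null \
    || run sh -c "echo '201 $TABLE' >> /etc/iproute2/rt_tables"
  run ip rule add fwmark "$MARK" table "$TABLE"
  run ip route add default via "$SQUID" table "$TABLE"
}

squid_rules() {
  # On the Squid host: packets arrive with dst = the real web server, so without
  # this rule the host forwards or drops them and Squid never sees a connection.
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
      -j REDIRECT --to-port "$SQUID_PORT"
}

diagnose() {
  # Per-rule packet counters show whether anything is being marked or forwarded;
  # the rule and table listings confirm the fwmark lookup is actually in place.
  run iptables -t mangle -L PREROUTING -v -n -x
  run iptables -t filter -L FORWARD -v -n -x
  run ip rule show
  run ip route list table "$TABLE"
  run sysctl net.ipv4.ip_forward net.ipv4.conf.all.rp_filter
}
```

Run `router_rules` on the VPN/router box and `squid_rules` on the Squid box; `diagnose` on the router, run twice around a client request, shows which counters move.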