> One hint I had was that the traffic is not marked correctly.
>
> This line, if added (I got it from somewhere online), will change the MAC address
> of the web site to be the one of SQUID:
>
> iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j MARK --set-mark 2
>
> With that rule:
> 06:13:38.327212 0a:a5:82:f8:2e:93 (VPN's mac) > 0a:3c:e1:08:45:b7 (SQUID's mac),
> IPv4, length 74: 10.0.0.170.57525 > 157.166.248.10.80 (web site): tcp 0
>
> Without that rule:
> 06:01:59.823267 0a:a5:82:f8:2e:93 (VPN's mac) > 0a:ee:81:f6:13:ef (SQUID's mac),
> IPv4, length 66: 10.0.0.170.43154 > 157.166.249.11.80 (web site): tcp 0

This diagram explains the flow of PRE/POSTROUTING/OUTPUT/FORWARD:
http://users.ecs.soton.ac.uk/ajf101/kptd.pdf

So the OUTPUT rule makes a difference because I am testing from a local process
(i.e. curl on the VPN server). I then tried from a VPN client (inbound traffic),
and POSTROUTING makes a difference here (putting SQUID's mac).

Here are some notes:

# marking inbound traffic:
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2

# marking outbound traffic (i.e. locally generated traffic):
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j MARK --set-mark 2

Anyhow, that doesn't explain to me why marked traffic is not going to SQUID.

Thanks
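Added example, not part of the original post or of any project it mentions. The post marks port-80 traffic in two mangle chains (PREROUTING for traffic forwarded from VPN clients, OUTPUT for traffic generated locally on the VPN server). A mark by itself only tags the packet; whether a tagged packet is actually steered towards a different next hop depends on a policy-routing rule matching that fwmark, which is something the post does not show. The script below works offline on constructed `iptables -t mangle -S` and `ip rule` listings (the rule text, mark value 2 and table number 100 are assumptions) and reports, for a given mark, which mangle path carries it and whether any fwmark rule refers to it. On a real host you would feed it the live listings instead of the embedded samples.

```sh
#!/bin/sh
# Added example: offline check of the marking set-up described in the post.
# Constructed sample of `iptables -t mangle -S` on a box with both mark rules
# from the post (iptables prints --set-mark 2 as --set-xmark 0x2/0xffffffff).
MANGLE_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x2/0xffffffff
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x2/0xffffffff'

# Constructed `ip rule` output with no fwmark rule at all (default policy DB).
IP_RULES_NONE='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'

# Constructed `ip rule` output where mark 2 is sent to a separate table (100 is
# an assumed table number; the table itself is not shown here).
IP_RULES_WITH_FWMARK='0:      from all lookup local
100:    from all fwmark 0x2 lookup 100
32766:  from all lookup main
32767:  from all lookup default'

# has_mark CHAIN MARK LISTING
# Returns 0 if CHAIN has a rule whose target sets MARK (accepts the --set-mark
# and the --set-xmark spellings), 1 otherwise.
has_mark() {
    chain=$1; mark=$2; listing=$3
    printf '%s\n' "$listing" |
        grep -E -e "^-A $chain .*-j MARK --set-(x)?mark 0x$mark(/0xffffffff)?\$" >/dev/null
}

# has_fwmark_rule MARK LISTING
# Returns 0 if some policy-routing rule matches packets carrying MARK.
has_fwmark_rule() {
    mark=$1; listing=$2
    printf '%s\n' "$listing" |
        grep -E -e "fwmark (0x)?$mark( |/|\$)" >/dev/null
}

# diagnose MANGLE_LISTING IPRULE_LISTING [MARK]
# Prints one line summarising the three things that must all be in place:
# the inbound mark (PREROUTING), the outbound mark (OUTPUT) and a routing
# rule that acts on the mark.
diagnose() {
    mangle=$1; iprule=$2; mark=${3:-2}
    if has_mark PREROUTING "$mark" "$mangle"; then out="inbound=marked"; else out="inbound=unmarked"; fi
    if has_mark OUTPUT "$mark" "$mangle"; then out="$out outbound=marked"; else out="$out outbound=unmarked"; fi
    if has_fwmark_rule "$mark" "$iprule"; then out="$out policy-route=present"; else out="$out policy-route=missing"; fi
    printf '%s\n' "$out"
}

# Stand-alone run against the embedded samples. On a live host replace the
# samples with "$(iptables -t mangle -S)" and "$(ip rule)".
diagnose "$MANGLE_RULES" "$IP_RULES_NONE"
diagnose "$MANGLE_RULES" "$IP_RULES_WITH_FWMARK"
```

The first `diagnose` call reports both marks present but no policy route, which is the combination where packets carry the mark yet still follow the main routing table; the second shows the complete chain of mark plus fwmark rule.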