squid + fwmark problem

Jason Opperisano opie at 817west.com
Fri Apr 29 16:17:45 CEST 2005

On Fri, Apr 29, 2005 at 12:24:28PM +0200, jonathan wrote:
> hi, 
> I am running a squid transparent proxy on the same server as an
> iptables firewall. 
> I have two internet connections on the server and of course another one
> for the local network. 
> I use meta-data marking (netfilter / fwmark) to route the packets to
> ISP1 or ISP2 according to the destination port. 
> It works very well if the proxy is inactive, but when I activate squid
> (with port redirection), packets are going to any output interface
> ignoring the packet marking rules. 

my guess is because you are using -t mangle PREROUTING rules to MARK
packets from client machines to select an alternate routing table based
on the destination port.

keep in mind that once you redirect the traffic to squid, the HTTP
connection to the web servers on the Internet will be made from the
local squid process.  local process packets do not traverse any of the
PREROUTING chains; therefore, these packets will never get a MARK and
will use whatever routes are available to the system.  it sounds like
you have a multipath default gateway setup in the main routing table.

cheap solution:  follow the instructions at:


and set up your main routing table's default gateway as the ISP router
that you want the HTTP traffic to go over.  the (possible) downside is
that all the traffic generated by the firewall/proxy machine will go
over that link.  if this machine only does firewalling and proxying,
there shouldn't be much traffic other than the HTTP requests generated by
squid, so this shouldn't be a huge deal.

expensive solution:  compile in support for the ROUTE target from PoM,
and use something along the lines of:

  # re-route HTTP traffic going out int2/ISP2 back to int1/ISP1
  iptables -t mangle -A POSTROUTING -o $INT2 -p tcp --dport 80 \
    -j ROUTE --oif $INT1 --gw $ISP1_GW

  # you should already have this, but just in case...
  # make sure packets exiting $INT1 have $INT1_IP as the src
  iptables -t nat -A POSTROUTING -o $INT1 -j SNAT --to $INT1_IP

> But now I am "terrify" because I have just read in this mailing list
> that squid doesn't support the meta-data marking. 

squid is an application-level gateway, so--it does not see routing table

> Is that right and why ? has anybody used both successfully ? Is
> there another solution for my problem ? 
> thanks a lot for helping a squid newbie...

hope this helps more than it confuses.


"Peter: Hey, What's His Name?
 Al Gore: Dick Army
 Peter: Phhhhh, ha ha ha ha. No Seriously What Is It?
 Al Gore: Dick Army
 Peter: Phhhhh, ha ha ha ha. Hey Dick, What's Your Wife's Name? Vagina
        --Family Guy
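The point made above, that Squid's own connections are locally generated and so skip PREROUTING, also means they do traverse the mangle OUTPUT chain. The script below is an added example written for this page, not part of the original mail or of Squid or netfilter: it marks the proxy's outbound HTTP in OUTPUT (matched by the user Squid runs as), sends that mark to a policy-routing table whose default route is ISP1, and keeps the POSTROUTING SNAT so the source address matches the exit interface. Interface names, addresses, the mark value, the table number and the squid user name are assumed placeholders. Commands are only printed (DRY_RUN=1, the default) unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not the mail author's rules.  All values below are
# assumptions: replace them with the real interface/gateway/address.
set -e

INT1="${INT1:-eth1}"               # assumed: interface towards ISP1
ISP1_GW="${ISP1_GW:-192.0.2.1}"    # assumed: ISP1 gateway (documentation range)
INT1_IP="${INT1_IP:-192.0.2.10}"   # assumed: this host's address on INT1
MARK="${MARK:-1}"                  # assumed fwmark value
TABLE="${TABLE:-101}"              # assumed policy-routing table number
SQUID_UID="${SQUID_UID:-squid}"    # assumed: user the squid process runs as

# Print the command instead of executing it when DRY_RUN is 1 (default),
# so the rule set can be reviewed before it touches a live firewall.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rules for traffic that squid itself originates.  Locally generated
# packets never hit PREROUTING, so the MARK has to be set in mangle
# OUTPUT; the kernel re-routes the packet after OUTPUT if the mark changed,
# so the fwmark rule below is honoured for these connections.
squid_mark_rules() {
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 \
        -m owner --uid-owner "$SQUID_UID" -j MARK --set-mark "$MARK"
    # Dedicated table whose only default route is ISP1.
    run ip route add default via "$ISP1_GW" dev "$INT1" table "$TABLE"
    # Marked packets consult that table instead of main.
    run ip rule add fwmark "$MARK" table "$TABLE"
    # The socket may have picked its source address before the mark was
    # applied, so rewrite it to INT1's address on the way out.
    run iptables -t nat -A POSTROUTING -o "$INT1" -j SNAT --to-source "$INT1_IP"
}

# Count of rules emitted, handy for a quick sanity check of the dry run.
rule_count() {
    DRY_RUN=1 squid_mark_rules | wc -l | tr -d ' '
}

squid_mark_rules
```

One check worth doing after applying the rules for real: `ip route get <web server IP> mark 1` should report the ISP1 gateway, while the same query without the mark still follows the main table.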
