squid + fwmark problem

Ken Hilliard ken at acotec.com
Fri Apr 29 21:46:42 CEST 2005

For locally generated traffic (e.g., the squid proxy) you could use the
mangle table's OUTPUT chain, which "is used for altering locally
generated packets before they enter the routing decision". You should be
able to add an additional rule in the OUTPUT chain in the MANGLE table
to MARK the packet based on the same match conditions that you used in
the PREROUTING chain.

-----Original Message-----
From: netfilter-bounces at lists.netfilter.org
[mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of Jason
Sent: Friday, April 29, 2005 9:18 PM
To: netfilter at lists.netfilter.org
Subject: Re: squid + fwmark problem

On Fri, Apr 29, 2005 at 12:24:28PM +0200, jonathan wrote:
> hi,
> I am running a squid transparent proxy on the same server as an
> iptables firewall.
> I have two internet connections on the server and of course another
> for the local network.
> I use meta-data marking (netfilter / fwmark) to route the packets to
> ISP1 or ISP2 according to the destination port.
> It works very well if the proxy is inactive, but when I activate squid
> (with port redirection), packets are going to any output interface
> ignoring the packet marking rules.

my guess is because you are using -t mangle PREROUTING rules to MARK
packets from client machines to select an alternate routing table based
on the destination port.

keep in mind that once you redirect the traffic to squid, the HTTP
connection to the web servers on the Internet will be made from the
local squid process.  local process packets do not traverse any of the
PREROUTING chains; therefore, these packets will never get a MARK and
will use whatever routes are available to the system.  it sounds like
you have a multipath default gateway setup in the main routing table.

cheap solution:  follow the instructions at:


and set up your main routing table's default gateway as the ISP router
that you want the HTTP traffic to go over.  the (possible) downside is
that all the traffic generated by the firewall/proxy machine will go
over that link.  if this machine only does firewalling and proxying,
there shouldn't be much traffic other than the HTTP requests generated by
squid, so this shouldn't be a huge deal.

expensive solution:  compile in support for the ROUTE target from PoM,
and use something along the lines of:

  # re-route HTTP traffic going out int2/ISP2 back to int1/ISP1
  iptables -t mangle -A POSTROUTING -o $INT2 -p tcp --dport 80 \
    -j ROUTE --oif $INT1 --gw $ISP1_GW

  # you should already have this, but just in case...
  # make sure packets exiting $INT1 have $INT1_IP as the src
  iptables -t nat -A POSTROUTING -o $INT1 -j SNAT --to $INT1_IP

> But now I am "terrify" because I have just read in this mailing list
> that squid doesn't support the meta-data marking. 

squid is an application-level gateway, so--it does not see routing table

> Is that right and why ? has anybody used both successfully ? Is
> there another solution for my problem ?
> thanks a lot for helping a squid newbie...

hope this helps more than it confuses.


"Peter: Hey, What's His Name?
 Al Gore: Dick Army
 Peter: Phhhhh, ha ha ha ha. No Seriously What Is It?
 Al Gore: Dick Army
 Peter: Phhhhh, ha ha ha ha. Hey Dick, What's Your Wife's Name? Vagina
        --Family Guy
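Added example (not from this thread or from the squid/netfilter projects) showing the fix Ken describes and the mechanism Jason explains: the same port-based MARK match is installed in both the mangle PREROUTING chain (forwarded client packets) and the mangle OUTPUT chain (packets the local squid process originates), plus the ip rule/ip route entries that act on the mark. Interface names, gateway addresses, the squid port, the mark value 2 and routing table 200 are all constructed placeholders. The script only prints the commands unless APPLY=1 is set, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# fwmark policy routing for a transparent squid box with two uplinks.
# All names/addresses below are constructed for this example.
INT1=${INT1:-eth1}                  # uplink to ISP1
INT2=${INT2:-eth2}                  # uplink to ISP2
ISP2_GW=${ISP2_GW:-203.0.113.1}     # ISP2 router (placeholder address)
LAN=${LAN:-eth0}                    # inside interface
SQUID_PORT=${SQUID_PORT:-3128}      # where squid listens (assumed)
MARK_ISP2=2                         # fwmark meaning "send via ISP2"
TABLE_ISP2=200                      # routing table consulted for that mark

# run: print the command; execute it only when APPLY=1 (needs root).
run() {
    printf '%s\n' "$*"
    [ "${APPLY:-0}" = "1" ] && "$@"
    return 0
}

# Mark web traffic by destination port. The identical match goes into
# PREROUTING (packets forwarded for LAN clients) and OUTPUT (connections
# that squid itself opens to origin servers). Locally generated packets
# never traverse PREROUTING, so without the OUTPUT copy squid's traffic
# would follow the main table's default route and ignore the policy.
mark_rules() {
    for chain in PREROUTING OUTPUT; do
        run iptables -t mangle -A "$chain" -p tcp --dport 80 \
            -j MARK --set-mark "$MARK_ISP2"
        run iptables -t mangle -A "$chain" -p tcp --dport 443 \
            -j MARK --set-mark "$MARK_ISP2"
    done
}

# Transparent redirect of LAN port-80 traffic into squid, and source NAT
# per uplink. The OUTPUT mark re-routes a packet after its source address
# was already chosen, so MASQUERADE on each egress interface is what keeps
# the source consistent with the link the packet actually leaves on.
nat_rules() {
    run iptables -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    run iptables -t nat -A POSTROUTING -o "$INT1" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$INT2" -j MASQUERADE
}

# Policy routing: packets carrying MARK_ISP2 consult table 200, whose
# default route points at ISP2. Everything else stays in the main table.
route_rules() {
    run ip route add default via "$ISP2_GW" dev "$INT2" table "$TABLE_ISP2"
    run ip rule add fwmark "$MARK_ISP2" table "$TABLE_ISP2"
    run ip route flush cache
}

# Sanity check helper: number of MARK rules destined for the OUTPUT chain.
# A result of 0 here is exactly the misconfiguration discussed in the thread.
count_output_marks() {
    mark_rules | grep -c -- '-A OUTPUT .* -j MARK'
}

mark_rules
nat_rules
route_rules
```

After applying, confirm the OUTPUT chain rules are actually matching squid's connections with `iptables -t mangle -L OUTPUT -v -n` (the packet counters on the MARK rules should increase while clients browse) and check `ip rule show` lists the fwmark rule above the main table.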
