advanced routing question (squid/policy based routing)

Post by MPA » Sat, 26 Oct 2002 06:22:37
While setting up a second link to another ISP, I came up with the idea of
performing policy-based routing.
All of the web traffic should go via a flat-rate DSL link, whereas all the
rest is routed via a 2 Mbit/s CISCO.

The configuration is as follows: we have a network with public IP addresses.

                                                | 2 Mbit/s link to ISP
                                                | 194.x.y.z
                                                | default route
  INTERNET via DSL  ---------- DSL HW (NAT) ---------- LINUX FIREWALL
                                                |
                                                | a.b.c.x/27
                                        Internal Network (20 hosts)

What I try to achieve is that all outgoing traffic from a.b.c.x/27 port 80
is routed via the HW-DSL-Router. So I installed a SQUID in transparent mode
on the firewall and entered the following rule:

iptables -t nat -A PREROUTING -i eth1 -p tcp -s a.b.c.x& --dport 80 -j REDIRECT --to-port 3128

If I do not modify any routing, I have a perfect transparent webserver.

Now I add something more sophisticated: I configure squid to use
as the outbound interface with the squid configuration option
tcp_outgoing_address and add the following policy-based rule:

iptables -t mangle -A OUTPUT -s -p tcp --dport 80 -j MARK --set-mark 5

Now the packets become marked. I add the rules:

ip rule add fwmark 5 table dsl_out

ip route add default via dev eth4 table dsl_out

Now what happens? I take a tcpdump on an external webserver and on the
link between the firewall and the HW-DSL-ROUTER. I open an HTTP connection
from a.b.c.d. It gets redirected to the squid, which in turn opens a TCP
connection via the DSL-router. On the external webserver I see SYN packets
arriving from the external address of the DSL-router, and the webserver
answers with a SYN/ACK. The SYN/ACK is natted again and is inbound on the
link between the DSL-router and the firewall.

But it never arrives at the SQUID. Half a second later SQUID retransmits
the SYN and the connection is never established.
Before I forget: beforehand I cleared all firewalling rules on eth4:

iptables -I INPUT -i eth4 -j ACCEPT

What am I doing wrong? Any idea?

TCP-dumps of all links are available.

Thanks for your help...

Marc Peter Althoff
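A complete version of the mark-based policy-routing setup described in the post, as an added example that is not from the original post or its author. It assumes placeholder values (the DSL router's inside address `DSL_GW`, squid's outgoing address `SQUID_OUT`, mark 5, interface eth4, table `dsl_out`) and runs in dry-run mode by default, printing the commands instead of executing them. The one item the post does not mention is the reverse-path filter on eth4: with strict `rp_filter=1`, the kernel drops packets arriving on an interface that the routing table would not use to reach their source address, which is exactly the situation for replies from webservers whose route in the main table points at the 2 Mbit/s link.

```shell
#!/bin/sh
# Added example (not from the original post): policy routing for squid's
# outgoing HTTP connections over the DSL link. All values are placeholders.
DSL_IF="eth4"           # interface towards the DSL hardware router
DSL_GW="192.0.2.1"      # placeholder: DSL router's inside address
SQUID_OUT="192.0.2.2"   # placeholder: address used for tcp_outgoing_address
MARK=5
TABLE="dsl_out"         # must also be listed in /etc/iproute2/rt_tables
DRY_RUN="${DRY_RUN:-1}" # default: print commands instead of executing them

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_policy_routing() {
    # 1. Mark squid's own outbound port-80 connections. Locally generated
    #    traffic passes the OUTPUT chain, not PREROUTING.
    run iptables -t mangle -A OUTPUT -s "$SQUID_OUT" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK"
    # 2. Send marked packets through the alternate table, whose only entry
    #    is a default route via the DSL router.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$DSL_GW" dev "$DSL_IF" table "$TABLE"
    # 3. Replies arrive on $DSL_IF from sources the main table routes via the
    #    2 Mbit/s link; strict reverse-path filtering silently drops them, so
    #    disable it on that interface only (on newer kernels the 'all' setting
    #    may override this and must not be 1 either).
    run sysctl -w "net.ipv4.conf.$DSL_IF.rp_filter=0"
    # 4. Flush the route cache so the new rule applies to new connections.
    run ip route flush cache
}

# Shows the rule table and the mark counters for verifying that squid's
# SYNs are actually being marked and that the fwmark rule is present.
check_policy_routing() {
    run ip rule show
    run iptables -t mangle -L OUTPUT -v -n
}

setup_policy_routing
```

Run with `DRY_RUN=0` as root to apply the commands; the default only prints them so they can be reviewed first.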