RST packets do not abide by my IPTables mangle rule, thus do not get routed properly (due to policy based routing).
The policy based routing is done by source address, specifically if packets originate from 10.1.49.0/24 range, use the "guest" routing table. All other traffic uses the default routing table.
There is also a transparent Squid proxy running on this Linux router. By design, Squid intercepts the client requests to port 80 and establishes the connections directly to web servers itself. Therefore, traffic destined to port 80 essentially originates from the linux router, not 10.1.49.0/24. This means that all port 80 traffic used the default route, regardless of where the actual orignal request came from (ie 10.1.49.0/24 range).
Squid runs as nobody user, so marking said traffic is fairly simple and I fixed the issue with:
iptables -t mangle -A OUTPUT -m owner --uid-owner nobody -p tcp --dport 80 -j MARK --set-mark 1
along with the appropriate IP rule:
[user@box ~]# ip rule
0: from all lookup local
32764: from all fwmark 0x1 lookup guest
32765: from 10.1.49.0/24 lookup guest
32766: from all lookup main
32767: from all lookup default
Everything works as expected except one issue: Everytime the linux router initiates a RST for old/stale connections, the RSTs route via the default routing table (along with the wrong IP address too, from the wrong interface).
The RST packets are obviously tcp, destined to port 80, and one would think they're owned by user "nobody" since the connections belong to Squid. So any idea why RST packets are not abiding by my mangle rule above? Or any other ideas on how to troubleshoot and/or resolve this issue?