Old 12-28-2012, 04:07 PM   #1
Policy based routing, IPTables mangle and RST packets

RST packets do not abide by my IPTables mangle rule, thus do not get routed properly (due to policy based routing).

The policy based routing is done by source address, specifically if packets originate from range, use the "guest" routing table. All other traffic uses the default routing table.

There is also a transparent Squid proxy running on this Linux router. By design, Squid intercepts the client requests to port 80 and establishes the connections directly to web servers itself. Therefore, traffic destined to port 80 essentially originates from the Linux router, not This means that all port 80 traffic used the default route, regardless of where the actual original request came from (i.e. range).

Squid runs as the nobody user, so marking said traffic is fairly simple and I fixed the issue with:

iptables -t mangle -A OUTPUT -m owner --uid-owner nobody -p tcp --dport 80 -j MARK --set-mark 1
along with the appropriate IP rule:

[user@box ~]# ip rule
0:      from all lookup local
32764:  from all fwmark 0x1 lookup guest
32765:  from lookup guest
32766:  from all lookup main
32767:  from all lookup default

Everything works as expected except one issue: every time the Linux router initiates a RST for old/stale connections, the RSTs route via the default routing table (along with the wrong IP address too, from the wrong interface).

The RST packets are obviously tcp, destined to port 80, and one would think they're owned by user "nobody" since the connections belong to Squid. So any idea why RST packets are not abiding by my mangle rule above? Or any other ideas on how to troubleshoot and/or resolve this issue?
Old 12-29-2012, 05:03 AM   #2
Just enable logging in the chains as the first rule and check; it will help you to find the root cause.

Eg:- iptables -t mangle -I OUTPUT 1 -j LOG --log-level 4
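Added example (not posted by either participant in this thread): a small POSIX sh script that builds on the mangle rule from post #1 and the logging suggestion from post #2. The point it demonstrates is that the iptables `owner` match only sees packets that still belong to a local socket, so it cannot match a RST the kernel generates for a connection whose socket is already gone; carrying the fwmark in the conntrack entry with CONNMARK (--save-mark / --restore-mark) is one way to make later packets of the same connection inherit the mark before the routing decision. The mark value 1, the user `nobody` and port 80 come from the thread; the helper names, the CONNMARK approach and the `IPT=echo` dry-run switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a mangle/OUTPUT rule set in which
# the policy-routing fwmark follows the connection (via conntrack) instead of
# depending on the socket owner alone. Assumption: CONNMARK is the right way
# to keep the mark after Squid's socket is closed; it only helps while the
# conntrack entry for that connection still exists.
#
# Dry run (prints rules instead of applying them):  IPT=echo sh thisfile.sh apply
# Real run as root:                                  sh thisfile.sh apply

IPT="${IPT:-iptables}"          # set IPT=echo to print instead of apply
MARK="${MARK:-1}"               # fwmark used by the "guest" ip rule in the thread
PROXY_USER="${PROXY_USER:-nobody}"   # user Squid runs as, per the thread

# Run one iptables command against the mangle table through $IPT so the whole
# rule set can be dry-run.
mangle() {
    "$IPT" -t mangle "$@"
}

# Emits three rules, in this order:
#  1. restore any mark already saved in the conntrack entry (covers packets,
#     RST included, that no longer have a socket and so never match `owner`);
#  2. the thread's own rule: mark proxy-owned port-80 packets by socket owner;
#  3. copy the packet mark into the conntrack entry so step 1 can find it later.
apply_marks() {
    mangle -A OUTPUT -j CONNMARK --restore-mark
    mangle -A OUTPUT -m owner --uid-owner "$PROXY_USER" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK"
    mangle -A OUTPUT -m mark --mark "$MARK" -j CONNMARK --save-mark
}

# Diagnostic rule in the spirit of reply #2, narrowed to outgoing RSTs so the
# log shows which mark (if any) they carry when they leave mangle/OUTPUT.
add_rst_logging() {
    mangle -I OUTPUT 1 -p tcp --tcp-flags RST RST \
        -j LOG --log-level 4 --log-prefix "mangle-rst: "
}

# Nothing runs unless explicitly asked, so sourcing this file is side-effect free.
case "${1:-}" in
    apply) apply_marks ;;
    log)   add_rst_logging ;;
esac
```

With `IPT=echo` the script prints the exact iptables invocations, which is a convenient way to review the rule order before touching a production router; the `log` action can be applied on its own to confirm, in the kernel log, whether the RSTs in question carry the mark at all.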


