From: "Laszlo Attila Toth" <panther@balabit.hu>
In 4.0.3 the fwmark is not used by tproxy, another value is used for it: sk_buff.tproxy
With the tproxy match it should work, currently I don't see what can be the problem. The policy/fwmark usage is probably independent from it.
You are right, it might not be 'tproxy' at all. Because when squid makes an outbound connection, the modified squid will use IP_FREEBIND to spoof an outgoing IP. There is no tproxy redirect involved at all. It's purely an outbound connection bound to a foreign IP using IP_FREEBIND.

I have a little program which I used to simulate this behaviour (which I also used to verify the SNAT problem as well). To invoke the program:

# ./spoof 192.168.1.5 72.14.235.99

where 192.168.1.5 is the IP I want to spoof, and 72.14.235.99 is the IP where I have web services available to verify the return path. I have used www.google.com in this example.

If I flush the mangle OUTPUT chain, I could spoof the IP and get a reply from google. If I have something which MARKs the outgoing packet, the program 'spoof' will hang. The (arbitrary) iptables command I used:

iptables -t mangle -A OUTPUT -j MARK --set-mark 5

But it can be any other MARKs as well.

Regards.
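The test described above (a TCP socket bound to a foreign address via IP_FREEBIND, then connected outward, so that a broken return path shows up as a failed connect) as an added C example, not the poster's own 'spoof' program or any Squid code; the addresses 192.168.1.5 and 72.14.235.99 are the ones from the message, while the function names, port 80 and the 5-second timeout are assumptions of this example.

```c
/* freebind_probe: reproduces the test described above. Added example, not the
 * poster's "spoof" program. Usage: ./freebind_probe LOCAL_IP REMOTE_IP */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* TCP socket bound to local_ip even when that address is not configured on any
 * interface: IP_FREEBIND lifts the "address not available" check. fd or -1. */
int freebind_socket(const char *local_ip)
{
    struct sockaddr_in local;
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&local, 0, sizeof(local));
    local.sin_family = AF_INET;
    local.sin_port = 0;                     /* kernel picks the source port */
    if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0 ||
        inet_pton(AF_INET, local_ip, &local.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Connect with a send timeout so a missing return path (the hang described in
 * the thread) shows up as a failed connect instead of blocking. 0 or -1. */
int freebind_connect(int fd, const char *remote_ip, int port, int timeout_s)
{
    struct sockaddr_in remote;
    struct timeval tv = { timeout_s, 0 };   /* Linux honours SO_SNDTIMEO in connect() */
    memset(&remote, 0, sizeof(remote));
    remote.sin_family = AF_INET;
    remote.sin_port = htons(port);
    if (inet_pton(AF_INET, remote_ip, &remote.sin_addr) != 1 ||
        setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv)) < 0)
        return -1;
    return connect(fd, (struct sockaddr *)&remote, sizeof(remote)) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    int fd = argc == 3 ? freebind_socket(argv[1]) : -1;
    if (fd < 0) { fprintf(stderr, "usage: %s LOCAL_IP REMOTE_IP\n", argv[0]); perror("freebind_socket"); return 1; }
    if (freebind_connect(fd, argv[2], 80, 5) < 0) { perror("connect"); close(fd); return 1; }
    printf("connected from %s to %s:80\n", argv[1], argv[2]);
    return close(fd);
}
```

With the mangle OUTPUT chain empty the connect should succeed when 72.14.235.99 routes replies for 192.168.1.5 back to this host; with the MARK rule in place it reports a timeout after 5 seconds instead of hanging.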