About

Suppose you have a complex internal network and that some members in the local area network have different WAN IP addresses and they masquerade your traffic. Also, on your local network you have a Squid server and you want to route the traffic to some domains through some of the other LAN participants and through their WAN IP addresses. The server that Squid is on does not have an external interface, such that Squid cannot be configured using the tcp_outgoing_address configuration option. In that case, your best option is to use the tcp_outgoing_mark Squid configuration option and mark packets such that they can be routed using advanced Linux routing to the various LAN members that have WAN IP addresses and masquerade your traffic.

Diagram

Configuring Squid

First create an ACL for each client that has a WAN IP address:

acl out_a dstdom_regex "/etc/squid3/out_a.conf"

where:

  • out_a is the ACL name,
  • dstdom_regex "/etc/squid3/out_a.conf" defines a list of domains placed at /etc/squid3/out_a.conf for which the ACL will apply.

Then, tell Squid to mark the packets that match that ACL:

tcp_outgoing_mark 0x10 out_a

where:

  • 0x10 is the hexadecimal representation of the iptables mark,
  • out_a is the ACL for which packets will be marked.

This would have to be done for every LAN client that has a WAN IP address and you would like to use. It would result in something like the following example:

# Connection WAN "a"
acl out_a dstdom_regex "/etc/squid3/out_a.conf"
tcp_outgoing_mark 0x10 out_a
# Connection WAN "b"
acl out_b dstdom_regex "/etc/squid3/out_b.conf"
tcp_outgoing_mark 0x20 out_b

Routing Packets

Now that the marks are established, each of them needs a routing table in /etc/iproute2/rt_tables: add one line per mark, giving the mark in decimal as the table ID followed by a descriptive table name (a and b here):

16    a
32    b

Now we add a default route to table a via the LAN client that owns WAN address a (192.168.1.2 on the diagram):

ip route add default via 192.168.1.2 table a

and a rule that sends packets carrying mark 16 (0x10 in hexadecimal, corresponding to table a) through table a, and therefore to 192.168.1.2:

ip rule add fwmark 16 lookup a

Repeating the same steps for table b (via 192.168.1.4 on the diagram) gives the complete routing configuration:

ip route add default via 192.168.1.2 table a
ip rule add fwmark 16 lookup a
ip route add default via 192.168.1.4 table b
ip rule add fwmark 32 lookup b

Masquerading Traffic

The final step is to make sure that, on the LAN clients holding WAN IP addresses a and b, traffic arriving from the internal network is masqueraded using iptables. For instance, if client a's WAN interface were eth0 with the address 198.81.128.45, we would write:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

and similarly for client b.
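The three steps above (Squid marks, rt_tables entries with ip route/ip rule commands, and the masquerade rule on each WAN-capable client) are one procedure per peer, which makes it easy to get a decimal and a hexadecimal mark out of step. The following added example, which is not from the original page, keeps the peer list in one place and generates every fragment from it; it also checks `ip rule show` output against that list. The peer names, marks and gateway addresses are the page's own, the sample `ip rule show` output is constructed, and the WAN interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example (not from the page): derive all Squid, rt_tables, ip and
# iptables fragments from one peer list so the marks cannot drift apart.
# Constructed peer list, one record per line: <name> <mark-hex> <gateway>
PEERS='a 0x10 192.168.1.2
b 0x20 192.168.1.4'

# Convert a hexadecimal mark (0x10) to the decimal form rt_tables/ip rule use (16).
mark_dec() { printf '%d\n' "$(( $1 ))"; }

# Squid fragment: one dstdom_regex ACL per peer plus its tcp_outgoing_mark line.
squid_conf() {
    printf '%s\n' "$PEERS" | while read -r name mark gw; do
        printf '# Connection WAN "%s"\n' "$name"
        printf 'acl out_%s dstdom_regex "/etc/squid3/out_%s.conf"\n' "$name" "$name"
        printf 'tcp_outgoing_mark %s out_%s\n' "$mark" "$name"
    done
}

# rt_tables lines: table ID (the mark in decimal) and the table name.
rt_tables() {
    printf '%s\n' "$PEERS" | while read -r name mark gw; do
        printf '%s\t%s\n' "$(mark_dec "$mark")" "$name"
    done
}

# Policy routing on the Squid host: a default route per table via the peer,
# and an fwmark rule that selects that table for packets carrying the mark.
ip_commands() {
    printf '%s\n' "$PEERS" | while read -r name mark gw; do
        printf 'ip route add default via %s table %s\n' "$gw" "$name"
        printf 'ip rule add fwmark %s lookup %s\n' "$(mark_dec "$mark")" "$name"
    done
}

# Masquerade rule for a WAN-capable client; the interface name is an assumption.
masquerade_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "${1:-eth0}"
}

# Read `ip rule show` output on stdin and print the name of every peer whose
# fwmark rule is missing. ip prints marks in hexadecimal, so the hex form from
# the peer list is compared directly; an empty result means all rules are present.
missing_rules() {
    rules=$(cat)
    printf '%s\n' "$PEERS" | while read -r name mark gw; do
        printf '%s\n' "$rules" | grep -q "fwmark $mark lookup $name" || printf '%s\n' "$name"
    done
}

# Constructed sample of `ip rule show` output where only table a is wired up.
SAMPLE_RULES='0:	from all lookup local
32765:	from all fwmark 0x10 lookup a
32766:	from all lookup main
32767:	from all lookup default'

# Stand-alone run: print every fragment, then report peers lacking a rule.
squid_conf
rt_tables
ip_commands
masquerade_rule eth0
printf '%s\n' "$SAMPLE_RULES" | missing_rules
```

Run the script once to review the generated lines, then paste the Squid fragment into squid.conf, the rt_tables lines into /etc/iproute2/rt_tables, and execute the ip commands as root; `missing_rules` is meant to be fed with live `ip rule show` output afterwards, and with the constructed sample it reports `b`, the peer whose rule was never added.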


networking/squid/packet_marking.txt · Last modified: 2022/04/19 08:27 by 127.0.0.1