Tproxy per user

Tags: http-proxy, ipv6, PROXY, squid

I'm in the process of adding some parental control to my box (http filtering).

The box is used by the whole family (one account for each member) and squid runs on the very same machine.

I have two squid instances, one (for adults) only for caching, one (for children) using squidGuard.

To choose between both squid instances, I use --uid-owner with NAT rules.

iptables -t nat -A OUTPUT -m owner --uid-owner $owner -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $port

(ditto for ip6tables)

Currently I use NAT for both IPv4 and IPv6 (with a fairly recent linux kernel), but Squid says that "intercept" only supports IPv4. I would like to have IPv6 too.

I tried to use TPROXY (e.g. using these rules) but I failed because I need --uid-owner which iptables wants to set on POSTROUTING (not on PREROUTING).

Those rules are:

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

How do I add appropriate --uid-owner rules in that mangle table? I mean, how do I decide to forward to port 3128 or 3129?

Edit: please don't answer saying that my NAT rule works well. I know that. I need to get rid of NAT because Squid's NAT is IPv4 only. So please, again, no NAT. Only TPROXY or mangle or whatever you call it that works with the mangle rules above.

Best Answer

You don't need --uid-owner in PREROUTING, you need it in OUTPUT (like in your example).
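The mechanics behind that answer: the TPROXY target is only valid in mangle PREROUTING, and locally generated packets never pass through PREROUTING on their own. The standard way around this is to set a per-user fwmark in mangle OUTPUT (where the owner match is allowed), policy-route marked packets as "local" through lo so they re-enter the stack, and then let the existing PREROUTING TPROXY rules match on that mark. The script below is an added example, not code from the question or the answer. It assumes (none of this is in the original post) that Squid runs as user "proxy", that adult accounts are listed in ADULT_UIDS and child accounts in CHILD_UIDS, that the caching instance listens with "http_port 3128 tproxy" and the squidGuard instance with "http_port 3129 tproxy", and that routing table 100 is unused. It defaults to a dry run that prints the commands; set DRY_RUN=0 and run it once as root to apply them.

```shell
#!/bin/sh
# Added example (not from the original question or answer): classify HTTP
# traffic per uid in mangle OUTPUT, route marked packets back through lo, and
# hand them to one of two Squid TPROXY listeners from mangle PREROUTING.
# Assumed (hypothetical) names: Squid user "proxy", family accounts below,
# Squid ports 3128 (caching) and 3129 (squidGuard), routing table 100.
set -eu

ADULT_UIDS="${ADULT_UIDS:-alice bob}"
CHILD_UIDS="${CHILD_UIDS:-carol dave}"
SQUID_USER="${SQUID_USER:-proxy}"
ADULT_MARK=0x10   # goes to the caching-only instance on 3128
CHILD_MARK=0x20   # goes to the squidGuard instance on 3129
TABLE=100
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands, 0 = execute them (as root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit the rules for one address family.
#   ipt     : iptables or ip6tables
#   ipcmd   : "ip -4" or "ip -6"
#   anyaddr : 0.0.0.0/0 or ::/0
setup_family() {
    ipt=$1; ipcmd=$2; anyaddr=$3

    # 1. OUTPUT: owner match is legal here. Squid's own outbound connections
    #    are excluded first so proxied traffic is not proxied again.
    run $ipt -t mangle -N TPROXY_OUT
    run $ipt -t mangle -A TPROXY_OUT -m owner --uid-owner "$SQUID_USER" -j RETURN
    for u in $ADULT_UIDS; do
        run $ipt -t mangle -A TPROXY_OUT -m owner --uid-owner "$u" -j MARK --set-mark $ADULT_MARK
    done
    for u in $CHILD_UIDS; do
        run $ipt -t mangle -A TPROXY_OUT -m owner --uid-owner "$u" -j MARK --set-mark $CHILD_MARK
    done
    run $ipt -t mangle -A OUTPUT -p tcp --dport 80 -j TPROXY_OUT

    # 2. Policy routing: marked packets take the "local" route via lo, so the
    #    kernel re-receives them and they traverse mangle PREROUTING.
    #    Mark 0x1 is the --tproxy-mark that established flows carry.
    for m in 0x1 $ADULT_MARK $CHILD_MARK; do
        run $ipcmd rule add fwmark $m lookup $TABLE
    done
    run $ipcmd route add local "$anyaddr" dev lo table $TABLE

    # 3. PREROUTING: packets for an existing Squid socket first, then new
    #    flows are dispatched to the right listener by the mark set in step 1.
    run $ipt -t mangle -N DIVERT
    run $ipt -t mangle -A DIVERT -j MARK --set-mark 1
    run $ipt -t mangle -A DIVERT -j ACCEPT
    run $ipt -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run $ipt -t mangle -A PREROUTING -p tcp --dport 80 -m mark --mark $ADULT_MARK \
        -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128
    run $ipt -t mangle -A PREROUTING -p tcp --dport 80 -m mark --mark $CHILD_MARK \
        -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
}

# Same rule set for IPv4 and IPv6; this is what makes TPROXY preferable to
# the IPv4-only NAT interception.
setup_all() {
    setup_family iptables  "ip -4" 0.0.0.0/0
    setup_family ip6tables "ip -6" ::/0
}

setup_all
```

Two caveats a practitioner will hit: the Squid process must keep CAP_NET_ADMIN for the tproxy listeners and must not run under any uid listed in the mark rules, otherwise its outbound connections loop back into the proxy; and the script creates chains and routing rules, so it is meant to be applied once (flush the mangle table and delete the fwmark rules before re-running it).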
