Linux iptables includes that ability to mark individual network packets with a "firewall mark". Additionally there is a component called "conntrack" which tries to string sequences of related packets together into a "connection" (it even relates sequences of UDP and ICMP packets). There is a related mark for a connection called a "connection mark". Marks can be copied freely between the firewall and connection marks Using these two features it become possible to tag all related traffic in arbitrary ways, eg authenticated users, traffic from a particular IP, port, etc. Unfortunately any kind of "proxy" breaks this relationship because network packets go in one side of the proxy and a completely new connection comes out of the other side. However, sometimes, we want to maintain that relationship through the proxy and continue the connection mark on packets upstream of our proxy Dnsmasq includes such a feature enabled by the --conntrack option. This allows, for example, using iptables to mark traffic from a particular IP, and that mark to be persisted to requests made *by* Dnsmasq. Such a feature could be useful for bandwidth accounting, captive portals and the like. Note a similar feature has been implemented in Squid 2.2 As an example consider the following iptables rules: 1) iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark 2) iptables -t mangle -A PREROUTING -m mark --mark 0 -s 192.168.111.137 -j MARK --set-mark 137 3) iptables -t mangle -A PREROUTING -j CONNMARK --save-mark 4) iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark 1-3) are all applied to the PREROUTING table and affect all packets entering the firewall. 1) copies any existing connection mark into the firewall mark. 2) Checks the packet not already marked and if not applies an arbitrary mark based on IP address. 3) Saves the firewall mark back to the connection mark (which will persist it across related packets) 4) is applied to the OUTPUT table, which is where we first see packets generated locally. Dnsmasq will have already copied the firewall mark from the request, across to the new packet, and so all that remains is for iptables to copy it to the connection mark so it's persisted across packets. Note: iptables can be quite confusing to the beginner. The following diagram is extremely helpful in understanding the flows http://linux-ip.net/nf/nfk-traversal.png Additionally the following URL contains a useful "starting guide" on linux connection tracking/marking http://home.regit.org/netfilter-en/netfilter-connmark/