Hi,
I'm living in China, which means that while I have a 10 Mb/s fibre connection to my apartment it is useless for http and https traffic. I pay for a VPN service that solves the problem by restoring the ability to access censored web sites such as Google. The problem is I don't want to send all my Internet traffic through the VPN, for several reasons. I run a CentOS 6 server as my gateway. On it I have:
eth0 - An Internet facing fibre with a static IP address.
eth1 - An internal facing LAN connection on the traditional private range 192.168.1.x with the server at 192.168.1.3.
ppp0 - The PPTP VPN connection on the Internet with a different static IP address.

What I want is for all port 53, 80 and 443 traffic to go out to the Internet via the ppp0 interface and everything else via eth0. With Linux's powerful networking features you would think this would be easy, but after months of trying it is seeming increasingly difficult, to the point that I am wondering if I should be looking at other OSes.

In order of increasing complexity (I like the KISS principle of problem solving):
1. I looked at iptables but there is no rule I could find that says "for this destination port use a specific gateway or interface".

2. I looked at Squid on the gateway server but Squid cannot be bound to a specific interface for external traffic.

3. Now it gets complicated. I shut down the ppp0 interface and Squid on the gateway server. I built a second CentOS 6 server as a proxy server on the LAN at 192.168.1.5 with the ppp0 VPN on it as its default gateway. It has the gateway server as its route only to the VPN endpoint. On this second server I run Squid. This setup works well with Firefox and Chrome when they are manually set up to use it, and it handles the http and https traffic well. However other apps, such as package managers etc., still use the non-VPN'd interface. Also, setting up proxies on older mobile devices is a pain.

4. To support all devices I attempted to set up a transparent proxy on the gateway with the iptables rules:
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.5:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.5:3128
-A POSTROUTING -j MASQUERADE
This works well for http traffic but not https, which fails.

5. To simplify the https proxying (since I really only want routing) I installed tinyproxy on the proxy server at port 3130 and changed the gateway server iptables rules to:
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.5:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.5:3130
-A POSTROUTING -j MASQUERADE
Again this works fine for manually configured browsers, but the https traffic fails with a different error, 'ssl_error_rx_record_too_long'.

This post is already quite long so I won't fill it with config files now, but I can post them on request if someone has a suggestion of what path to try next. I really can't believe this should be this difficult, but I find I am running out of ideas and would welcome some suggestions of what to try.

Thanks
David
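The setup the post asks for (port 53, 80 and 443 out via ppp0, everything else via eth0) is policy routing by destination port: mark the packets in the iptables mangle table, then use an `ip rule` so marked packets consult a second routing table whose only default route is the VPN link. This is an added example, not code from the post or from any reply to it. It assumes the interface names from the post (eth0, eth1, ppp0), and it assumes as hypothetical choices that routing table 100 and fwmark 0x1 are unused on the gateway, that ppp0 is a point-to-point link (so `dev ppp0` is a valid default route with no gateway address), and that the CentOS 6 kernel accepts rp_filter mode 2. By default the script only prints the commands; `--apply` runs them as root.

```shell
#!/bin/sh
# Policy routing by destination port on the CentOS 6 gateway.
# Added example; interface names are from the post, table/mark numbers are assumptions.

LAN_IF=eth1      # internal LAN
WAN_IF=eth0      # direct fibre
VPN_IF=ppp0      # PPTP VPN link
MARK=0x1         # hypothetical free fwmark value
TABLE=100        # hypothetical free routing table number

# Emit the commands that set up the routing. Kept as text so they can be
# reviewed (or checked in a test) before being executed.
gen_rules() {
  cat <<EOF
# 1. Mark LAN traffic that must use the VPN, before the routing decision is made.
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp -m multiport --dports 53,80,443 -j MARK --set-mark $MARK
iptables -t mangle -A PREROUTING -i $LAN_IF -p udp --dport 53 -j MARK --set-mark $MARK
# 2. A second routing table whose only default route is the VPN interface.
ip route replace default dev $VPN_IF table $TABLE
# 3. Marked packets look up table $TABLE; unmarked packets fall through to the main table (eth0 default).
#    'ip rule add' does not de-duplicate, so run this once or delete the rule before re-adding.
ip rule add fwmark $MARK table $TABLE
ip route flush cache
# 4. Source NAT on whichever interface the packet leaves by.
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
# 5. Loose reverse-path filtering, otherwise replies for marked flows arriving on ppp0 can be dropped.
sysctl -w net.ipv4.conf.all.rp_filter=2
sysctl -w net.ipv4.conf.$VPN_IF.rp_filter=2
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Sanity check helper: how many generated rules mark traffic for the VPN table.
count_marked_rules() {
  gen_rules | grep -c -- "--set-mark $MARK"
}

case "${1:-}" in
  --apply) gen_rules | sh -e ;;   # execute the commands (needs root)
  --dry-run|"") gen_rules ;;      # default: print what would be run
esac
```

Two caveats worth knowing before relying on this. The mangle rules are in PREROUTING, so they cover traffic forwarded from the LAN but not traffic originating on the gateway itself; a matching `-t mangle -A OUTPUT` rule is needed for that. And sending port 53 through the VPN only helps if the resolver the clients use is reachable over the VPN, so point the LAN's DNS at a resolver that answers from the VPN side.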