I know what your trying to do.. there is no way really as even large ISPs who use TProxies don't do this and when you browse some sites they say "Hey, your from <insert IP here>" and it's not yours... The reason it won't work is that once REDIRECT runs it enters Squid immediately and squid then takes over and you can't change the address. If you SNAT it first, then it just goes out and the REDIRECT won't activate.. You'd basically have to write your own netfilter module which does this and maybe it could work.. eg. iptables -A PREROUTING -t nat -i $INTDEV -p tcp --dport 80 -m SNEAKYMODULE --use_orig_source -j REDIRECT --to-port 3128 that would be nice.. ;) Some websites are now smarter and they ignore HTTP_REMOTE server variables because they also see a X_HTTP_FORWARDER variable which the proxy adds to the header as showing the REAL source of the request.. this is usually the client not the proxy IP.. but it's up to the website to know this.. -----Original Message----- From: Paul Clark [mailto:paul@xxxxxxxxx] Sent: Saturday, May 24, 2003 3:07 AM To: netfilter@xxxxxxxxxxxxxxxxxxx Subject: REDIRECT after SNAT? Hi, Is there any way to force a REDIRECT to (e.g.) a local Web server _after_ SNAT has been done? I have a Truly Evil Scheme to map VLANs to SNAT address ranges, and I want it to work with a transparent proxy -on the same device- (I'm pretty sure it would work fine split across two devices). The problem is that the SNAT has to happen in nat:POSTROUTING, and REDIRECTs have to happen in nat:PREROUTING - so by the time my Evil SNAT Hackery has happened, it's too late to force it to the local machine. Is there such a thing as a 'retry this packet from the beginning' target? Thanks in advance Paul