> I have the following setup: CAPS = Device / Machine
>
> - ROUTER: WAN Address: xxxxxxxxx LAN Address: 192.168.40.1
> - IPTABLES: 1 LAN Interface 192.168.40.5 (Gateway: 192.168.40.1)
> - PROXY: 1 LAN Interface 192.168.40.10 (Gateway: 192.168.40.5)

These only have 1 interface each? Are you connecting all the machines (clients too) to a hub or switch?

> I have a number of other machines also on the 192.168.40/24 network who all
> have their GW set to 192.168.40.5. What I want NETFILTER to do is the
> following:
>
> - Have a transparent proxy such that any port 80 connections from
> these machines get processed by PROXY on port 3128

If iptables is not doing NAT, then what is it for with 1 NIC? You could as well set the default gateway of the workstations to 192.168.40.1 and configure the web browsers to use the proxy at 192.168.40.10. So you can skip the iptables box.

Anyway, not sure if it will work, but you can try this:

# default: forward nothing
iptables -P FORWARD DROP
# replies and related packets of already-accepted connections
iptables -A FORWARD -m state --state RELATED,ESTABLISHED \
  -j ACCEPT
# new connections from the LAN to the proxy port only
iptables -A FORWARD -s 192.168.40.0/24 -d 192.168.40.10 -p tcp \
  --dport 3128 -j ACCEPT
# rewrite LAN -> port 80 to the proxy before routing/filtering
iptables -t nat -A PREROUTING -s 192.168.40.0/24 -p tcp \
  --dport 80 -j DNAT --to-destination 192.168.40.10:3128
# enable routing between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

> - Allow all established connections from these machines to be allowed
> out via 192.168.40.1 otherwise disallowed
> - IPTABLES to do no NAT as that is already being done by ROUTER

Don't use any SNAT/MASQUERADE rules. Then it won't NAT.

Gr,
Rob
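To check what the ruleset above lets through, here is an added example (not from the thread) that models the nat PREROUTING DNAT rule and the FORWARD chain in Python and runs a few constructed packets through them. The client address 192.168.40.20 and the origin server 203.0.113.7 are made-up sample values; note that because PROXY's gateway is 192.168.40.5 and the DNAT rule matches all of 192.168.40.0/24, the proxy's own outbound port-80 requests also match and are rewritten back to the proxy, which the last sample shows.

```python
import ipaddress

# Values taken from the thread: LAN prefix, proxy address and listening port.
LAN = ipaddress.ip_network("192.168.40.0/24")
PROXY_IP, PROXY_PORT = "192.168.40.10", 3128


def prerouting(pkt):
    """nat PREROUTING: -s LAN -p tcp --dport 80 -j DNAT --to proxy:3128."""
    if (pkt["proto"] == "tcp" and pkt["dport"] == 80
            and ipaddress.ip_address(pkt["src"]) in LAN):
        return dict(pkt, dst=PROXY_IP, dport=PROXY_PORT, dnat=True)
    return dict(pkt, dnat=False)


def forward(pkt, state):
    """filter FORWARD (evaluated after DNAT): policy DROP, then the two rules."""
    if state in ("RELATED", "ESTABLISHED"):      # rule 1
        return "ACCEPT"
    if (pkt["proto"] == "tcp" and pkt["dport"] == PROXY_PORT
            and pkt["dst"] == PROXY_IP
            and ipaddress.ip_address(pkt["src"]) in LAN):  # rule 2
        return "ACCEPT"
    return "DROP"                                # chain policy


def verdict(pkt, state="NEW"):
    """Run one packet through PREROUTING then FORWARD; return (packet, verdict)."""
    rewritten = prerouting(pkt)
    return rewritten, forward(rewritten, state)


def tcp(src, dst, dport):
    return {"src": src, "dst": dst, "proto": "tcp", "dport": dport}


# Constructed sample flows (addresses are placeholders, not from the thread).
SAMPLES = [
    ("client http (new)",      tcp("192.168.40.20", "203.0.113.7", 80),  "NEW"),
    ("client https (new)",     tcp("192.168.40.20", "203.0.113.7", 443), "NEW"),
    ("client https (reply)",   tcp("203.0.113.7", "192.168.40.20", 443), "ESTABLISHED"),
    ("proxy fetching origin",  tcp(PROXY_IP, "203.0.113.7", 80),         "NEW"),
]


def evaluate_samples():
    """Return {label: (dnat applied?, final dst, final dport, verdict)}."""
    out = {}
    for label, pkt, state in SAMPLES:
        p, v = verdict(pkt, state)
        out[label] = (p["dnat"], p["dst"], p["dport"], v)
    return out


if __name__ == "__main__":
    for label, row in evaluate_samples().items():
        print(f"{label:24} dnat={row[0]!s:5} -> {row[1]}:{row[2]}  {row[3]}")
```

The proxy's outbound fetch lands on the proxy itself, so with PROXY routing through the iptables box the proxy needs to be excluded from the DNAT match (or routed past the box) before the transparent setup can reach any origin server.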