It works!!!!!!!!!!!

With these three lines:

iptables -t nat -A PREROUTING -p tcp -d 172.16.0.0/16 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 10.34.0.0/16 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i ! eth0 --dport 80 -j REDIRECT --to-port 3128

Thank you to all!!!!

Elvis

-----Original Message-----
From: Jason Opperisano [mailto:Jopperisano@xxxxxxxxxxxxxxxx]
Sent: Wednesday, August 11, 2004 14:12
To: Elvis Aaron Presley; Netfilter
Subject: RE: Newbie in a deep trouble!!!

>
> First I put this:
>
> iptables -t nat -A PREROUTING -p tcp -d ! 172.16.0.0/16 --dport 80 -j REDIRECT --to-port 3128
>
> Ok with this, the 10.34.x.x pcs can access the internet through the
> proxy and can view the web pages of the 172.16.x.x pcs ... It works!!!
>
> Then I put this:
>
> iptables -t nat -A PREROUTING -p tcp -d ! 10.34.0.0/16 --dport 80 -j REDIRECT --to-port 3128
>
> With this, the 172.16.x.x pcs can access the internet through the
> proxy and can view the web pages of the 10.34.x.x pcs ... It works
> too!!!
>
> These commands work separately, but when I put the two at the same time it
> doesn't work.

it's because 10.34.0.0/16 matches "-d ! 172.16.0.0/16" and 172.16.0.0/16 matches "-d ! 10.34.0.0/16"

> Can anybody help me please????

i can try. your PREROUTING rules should be, in order:

iptables -t nat -A PREROUTING -p tcp -d 172.16.0.0/16 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 10.34.0.0/16 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i ! eth0 --dport 80 -j REDIRECT --to-port 3128

which allows traffic to 172.16.0.0/16 and 10.34.0.0/16 to pass without going through the squid proxy, and anything else received on either eth2 or eth1 to get redirected to the squid cache.

-j
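
An added example, not part of the original thread: a small first-match simulation of the nat PREROUTING chain for TCP port 80, comparing the two negated rules loaded together against the ordered rules from the reply. Assumptions: the chain policy is ACCEPT, the sample packets are constructed, and the pairing of eth1/eth2 with the two subnets is a guess that does not affect the verdicts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplified model of the nat PREROUTING chain for TCP packets to port 80.
# Only the match options used in the thread are modelled: -d, -d !, -i !.

@dataclass
class Rule:
    target: str                          # "ACCEPT" or "REDIRECT"
    dst: Optional[str] = None            # -d <network>
    dst_negated: bool = False            # True for "-d ! <network>"
    not_in_iface: Optional[str] = None   # "-i ! <iface>"

    def matches(self, dst_ip: str, in_iface: str) -> bool:
        if self.dst is not None:
            inside = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
            if inside == self.dst_negated:   # plain -d needs inside, -d ! needs outside
                return False
        if self.not_in_iface is not None and in_iface == self.not_in_iface:
            return False
        return True

def verdict(chain, dst_ip: str, in_iface: str) -> str:
    """First matching rule decides; no match falls through to policy ACCEPT (assumed)."""
    for rule in chain:
        if rule.matches(dst_ip, in_iface):
            return rule.target
    return "ACCEPT"

# The two negated rules loaded together (the setup that did not work).
BOTH_NEGATED = [
    Rule("REDIRECT", dst="172.16.0.0/16", dst_negated=True),
    Rule("REDIRECT", dst="10.34.0.0/16", dst_negated=True),
]
# The ordered rules from the reply.
ORDERED = [
    Rule("ACCEPT", dst="172.16.0.0/16"),
    Rule("ACCEPT", dst="10.34.0.0/16"),
    Rule("REDIRECT", not_in_iface="eth0"),
]
# Constructed sample packets: (destination IP, incoming interface).
SAMPLES = [("172.16.5.10", "eth1"), ("10.34.1.1", "eth2"),
           ("203.0.113.7", "eth1"), ("203.0.113.7", "eth0")]

def compare():
    return [(dst, iface, verdict(BOTH_NEGATED, dst, iface), verdict(ORDERED, dst, iface))
            for dst, iface in SAMPLES]

if __name__ == "__main__":
    for row in compare():
        print("dst=%-12s in=%s  both-negated=%-8s ordered=%s" % row)
```

With both negated rules loaded, every sample is redirected to the proxy, because any destination is outside at least one of the two networks. With the ordered rules, only the non-local destination arriving on an interface other than eth0 is redirected.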