> -t nat -A PREROUTING -i eth0 -d ! $INT_ROUTER_IP -p tcp --dport 80 -j REDIRECT --to-ports 3128
> -A INPUT -i eth0 -d $INT_ROUTER_IP -p tcp --dport 3128 -j REJECT
>

The TCP SYN has an external IP as dst_ip. The TCP SYN to port 80 has the dst IP of the web server on the internet; the redirected packet to TCP port 3128 has the dst IP of the redirected interface (eth0 in this case). Your suggested REJECT rule will reject all redirected traffic to port 3128, which is essentially the issue the OP had already run into and was asking for a work-around for.

-j
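One way to keep redirected traffic while still rejecting direct connections to the proxy port, as an added example that is not from either poster in this thread: match on conntrack's record of the original destination (the DNAT virtual state) instead of the rewritten header, since after REDIRECT the header dst is always the eth0 address. Assumes iptables with the conntrack match, a proxy listening on 3128, and INT_ROUTER_IP (placeholder 192.0.2.1 here) being eth0's primary address.

```shell
#!/bin/sh
# Added example (not from the thread). Set IPT=echo to preview the rules
# without touching the firewall; INT_ROUTER_IP below is a constructed
# placeholder for the eth0 primary address.
IPT="${IPT:-iptables}"
INT_ROUTER_IP="${INT_ROUTER_IP:-192.0.2.1}"

proxy_rules() {
    # nat PREROUTING: REDIRECT rewrites the dst IP to eth0's primary
    # address and the dst port to 3128, so the filter table never sees
    # the web server's IP in the header.
    $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
        ! -d "$INT_ROUTER_IP" -j REDIRECT --to-ports 3128

    # filter INPUT: conntrack still knows the original destination.
    # The DNAT virtual state matches only when the original dst differs
    # from the reply source, i.e. only the redirected connections.
    $IPT -A INPUT -i eth0 -p tcp --dport 3128 \
        -m conntrack --ctstate DNAT -j ACCEPT

    # Everything else on eth0 for 3128 was addressed to the proxy
    # directly (original dst == INT_ROUTER_IP) and is rejected.
    $IPT -A INPUT -i eth0 -p tcp --dport 3128 -j REJECT
}

# Apply only when explicitly asked, so sourcing the file is harmless.
case "${1:-}" in
    apply) proxy_rules ;;
esac
```

Run as `IPT=echo sh proxy_rules.sh apply` to print the three rules, or as root with `apply` to install them; rule order matters, the ACCEPT must precede the REJECT.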