I think the error is in your first two rules for the PREROUTING chain in the NAT table:

#-A PREROUTING -p tcp -m multiport --dports http,https,squid,svn,http-alt,webcache -j REDIRECT --to-port 8081
#-A PREROUTING -p tcp -m multiport --dports http,https,squid,svn,http-alt,webcache -j DNAT --to 192.168.1.1:8081

All web traffic will only hit the first rule and never the second. So the destination IP address doesn't get changed. A packet for 1.2.3.4 on port 80 will be redirected to 1.2.3.4 port 8081.

I think you should try something like this. Have the Apache proxy listen on localhost (127.0.0.1) port 8081:

# eth0 = internal NIC
iptables -t nat -A PREROUTING -p tcp -i eth0 -m multiport --dports http,https,squid,svn,http-alt,webcache -j REDIRECT --to-ports 8081

-Sietse

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Nicolas Mailhot
Sent: Sunday, June 04, 2006 10:10 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Transparent proxy setup with apache on the nat gateway

Hi,

I'm currently setting up a small LAN. The target hosts will be Windows laptops, so all the smarts are in a single FC5 Linux box connected to cable internet.

So far I've managed to set up pretty much everything I needed (dns, dhcp, nat, smtp, webmail, spam-filter...) but I'm stuck on the transparent proxy stage. I've got the gateway apache configured as proxy on the lan-facing IP, and it works when configured manually in the laptop browsers, but I'm not getting any further.

All the docs on the internet seem to focus on the squid-on-another-box scenario, and I'm failing to adapt them to my setup. Can anyone help me? (A big plus would be to make apache transparent proxy for the gateway itself, as it will double up as my own system.)

I've attached my current iptables rules if it can help.

Regards,

-- 
Nicolas Mailhot
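
The first-match behaviour described in the reply at the top of this thread, as an added example that is not part of either message: a small checker that reads iptables-save style `-A` lines for one table and reports rules that can never be reached because an earlier terminating rule in the same chain matches at least the same packets. It goes slightly beyond the thread's case by also flagging rules hidden behind a more general earlier rule; the function names and rules 3 and 4 of the sample are constructed for illustration.

```python
import shlex

# Targets that stop traversal of a nat-table chain for a matching packet.
TERMINATING = {"REDIRECT", "DNAT", "SNAT", "MASQUERADE", "NETMAP",
               "ACCEPT", "DROP", "RETURN"}

def parse_rule(line):
    """Split an iptables-save '-A' line into (chain, match options, target)."""
    tokens = shlex.split(line)
    j = tokens.index("-j")
    opts, negate = [], False
    for tok in tokens[:j]:
        if tok == "!":                      # negation applies to the next token
            negate = True
            continue
        tok, negate = ("! " + tok if negate else tok), False
        if tok.lstrip("! ").startswith("-"):
            opts.append([tok])              # new option, e.g. -p or --dports
        else:
            opts[-1].append(tok)            # value of the current option
    chain = next(o[1] for o in opts if o[0] == "-A")
    match = frozenset(tuple(o) for o in opts if o[0] != "-A")
    return chain, match, tokens[j + 1]

def find_shadowed(lines):
    """Return (rule_no, shadowing_rule_no) pairs, 1-based, for one table."""
    terminal, shadowed = [], []
    for n, line in enumerate(lines, 1):
        chain, match, target = parse_rule(line)
        # An earlier terminating rule whose options are a subset of this
        # rule's options matches every packet this rule could match.
        hit = next((m for c, prev, m in terminal
                    if c == chain and prev <= match), None)
        if hit is not None:
            shadowed.append((n, hit))
        elif target in TERMINATING:
            terminal.append((chain, match, n))
    return shadowed

RULES = [
    # Rules 1-2: the two rules quoted in the reply, leading '#' removed.
    "-A PREROUTING -p tcp -m multiport --dports http,https,squid,svn,http-alt,webcache -j REDIRECT --to-port 8081",
    "-A PREROUTING -p tcp -m multiport --dports http,https,squid,svn,http-alt,webcache -j DNAT --to 192.168.1.1:8081",
    # Rules 3-4: constructed for this example.
    "-A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 192.168.1.1:2525",
    "-A POSTROUTING -o eth1 -j MASQUERADE",
]

if __name__ == "__main__":
    for rule_no, by in find_shadowed(RULES):
        print(f"rule {rule_no} is never reached: rule {by} matches first")
```

On a live gateway the same condition shows up as a rule whose packet counter stays at zero in `iptables -t nat -L PREROUTING -v -n --line-numbers`.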