From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>

Thanks for the quick response :-

> Most common failure like this requires 'you need to patch the kernel', but
> it sounds like that's been done.

Yup, this has been done.

> Next step is seeing what tcpdump shows about the two types of traffic.
> And possibly what type of router/balancer is doing the splitting?

This has been done too. Very clearly, tcpdump shows that for the non-NATed leg the identity of the original requests has been spoofed, but the bad thing is that it also spoofed the NATed leg as well, despite there being a POSTROUTING rule to do SNAT in the nat table. It seems to me the 'tproxy' directive in squid makes the iptables nat POSTROUTING SNAT useless!

> PS. Do you HAVE to use tproxy?

YES. It works if I don't use it together with nat.

> If the NATing isn't a problem you could use
> a plain intercepting/transparent proxy and have remote sources down both
> streams see the squid IP as the source of requests.

That will be undesirable for the non-NATed leg, because the traffic will head towards a firewall that will screen/filter the outgoing traffic based on the source IPs.