On Fri, 2008-03-28 at 22:04 +0100, admin@xxxxxx wrote:
> Hello,
>
> I'm using Squid Cache: Version 2.6.STABLE18
>
> Is there a possibility to use it as a fully transparent proxy (with tproxy) but
> without bridging interfaces?

Yes, but you must make sure the proxy sees all HTTP traffic in both
directions (both outgoing requests and incoming responses).

> to routers a,b... are connected clients. On those routers I have DNAT
> --to-destination squid:80

Don't DNAT on the other routers; instead policy route the connections
using CONNMARK and ip policy rules, i.e. something like the following on
the client routers:

  iptables -t mangle -A PREROUTING -i clientinterface -m state --state NEW -p tcp --dport 80 -j CONNMARK --set-mark 1
  iptables -t mangle -A PREROUTING -i clientinterface -j CONNMARK --restore-mark
  ip route add table 100 default via ip.of.squid.server
  ip rule add fwmark 1 lookup 100

And on the upstream router (router 0) similar rules routing incoming
packets with source port 80 to the proxy server instead of the client:

  iptables -t mangle -A PREROUTING -i insideinterface -m state --state NEW -p tcp --dport 80 -j CONNMARK --set-mark 1
  iptables -t mangle -A PREROUTING -i outsideinterface -j CONNMARK --restore-mark
  ip route add table 100 default via ip.of.squid.server
  ip rule add fwmark 1 lookup 100

Regards
Henrik
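
The following check is an added example, not part of the original message: a shell function that reads saved output of `iptables-save -t mangle`, `ip rule show` and `ip route show table N` and confirms that the mark set on port-80 connections is restored onto packets, matched by an ip rule, and routed through a default route in that table. The sample text, the interface name eth1, the address 192.0.2.10 and the function name check_policy_routing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample output (not captured from a real router); eth1 and 192.0.2.10 are made up.
# Assumption: iptables-save prints "--set-mark 1" as "--set-xmark 0x1/0xffffffff".
SAMPLE_MANGLE='*mangle
-A PREROUTING -i eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j CONNMARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i eth1 -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT'
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
SAMPLE_ROUTES='default via 192.0.2.10 dev eth0'

# check_policy_routing MANGLE RULES ROUTES TABLE (hypothetical helper)
# Prints "ok: ..." or a one-line diagnosis; returns 0 only when all parts agree.
check_policy_routing() {
    mangle=$1; rules=$2; routes=$3; table=$4
    # Mark placed on NEW tcp/80 connections (accepts --set-mark and --set-xmark).
    mark=$(printf '%s\n' "$mangle" |
        sed -n 's/.*--dport 80 .*-j CONNMARK --set-x\{0,1\}mark \([0-9a-fA-Fx]*\).*/\1/p' | head -n 1)
    [ -n "$mark" ] || { echo "no CONNMARK set-mark rule for tcp dport 80"; return 1; }
    mark=$(($mark))   # normalise 0x1 and 1 to the same number
    # ip rules match the packet mark, so the connection mark must be copied back.
    printf '%s\n' "$mangle" | grep -q -e '-j CONNMARK --restore-mark' ||
        { echo "connection mark is never restored onto packets"; return 1; }
    # First ip rule that selects on fwmark and looks up the requested table.
    rule_mark=$(printf '%s\n' "$rules" | awk -v t="$table" '{
        m = ""; l = ""
        for (i = 1; i < NF; i++) {
            if ($i == "fwmark") m = $(i + 1)
            if ($i == "lookup") l = $(i + 1)
        }
        if (l == t && m != "") { print m; exit }
    }')
    [ -n "$rule_mark" ] || { echo "no fwmark rule points at table $table"; return 1; }
    rule_mark=${rule_mark%%/*}   # drop an optional /mask suffix
    [ $(($rule_mark)) -eq "$mark" ] ||
        { echo "ip rule matches fwmark $(($rule_mark)) but iptables sets $mark"; return 1; }
    printf '%s\n' "$routes" | grep -q '^default via ' ||
        { echo "table $table has no default route to the proxy"; return 1; }
    echo "ok: mark $mark -> table $table"
}

check_policy_routing "$SAMPLE_MANGLE" "$SAMPLE_RULES" "$SAMPLE_ROUTES" 100
```

On a live router the three text arguments would come from the corresponding commands, run on each client router and on the upstream router.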