Thanks so much for the replies. I haven't had a chance to test whether the: iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j ACCEPT will solve my interception problem yet. I worked on the server for a few days while it was down and have new and bigger problems now. Where's the nearest pile of sand :( I built BIND, since our DNS queries are one of the biggest problems. It's set up as a caching nameserver only. I started getting 111 connection refused errors from squid on most links. Watching the logs, I discovered that squid was following the timing of BIND's error of: timeout, disabling EDNS. I remember from some point in the past someone mentioning that BIND (latest) will do this if ipv6 is not configured, and someone else mentioning that building it with --disable-ipv6 was the answer. I have no ipv6 support in the kernel or any apps I've built. Are the EDNS errors from bind killing squid requests (about 2 seconds)? Is disabling ipv6 in the BIND build the solution? How do I enable about a 30 second timeout for all DNS requests? I have been all over the bind manual, but this stuff isn't in there (nudge, BIND writers). I know this is the squid list, but in this case they're joined at the hip. I am now isolated from the server for a few days, but will be expected to return with answers. Any help is MUCH appreciated. I will post my squid.conf, named.conf, and rc.iptables next time around if needed. If I don't return with things ready to go I'll be tarred, feathered, and thrown out into the desert to swelter and rot (only slightly exaggerating). Thanks, Jason
