So I may have an iptables problem...

This is what I get in dmesg when I put in my iptables rules:

[ 376.170216] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 376.272658] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
[ 376.272673] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.

These are the iptables rules that I am using, copied straight from the wiki:

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

I also do the following:

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

Am I missing a step? I would suspect that after I do all of this I would at least see some packets hitting the box on 3129.

Thanks,
--Joe

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx]
Sent: Monday, November 02, 2009 8:52 PM
To: Roth, Joe
Cc: Amos Jeffries; squid-users@xxxxxxxxxxxxxxx
Subject: RE: Squid + WCCP + TProxy

Mon 2009-11-02 at 09:23 -0500, Roth, Joe wrote:
> I compiled 3.1.0.14 with the --enable-linux-netfilter option and
> installed.
> Is there any way for me to check that squid is properly enabling the
> kernel option?

The needed kernel option is enabled by iptables, not Squid. The compile + http_port options just tell Squid to query the kernel a little extra to get the actual address info. The actual intercept will work even without any of that, just that the result may not be entirely the expected..

Regards
Henrik
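
A consistency check for the mangle rules, the fwmark rule and the table 100 route listed in the message above, as an added example that is not part of the original thread or of Squid. The function name check_tproxy and the SAMPLE_* captures are constructed for illustration; the samples imitate the text printed by `iptables-save -t mangle`, `ip rule show` and `ip route show table 100`.

```shell
#!/bin/sh
# Added example: offline check that the pieces of a TPROXY setup line up.
# The SAMPLE_* values are constructed captures, not output from a real host.

SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
SAMPLE_ROUTES='local default dev lo scope host'

# check_tproxy MANGLE RULES ROUTES PORT
# Prints one line per missing piece; exit status is the number of problems.
check_tproxy() {
    mangle=$1 rules=$2 routes=$3 port=$4 bad=0
    fail() { echo "MISSING: $1"; bad=$((bad + 1)); }

    # Packets belonging to an existing local socket must be diverted and marked.
    echo "$mangle" | grep -Eq -- '^-A PREROUTING .*-m socket .*-j DIVERT' ||
        fail "socket match jumping to DIVERT"
    echo "$mangle" | grep -Eq -- '^-A DIVERT .*-j MARK' ||
        fail "MARK rule in DIVERT"
    # New port-80 connections must be handed to the proxy port.
    echo "$mangle" | grep -Eq -- "^-A PREROUTING .*--dport 80 .*-j TPROXY .*--on-port $port( |\$)" ||
        fail "TPROXY rule for port 80 -> $port"
    # Marked packets must be routed through table 100 and delivered locally.
    echo "$rules" | grep -Eq 'fwmark (0x)?1 lookup 100' ||
        fail "ip rule: fwmark 1 lookup 100"
    echo "$routes" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo' ||
        fail "local default route on lo in table 100"
    return "$bad"
}
```

On a live box the three arguments would be "$(iptables-save -t mangle)", "$(ip rule show)" and "$(ip route show table 100)", with 3129 as the port. The check covers only the netfilter and routing pieces quoted in the message, not rp_filter, ip_forward or the Squid configuration.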