Make sure you have set up triangle routing correctly. Does your Squid act as a bridge? Or as a router/gateway with dual Ethernet interfaces? Or as a standalone server with a single Ethernet interface?

Options 1 and 2 don't need routing setup; incoming and outgoing traffic must hit the Squid box. But for option 3, you should set up your router to make sure outgoing traffic to port 80 hits the Squid box first and is then forwarded to the internet, and that the reply traffic from the internet comes back to the Squid box before being forwarded to the client.

2010/4/1 Kurt Sandstrom <sandmanaz@xxxxxxxxx>:
> I have the following in startup....
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> The output of ip route show table 100: local default dev lo scope host
>
> One other thing is strange, my PREROUTING rules in mangle don't load
> in my script. I have to manually add them. Timing issue perhaps?
>
> Startup script loaded from rc.local:
>
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
> ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
> ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
> cd /proc/sys/net/bridge/
> for i in *
> do
>     echo 0 > $i
> done
> unset i
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
>
> 2010/3/31 Henrik Nordström <henrik@xxxxxxxxxxxxxxxxxxx>:
>> Wed 2010-03-31 at 09:47 -0700, Kurt Sandstrom wrote:
>>> I have been unable to get TPROXY working correctly with squid. I have
>>> used the steps in http://wiki.squid-cache.org/Features/Tproxy4 and
>>> rechecked everything.
>>>
>>
>> I did not see your routing setup in the data you dumped. Without the
>> routing configured then TPROXY won't intercept, just route like normal..
>>
>> http://wiki.squid-cache.org/Features/Tproxy4#Routing_configuration
>>
>> Regards
>> Henrik
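
An added example, not part of the thread above: a check that the policy-routing rule, the table 100 local route, and the mangle PREROUTING rules from the quoted startup script are all actually in place, which is the state the replies ask about. The function names and the sample command output are constructed for illustration; mark 1, table 100 and port 3129 are taken from the quoted script.

```shell
#!/bin/sh
# Added example, not from the thread: verify the TPROXY prerequisites it discusses.
# Each check reads command output on stdin, so it can run on captured text.

# `ip rule show`: a fwmark 1 rule must send marked packets to table 100.
has_fwmark_rule() { grep -Eq 'fwmark 0x1(/0x[0-9a-f]+)? lookup 100'; }

# `ip route show table 100`: everything must be delivered locally via lo.
has_local_route() { grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'; }

# `iptables -t mangle -S`: packets for existing proxy sockets go to DIVERT ...
has_divert_rule() { grep -Eq -- '^-A PREROUTING .*-m socket .*-j DIVERT'; }

# ... and new port-80 connections go to TPROXY on Squid's port 3129.
has_tproxy_rule() {
    grep -E -- '^-A PREROUTING .*--dport 80 .*-j TPROXY' | grep -q -- '--on-port 3129'
}

# Args: ip-rule output, table-100 output, mangle rules. Prints what is missing.
tproxy_missing() {
    missing=""
    printf '%s\n' "$1" | has_fwmark_rule || missing="$missing fwmark-rule"
    printf '%s\n' "$2" | has_local_route || missing="$missing local-route"
    printf '%s\n' "$3" | has_divert_rule || missing="$missing divert-rule"
    printf '%s\n' "$3" | has_tproxy_rule || missing="$missing tproxy-rule"
    echo "${missing# }"
}

# Constructed sample: routing is present, but the PREROUTING rules never loaded.
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
SAMPLE_TABLE='local default dev lo scope host'
SAMPLE_MANGLE='-P PREROUTING ACCEPT
-N DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT'

if [ "${1:-}" = "--live" ]; then   # needs root and the real tools
    tproxy_missing "$(ip rule show)" "$(ip route show table 100)" \
        "$(iptables -t mangle -S)"
else
    tproxy_missing "$SAMPLE_RULES" "$SAMPLE_TABLE" "$SAMPLE_MANGLE"
fi
```

Run with `--live` as root on the Squid box after boot; an empty result means all four pieces are present, and any name printed is the piece that did not load.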