Have you set up ebtables to drop the packets?

    ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
    ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

Second hint: route all your network/netmask IP addresses to the bridge device, for example:

    ip route add 192.168.100.0/24 dev br0
    ip route add 10.0.0.0/8 dev br0

BUT, if you have another router below your bridge, you should define the routing in your bridge, because your box actually acts as both bridge and router. It acts as a router because you intercept traffic to squid. So, when the kernel forwards the traffic to the network, it must know which interface to forward it to.

2010/4/2 Henrik Nordström <henrik@xxxxxxxxxxxxxxxxxxx>:
> Thu 2010-04-01 at 13:43 -0700, Kurt Sandstrom wrote:
>> The bridging is working just not redirecting to the squid. I can see
>> the counters increment for port 80 but nothing on the squid side.
>
> TPROXY has some quite peculiar requirements, and the combination with
> bridging makes those even more complex. And that is why I ask that you first
> verify your TPROXY setup in routing mode before trying the same in
> bridge mode. It's simply about isolating why things do not work for you
> instead of trying to guess if it's the bridge-iptables integration,
> ebtables, iptables TPROXY rules, routing, or whatever..
>
> Regards
> Henrik
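
An added example, not part of the original thread: a POSIX shell audit that checks a rule listing for both BROUTING DROP rules and a route listing for the per-network `dev br0` routes from the message above. The function names, the interface names eth0/eth1, and the input format (one rule per line as option tokens, plus `ip route show` style text) are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): offline audit of the bridge setup.
# Assumed input: one rule per line as option tokens, and `ip route show` text.

# has_rule RULES IFACE PORT_OPT: is there a tcp/80 DROP rule on IFACE?
has_rule() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v opt="$3" '
        {
            i = p = d = t = 0
            for (n = 1; n < NF; n++) {
                if ($n == "-i" && $(n + 1) == ifc) i = 1
                if ($n == "--ip-proto" && $(n + 1) == "tcp") p = 1
                if ($n == opt && $(n + 1) == "80") d = 1
                if ($n == "--redirect-target" && $(n + 1) == "DROP") t = 1
            }
            if (i && p && d && t) found = 1
        }
        END { exit !found }'
}

# route_on_bridge ROUTES PREFIX BRIDGE: is PREFIX routed via "dev BRIDGE"?
route_on_bridge() {
    printf '%s\n' "$1" | awk -v pfx="$2" -v br="$3" '
        $1 == pfx { for (n = 2; n < NF; n++) if ($n == "dev" && $(n + 1) == br) ok = 1 }
        END { exit !ok }'
}

# audit_bridge RULES ROUTES CLIENT_IFACE INET_IFACE BRIDGE PREFIX...
# Prints each missing item; exit status is the number of missing items.
audit_bridge() {
    rules=$1 routes=$2 client=$3 inet=$4 bridge=$5
    shift 5
    missing=0
    has_rule "$rules" "$client" --ip-dport ||
        { echo "missing: dport 80 DROP rule on $client"; missing=$((missing + 1)); }
    has_rule "$rules" "$inet" --ip-sport ||
        { echo "missing: sport 80 DROP rule on $inet"; missing=$((missing + 1)); }
    for pfx in "$@"; do
        route_on_bridge "$routes" "$pfx" "$bridge" ||
            { echo "missing: route $pfx dev $bridge"; missing=$((missing + 1)); }
    done
    return "$missing"
}

# Constructed sample input (eth0 = client side, eth1 = Internet side).
SAMPLE_RULES='-p ipv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-p ipv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP'
SAMPLE_ROUTES='192.168.100.0/24 dev br0 scope link
10.0.0.0/8 dev br0 scope link'

audit_bridge "$SAMPLE_RULES" "$SAMPLE_ROUTES" eth0 eth1 br0 \
    192.168.100.0/24 10.0.0.0/8 && echo "bridge prerequisites present"
```

On a live box the two text arguments would come from the rule and route listings of the running system; the matching is token-based, so the option order within a rule line does not matter.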