That link http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat was helpful Amos. Though instead of a mangle INPUT chain rule(as mentioned in the link) in iptables I had to add a mangle PREROUTING Chain rule in iptables as follows iptables -t mangle -A PREROUTING -p tcp -i ! lo --dport 3128 -j DROP This rule gets is allowing cachemgr access to port 3128 while deny access to port 3128 from other machines. The link http://www.faqs.org/docs/iptables/traversingoftables.html tells that mangle PREROUTING table chain is traversed first than nat PREROUTING table. DO we need to modify the text in there? Regards, Saurabh -----Original Message----- From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] Sent: Thursday, March 31, 2011 6:28 PM To: squid-users@xxxxxxxxxxxxxxx Subject: Re: Squid as only a transparent cache On 01/04/11 00:43, Saurabh Agarwal wrote: > I want Squid to behave only as a transparent caching proxy. We are making all traffic go through a bridge box which runs squid. > I want that no user can explicitly use squid as a proxy cache by configuring proxy cache settings in the browser. Only traffic that is routed through the bridge box gets transparently intercepted for caching. Okay. This is more of a firewall problem than a Squid one. Do you use iptables? I've added the "mangle" tables rules that do this to the example configuration: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat (works for DNAT, REDIRECT and TPROXY capturing). I'm not sure about other firewalls. The criteria of when the block needs to happen in the packet flow is outlined in that wiki page. Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.11 Beta testers wanted for 3.2.0.5