
RE: WCCP transparent proxy




With current versions of TPROXY you should not do REDIRECTs. You should
do something like this:

-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip <proxy server IP> --tproxy-mark 0x1/0x1

Redirects will work in some cases, but should not be used with WCCP and
recent versions of TPROXY.

My experience has been that doing a redirect alone will not always work
depending on the version of TPROXY/IPTABLES, and Cisco IOS.

YMMV,

Nick



-----Original Message-----
From: Horacio H. [mailto:pokehorace@xxxxxxxxx] 
Sent: Wednesday, October 05, 2011 9:12 AM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re:  WCCP transparent proxy

Hi,

You're missing a few things. Please review the FAQ again, here are some
hints:

1) Make sure there are no firewalls between your Squid and router
(WCCP).

2) Make sure the GRE module is loaded:

   modprobe ip_gre
   echo ip_gre >> /etc/modules

3) Create a GRE interface:

   ip tunnel add gre1 mode gre local <squid-ip-address>
   ip addr add <squid-ip-address>/32 dev gre1
   ip link set gre1 up

4) Add a redirect rule in iptables:

   iptables -t nat -A PREROUTING -i gre1 -p tcp -j REDIRECT --to-ports <squid-listening-port>

5) Make sure Squid was compiled with WCCP-v2 support.

6) WCCP-v2 squid's configuration:

   wccp2_router <router-ip-address>

7) WCCP-v2 router's configuration:

   access-list 160 deny   ip  host <squid-ip-address> any
   access-list 160 permit tcp <net> <wildcard> any eq 80

   ip wccp version 2
   ip wccp web-cache redirect-list 160

   interface FastEthernet0/0
   ip wccp web-cache redirect in

Regards,
Horacio.
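
Added example, not part of either message above: a shell function that audits iptables-save output for the points raised in this thread (a REDIRECT rule in PREROUTING, a missing TPROXY rule, the socket-match DIVERT rule placed after TPROXY, and a DIVERT mark that differs from --tproxy-mark). The function name, the finding labels, the address 192.0.2.10 and port 3128 are assumptions made for illustration, and both rule sets are constructed samples.

```shell
#!/bin/sh
# Reads iptables-save text on stdin, prints one finding per line,
# and returns 0 only when there are no findings.
audit_tproxy_rules() {
    awk '
    function val(flag,   i) {   # value that follows option "flag" on this rule
        for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
        return ""
    }
    $1 != "-A" { next }         # skip table headers, chain policies, COMMIT
    $2 == "PREROUTING" && /-j REDIRECT/ { print "REDIRECT: " $0; bad = 1 }
    $2 == "PREROUTING" && /-m socket/ && /-j DIVERT/ { if (!divert) divert = NR }
    $2 == "PREROUTING" && /-j TPROXY/ {
        if (!tproxy) tproxy = NR
        tmark = val("--tproxy-mark"); sub(/\/.*/, "", tmark)
    }
    $2 == "DIVERT" && /-j MARK/ {
        dmark = val("--set-xmark"); sub(/\/.*/, "", dmark)
    }
    END {
        if (!tproxy) { print "NO_TPROXY: no TPROXY rule in PREROUTING"; bad = 1 }
        else {
            if (!divert || divert > tproxy) {
                print "DIVERT_ORDER: socket-match DIVERT rule must precede TPROXY"; bad = 1
            }
            if ((dmark "") != (tmark "")) {   # compare as strings, mask stripped
                print "MARK_MISMATCH: DIVERT sets [" dmark "], TPROXY uses [" tmark "]"; bad = 1
            }
        }
        exit bad + 0
    }'
}

# Constructed sample: the TPROXY rule set from the reply, as iptables-save prints it.
GOOD_RULES='*mangle
:DIVERT - [0:0]
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 192.0.2.10 --tproxy-mark 0x1/0x1
COMMIT'

# Constructed sample: the REDIRECT-only setup from the quoted message.
BAD_RULES='*nat
-A PREROUTING -i gre1 -p tcp -j REDIRECT --to-ports 3128
COMMIT'

printf '%s\n' "$BAD_RULES" | audit_tproxy_rules || echo "findings reported above"
```

On a live host the input would come from iptables-save rather than the embedded samples.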



