Dear Amos,

Thanks a lot! By looking at your URL, I have entered the following commands on my squid3 machine (my HTTP service is at port 8080). The squid3 proxy machine is at 10.0.3.1, the HTTP server (noder) is at 10.0.2.1 and the HTTP client (nodes) is at 10.0.1.1:

yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -s 10.0.3.1 -p tcp --dport 8080 -j ACCEPT
yeung@nodec1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.3.1:3128
yeung@nodec1:~$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
yeung@nodec1:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP

yeung@nodec1:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  nodec1-tblink-l9     anywhere             tcp dpt:http-alt
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http-alt to:10.0.3.1:3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

yeung@nodec1:~$ sudo iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:3128

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

However, the proxy still has some problems. When we start wget from the HTTP client:

yeung@nodes:~$ wget 10.0.2.1:8080
--2012-03-04 09:31:39--  http://10.0.2.1:8080/
Connecting to 10.0.2.1:8080...
^C
yeung@nodes:~$

When we look at the tcpdump output on the squid3 machine (10.0.3.1), we see the following:

09:31:39.384558 IP nodes-links.51902 > noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022185 ecr 0,nop,wscale 6], length 0
09:31:42.379034 IP nodes-links.51902 > noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022935 ecr 0,nop,wscale 6], length 0

It seems that there was some HTTP-alt traffic coming in from the switch, but no HTTP traffic going out of the squid3 machine.

I am really sorry for continuing this problem.

Best regards!

On Fri, Mar 2, 2012 at 7:39 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 3/03/2012 12:51 p.m., pplive wrote:
>>
>> Dear all,
>>
>> I try to configure a transparent web proxy through squid 3, here is
>> the network topology
>>
>> Users -> Switch -> Internet
>>
>> Users means a couple of PCs, all of them have public IP, all of them
>> are connected to a switch. One PC among them is designed to be a proxy
>> machine. The switch is programmable, thus for the TCP packets with
>> destination port 80, it can be re-directed to the proxy machine.
>> For other packets, it will be forwarded further to the Internet. The
>> programmable switch has been tested and works well.
>>
>> The proxy machine has squid3 installed, the listening port is 3128,
>> and we have configured 'http_port 3128 transparent' in squid.conf. One
>> problem is this machine has only one NIC (eth0), thus we can not use
>> the method proposed in
>>
>> http://freecode.com/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables
>> (using a bridge)
>>
>> I have tried several iptables settings, such as
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
>> --to-port 3128
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to
>> xx.yy.zz.ii:3128
>>
>> Neither of them works.
>
>
> There are several other iptables rules involved, along with sysctl
> requirements. See
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>
> The Squid 3.1 option is "intercept" for NAT interception proxy. Transparent
> proxy is something else.
>
> If you have any other problems after fixing all that, check the switch is
> bypassing the redirect when the packets for port 80 come *out* of the squid
> box.
>
> Amos
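As an added example (not part of this thread or of Squid), here is a small Python check for the symptom reported above: it parses tcpdump lines in the format quoted in the message and reports one-way flows that consist only of SYNs with no packet ever coming back in the reverse direction, flagging identical sequence numbers as client retransmits. The first two sample lines are the ones from the message; the third flow (a completed handshake) is constructed for contrast.

```python
import re
from collections import defaultdict

# Constructed capture in the format of the tcpdump output quoted in the thread.
# The first two lines are the ones from the message (the same SYN sent twice,
# never answered); the third flow is made up to show a completed handshake.
SAMPLE = """\
09:31:39.384558 IP nodes-links.51902 > noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022185 ecr 0,nop,wscale 6], length 0
09:31:42.379034 IP nodes-links.51902 > noder-linkr.http-alt: Flags [S], seq 2501418596, win 5840, options [mss 1460,sackOK,TS val 38022935 ecr 0,nop,wscale 6], length 0
09:31:50.000001 IP nodes-links.51903 > noder-linkr.http-alt: Flags [S], seq 100, win 5840, options [mss 1460], length 0
09:31:50.000200 IP noder-linkr.http-alt > nodes-links.51903: Flags [S.], seq 200, ack 101, win 5792, options [mss 1460], length 0
09:31:50.000300 IP nodes-links.51903 > noder-linkr.http-alt: Flags [.], ack 1, win 92, length 0
"""

# Host and port are separated by the last '.', so the greedy \S+ backtracks to it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+))?"
)


def parse(capture):
    """Return one dict per TCP line: ts, src, sport, dst, dport, flags, seq (seq may be None)."""
    return [m.groupdict() for m in map(LINE_RE.match, capture.splitlines()) if m]


def unanswered_syns(capture):
    """Map 'src:sport -> dst:dport' to (syn_count, retransmitted) for flows that
    only ever sent SYNs and never received a packet in the reverse direction."""
    seen = defaultdict(list)  # one-way flow key -> list of (flags, seq)
    for p in parse(capture):
        seen[(p["src"], p["sport"], p["dst"], p["dport"])].append((p["flags"], p["seq"]))
    stuck = {}
    for (src, sport, dst, dport), pkts in seen.items():
        reply_seen = (dst, dport, src, sport) in seen
        only_syns = all(flags == "S" for flags, _ in pkts)
        if only_syns and not reply_seen:
            # identical sequence numbers mean the client is retransmitting, not opening new connections
            retransmitted = len(pkts) > 1 and len({seq for _, seq in pkts}) == 1
            stuck[f"{src}:{sport} -> {dst}:{dport}"] = (len(pkts), retransmitted)
    return stuck


if __name__ == "__main__":
    for flow, (n, retrans) in unanswered_syns(SAMPLE).items():
        print(f"{flow}: {n} SYN(s), no reply{' (retransmits)' if retrans else ''}")
```

Run it against `tcpdump -nn -i eth0 tcp port 8080 or tcp port 3128` output saved from the proxy box; a flow listed here means the intercepted SYN arrived but nothing was sent back on either port.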