On 18/07/2014 7:25 a.m., Nicolás wrote:
> Ok, I'll try to explain the scenario again and in more detail (I remark
> that I'm using this guide which states that it should work for public IP
> addresses: http://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource):
>
> Client side: Has public IP address A.B.C.D
> Server side: Has public IP address E.F.G.H
>
> On the client side, I added the following iptables rule:
>
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination
> E.F.G.H:3128

Okay. The situation seems clear now.

This rule is capturing both the client UA output traffic and Squid output
traffic. You need the rule omitting Squid from being captured. The config
example should have mentioned it, I have added that now.

  iptables -t nat -A OUTPUT --match owner --uid-owner proxy -p tcp --dport 80 -j ACCEPT

Note the one you tried earlier and failed was in PREROUTING, not OUTPUT.
This should be the correct one.

NP: you could also use REDIRECT instead of DNAT if you want to avoid
figuring out the server/client "side" IP address issues. But try the above
iptables rule in your existing config first to confirm if it works before
moving on to that change.

<snip>

> access.log:
>
> 1405623902.957 0 A.B.C.D TCP_MISS/403 4300 GET http://google.es/ - HIER_NONE/- text/html
> 1405623902.958 1 A.B.C.D TCP_MISS/403 4419 GET http://google.es/ - HIER_DIRECT/E.F.G.H text/html
>

Note that these are in order of completion rather than order of initiation.
The second line is the first request (client->server intercepted into Squid),
the first line is the squid->server looped request.

Amos
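As an added illustration (not part of Amos's or Nicolás's messages), a small Python simulation of how the nat OUTPUT chain treats the browser's packets and Squid's own onward packets with and without the owner-match exception, and why the exception must sit before the DNAT rule. The uid 13 for the `proxy` user and uid 1000 for the browser are assumptions; E.F.G.H:3128 is the placeholder from the thread.

```python
# Constructed simulation of iptables nat OUTPUT evaluation: first matching
# rule wins, DNAT and ACCEPT are both terminating targets.
from dataclasses import dataclass

SQUID_IP, SQUID_PORT = "E.F.G.H", 3128   # placeholder values from the thread
PROXY_UID = 13                           # assumption: Debian 'proxy' user
BROWSER_UID = 1000                       # assumption: the user running the UA


@dataclass
class Packet:
    uid: int        # owner of the local socket that generated the packet
    dst_ip: str
    dport: int


def dnat_rule(target_ip, target_port):
    """-A OUTPUT -p tcp --dport 80 -j DNAT --to-destination ip:port"""
    return lambda p: ("DNAT", (target_ip, target_port)) if p.dport == 80 else None


def owner_accept_rule(uid):
    """-A OUTPUT --match owner --uid-owner <uid> -p tcp --dport 80 -j ACCEPT"""
    return lambda p: ("ACCEPT", None) if (p.uid, p.dport) == (uid, 80) else None


def nat_output(rules, pkt):
    """Walk the chain in order; no match means the packet leaves unchanged."""
    for rule in rules:
        verdict = rule(pkt)
        if verdict is None:
            continue
        action, target = verdict
        return Packet(pkt.uid, *target) if action == "DNAT" else pkt
    return pkt


def trace(rules, max_hops=5):
    """Destinations seen as one browser request is intercepted and Squid
    then makes its own onward request; stops early once it leaves the box."""
    hops, pkt = [], Packet(BROWSER_UID, "google.es", 80)
    for _ in range(max_hops):
        out = nat_output(rules, pkt)
        hops.append((out.dst_ip, out.dport))
        if (out.dst_ip, out.dport) != (SQUID_IP, SQUID_PORT):
            break                        # went direct to the origin server
        pkt = Packet(PROXY_UID, "google.es", 80)   # Squid's onward request
    return hops


LOOPING = [dnat_rule(SQUID_IP, SQUID_PORT)]                          # Nicolás's rule alone
FIXED = [owner_accept_rule(PROXY_UID), dnat_rule(SQUID_IP, SQUID_PORT)]  # Amos's fix first
WRONG_ORDER = [dnat_rule(SQUID_IP, SQUID_PORT), owner_accept_rule(PROXY_UID)]
```

`trace(LOOPING)` never leaves the box (the forwarding loop behind the paired TCP_MISS/403 lines), `trace(FIXED)` reaches google.es on the second hop, and `trace(WRONG_ORDER)` loops again because DNAT is terminating and is hit first.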