For testing purposes I've reduced it to the following:

    http_port 3128 intercept
    #dns_v4_first on
    dns_nameservers 10.8.2.3 194.168.4.100 10.8.2.2 8.8.8.8
    acl wifi src 10.8.14.0/24
    acl all src all
    http_access allow all
    maximum_object_size 1 GB
    minimum_object_size 0 KB
    maximum_object_size_in_memory 4 MB
    cache_mem 1700 MB
    cache_dir aufs /var/cache/squid 40000 32 512
    coredump_dir /var/cache/squid
    access_log /var/log/squid/access.log squid
    cache_log /var/log/squid/cache.log
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
    cache_effective_user asd
    cache_effective_group asd
    cache_mgr jsayce@xxxxxxxxxxxxxxx
    forwarded_for off

The version is 3.5.12.

Okay. Sorry, to clarify with a specific example. Let's say I'm contacting http://1.1.1.1/. Then the ack packet starts off with the client with IP address 10.8.14.9 in subnet 10.8.14.9/24 with default gateway 10.8.14.1. It's routed through my core switch to my firewall with IP 10.8.1.1. My firewall recognises that the packet has destination port 80 and is in subnet 10.8.14.0/24 and changes the destination address to be that of my proxy server 10.8.2.11. So now the ack packet has source 10.8.14.9 and destination 10.8.2.11. How does iptables know to reply to my client 10.8.14.9 with source address 1.1.1.1? Does iptables know to read the header?

Thanks

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
Sent: 07 September 2016 10:27
To: 'squid-users@xxxxxxxxxxxxxxxxxxxxx'
Subject: Re: Transparent Proxy

On Wednesday 07 September 2016 at 10:51:49, John Sayce wrote:

> I believe so. The specific command I used was:
>
> iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>
> (For some reason my adapter is ens33, I have no idea why it's not eth0.
> Squid is set to run on 3128.)

That looks okay, then.
> It's fair to say I have almost no experience with iptables. Is it
> iptables that should be doing the address translation?

Yes - the rule above tells the machine to take any packet addressed to port 80 on any address and send it instead to the local machine (REDIRECT changes the destination address to 127.0.0.1, even though that's not obvious) and port 3128.

> when the packet is sent back to the client?

Correct. IPtables' address translation rules are automatically symmetrical - when a packet gets translated in one direction, a record is kept that it was done, and then the reply packet is automatically reverse-translated when it comes back in the other direction.

This is true no matter whether packets are going *through* the IPtables machine (ie: it's acting as a router), or whether they're being processed *on* the IPtables machine (as in this case).

I think we need to know more about your squid setup. Please tell us which version of squid you are using, and post here your squid.conf file without comments or blank lines.

Antony.

--
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

Please reply to the list; please *don't* CC me.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
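As an added illustration of the symmetry Antony describes (this is a simulation written for this page, not code from the thread, from squid or from netfilter), the following Python model walks John's packet through both NAT hops: the firewall's DNAT of port-80 traffic from 10.8.14.0/24 to the proxy 10.8.2.11, then the proxy's REDIRECT to port 3128 (modelled as 127.0.0.1, as in Antony's description). Each host keeps a conntrack-style record keyed on the reply it expects, and the reply from squid is reverse-translated hop by hop until the client sees it coming from 1.1.1.1:80. The client source port 40000, the host names and the assumption that the proxy's replies route back through the firewall are constructed for the example.

```python
"""Simplified model of symmetric NAT across two iptables hosts.

Not real netfilter behaviour: a real conntrack entry is keyed on the full
5-tuple including protocol, has timeouts and TCP state, and REDIRECT uses the
incoming interface's primary address for forwarded packets. Addresses and
ports come from the squid-users thread; everything else is assumed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def as_tuple(self):
        return (self.src, self.sport, self.dst, self.dport)


class NatHost:
    """One machine holding a single 'nat PREROUTING' rule and a conntrack table.

    match_src: source network the rule applies to (None = any source), like
    the firewall's "port 80 and from 10.8.14.0/24" policy in the thread.
    """

    def __init__(self, name, match_dport, new_dst, new_dport, match_src=None):
        self.name = name
        self.match_dport = match_dport
        self.new_dst = new_dst
        self.new_dport = new_dport
        self.match_src = ipaddress.ip_network(match_src) if match_src else None
        # conntrack: tuple the reply will carry -> original (pre-NAT) packet
        self.conntrack = {}

    def prerouting(self, pkt):
        """Translate an inbound packet if the rule matches and record it."""
        if pkt.dport != self.match_dport:
            return pkt
        if self.match_src and ipaddress.ip_address(pkt.src) not in self.match_src:
            return pkt
        out = Packet(pkt.src, pkt.sport, self.new_dst, self.new_dport)
        # The reply will travel from new_dst:new_dport back to the client.
        reply_key = (out.dst, out.dport, out.src, out.sport)
        self.conntrack[reply_key] = pkt
        return out

    def reverse(self, pkt):
        """Un-translate a reply from the recorded state; no rule is consulted."""
        orig = self.conntrack.get(pkt.as_tuple())
        if orig is None:
            return pkt
        # Put the original destination back as the reply's source.
        return Packet(orig.dst, orig.dport, pkt.dst, pkt.dport)


def trace(client_src="10.8.14.9", client_sport=40000, server="1.1.1.1"):
    """Return (label, packet) pairs for the request and reply path."""
    firewall = NatHost("firewall 10.8.1.1", 80, "10.8.2.11", 80,
                       match_src="10.8.14.0/24")   # constructed policy
    proxy = NatHost("proxy 10.8.2.11", 80, "127.0.0.1", 3128)  # REDIRECT rule
    path = [firewall, proxy]

    # Forward direction: the client's SYN towards 1.1.1.1:80.
    pkt = Packet(client_src, client_sport, server, 80)
    hops = [("client sends", pkt)]
    for host in path:
        pkt = host.prerouting(pkt)
        hops.append((f"after {host.name}", pkt))

    # squid (127.0.0.1:3128) answers; the reply walks back through both hosts
    # (assumes the proxy's route to 10.8.14.0/24 goes via the firewall).
    reply = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)
    hops.append(("squid replies", reply))
    for host in reversed(path):
        reply = host.reverse(reply)
        hops.append((f"after {host.name}", reply))
    return hops


def client_sees(hops):
    """The final packet on the return path, as the client receives it."""
    return hops[-1][1]


if __name__ == "__main__":
    for label, p in trace():
        print(f"{label:26s} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

The point the model makes is the one in Antony's reply: neither host needs a rule for the return direction, because the translation state recorded on the forward packet is what rewrites the reply, and this works the same whether the host is routing the packet (the firewall) or terminating it locally (the proxy). A packet that does not match the rule, for example port-80 traffic from a source outside 10.8.14.0/24, passes both directions untouched.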