RE: [squid-users] CentOS/Squid/Tproxy but no transfer
I am experiencing the same issue. Traffic is received and acknowledged by the webserver, but the connection always times out. I had someone else take a look at my squid setup to see if it was something I was doing wrong, but it was suggested that it was a bug with wccp. I see you guys are running the newest IOS code on your router, and as the issue appears to be a WCCP bug (via the captures we did last night showing duplicate SYN/ACK packets) I would suggest opening a case with Cisco to see what they can see. I am in the process of contacting Cisco about this so that they can take a look. I am using c7200-js-mz.124-25.bin on this router and am about to try the c7200-is-mz.124-25.bin (non-enterprise) to see if it will make a difference.

Alex

-Original Message-
From: Behnam B.Marandi [mailto:blix...@gmail.com]
Sent: Sunday, July 12, 2009 10:10 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] CentOS/Squid/Tproxy but no transfer

I checked the packets using tcpdump and it seems that the router and cache machine have no problem communicating via WCCP:

8.061995 xx.xx.241.40 xx.xx.241.39 WCCP 2.0 Here I am
8.062036 xx.xx.241.40 xx.xx.241.39 WCCP 2.0 Here I am
8.065416 xx.xx.241.39 xx.xx.241.40 WCCP 2.0 I see you
8.066978 xx.xx.241.39 xx.xx.241.40 WCCP 2.0 I see you

So there must be something wrong with the GRE connection or inbound/outbound routing. Step 35 and the related squid.conf configuration in step 33 seem kinda tricky; based on the service identifier's config in squid.conf (step 33) and the note following step 35 (ip wccp 80 redirect-list 122) I concluded that service identifier 80 is the service identifier of packets which are incoming from the client to the router, and therefore service identifier 90 is for packets which are supposed to return to the client.

The configuration in this message confirms that: http://www.mail-archive.com/squid-...@squid-cache.org/msg04302.html

Even though the destination and source flags are inverted in the configuration above (and it has three interfaces that I'm not sure about the necessity of), the dedication of service identifiers changed as well; service identifier 80 changed to the gateway to the Internet and service identifier 90 was set as the client gateway. I did test all of these (with two interfaces, but no traffic coming back to the client). Dead end! Any suggestion?

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-IS-M), Version 12.2(11)T8, RELEASE SOFTWARE (fc1)
xx10.6 uptime is 1 day, 2 hours, 52 minutes
System returned to ROM by power-on
System image file is tftp://xx.xx.241.121/c2600-ipbasek9-mz.124-17.bin

Behnam.

Ritter, Nicholas wrote:

Behnam-

The router is either not seeing the WCCP registration from the squid box, or the squid box is not seeing the ack from the router. Tom's suggestion of debug ip wccp is a good start. The IOS version makes a huge difference. Between revisions of IOS, WCCP works and/or breaks, so it is something you have to play with to know which IOS works. The specific 12.4 releases I have used work...but on a 26xx series router you may not have enough flash and/or RAM for 12.4.

Nick
RE: [squid-users] Updated CentOS/Squid/Tproxy Transparency steps.
I am giving this one more try, but have been unsuccessful. Any help is always greatly appreciated. Here is the setup:

Router: Cisco 7200 IOS 12.4(25)

ip wccp web-cache redirect-list 11
access-list 11 permits only selective ip addresses to use wccp

Wan interface (Serial):
ip wccp web-cache redirect out

Global WCCP information:
Router information:
Router Identifier: 192.168.20.1
Protocol Version: 2.0
Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 8797
Process: 4723
Fast: 0
CEF: 4074
Redirect access-list: 11
Total Packets Denied Redirect: 124925546
Total Packets Unassigned: 924514
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0

WCCP Client information:
WCCP Client ID: 192.168.20.2
Protocol Version: 2.0
State: Usable
Initial Hash Info:
Assigned Hash Info:
Hash Allotment: 256 (100.00%)
Packets s/w Redirected: 306
Connect Time: 00:21:33
Bypassed Packets
Process: 0
Fast: 0
CEF: 0
Errors: 0

Clients are on FEthernet0/1
Squid server is the only device on FEthernet0/3

Squid Server:

eth0 Link encap:Ethernet HWaddr 00:14:22:21:A1:7D
inet addr:192.168.20.2 Bcast:192.168.20.7 Mask:255.255.255.248
inet6 addr: fe80::214:22ff:fe21:a17d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3325 errors:0 dropped:0 overruns:0 frame:0
TX packets:2606 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:335149 (327.2 KiB) TX bytes:394943 (385.6 KiB)

gre0 Link encap:UNSPEC HWaddr 00-00-00-00-CB-BF-F4-FF-00-00-00-00-00-00-00-00
inet addr:192.168.20.2 Mask:255.255.255.248
UP RUNNING NOARP MTU:1476 Metric:1
RX packets:400 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:31760 (31.0 KiB) TX bytes:0 (0.0 b)

/etc/rc.d/rc.local file:

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
modprobe ip_gre
ifconfig gre0 192.168.20.2 netmask 255.255.255.248 up
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind

/etc/sysconfig/iptables file:

# Generated by iptables-save v1.4.4 on Wed Jul 1 03:32:55 2009
*mangle
:PREROUTING ACCEPT [166:11172]
:INPUT ACCEPT [164:8718]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [130:12272]
:POSTROUTING ACCEPT [130:12272]
:DIVERT - [0:0]
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 192.168.20.2 --tproxy-mark 0x1/0x1
COMMIT
# Completed on Wed Jul 1 03:32:55 2009
# Generated by iptables-save v1.4.4 on Wed Jul 1 03:32:55 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [160:15168]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i gre0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -s 192.168.20.1/32 -p udp -m udp --dport 2048 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jul 1 03:32:55 2009

squid.conf:

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl testing src 10.10.10.0/24
acl SSL_ports port
RE: [squid-users] TPROXY and wiki article working on CentOS 5.3
It would be really great if you could do that.

Thank you,
Alex

-Original Message-
From: Ritter, Nicholas [mailto:nicholas.rit...@americantv.com]
Sent: Tuesday, June 23, 2009 8:25 PM
To: Alexandre DeAraujo
Cc: squid-users
Subject: RE: [squid-users] TPROXY and wiki article working on CentOS 5.3

I had two separate problems with the setup that were both due to the ordering of rules in iptables. I am still testing one issue, which I just recently solved, and was not a squid/tproxy problem. And I am considering the task and need of upgrading the other components of iptables, such as conntrack-tools, etc. I can post the exact steps I used.

Nick

-Original Message-
From: Alexandre DeAraujo [mailto:al...@cal.net]
Sent: Tuesday, June 23, 2009 4:32 PM
To: 'Ritter, Nicholas'
Subject: RE: [squid-users] TPROXY and wiki article working on CentOS 5.3

Nicholas,

I have been trying the exact same setup for quite some time now and am having nothing but troubles. If possible, could you give me the link to the exact wiki you used? Do you also have any pointers as to what I should watch out for? I really appreciate any help/pointers you can give.

Thank you,
Alex DeAraujo

-Original Message-
From: Ritter, Nicholas [mailto:nicholas.rit...@americantv.com]
Sent: Tuesday, June 23, 2009 2:21 PM
To: squid-users
Subject: [squid-users] TPROXY and wiki article working on CentOS 5.3

I just started a task to upgrade our CentOS v5-based squid3/tproxy boxes utilizing the Wiki article that Amos wrote. Everything is working great and it was actually far easier to set up than it used to be. Amos, Laszlo, and Krisztian...you are amazing, and I wish to offer my sincere thanks to you guys for the work and talent that you give to the open source community.

I am using the following software pieces to accomplish a WCCP-redirected TPROXY/transparent squid service in combination with Cisco routers:

CentOS 5.3 x86_64
Squid 3.1.0.8
Iptables 1.4.3.2
Kernel 2.6.30
IOS Advanced Security 12.4(15)T8 on a 2811 (as the testbed router/ios combination)

Amos-

I can either create a new set of steps, this time more detailed and better tested, for TPROXY/SQUID on CentOS 5.3 to replace the current one that has my name on it, and/or add some details to the article you wrote.

Nick
RE: FW: [squid-users] Tproxy Help // Transparent works fine
Does access.log say anything is arriving at Squid? Are you able to track the packets anywhere else?

Amos

Once the client tries to browse, the connection times out after 100-150 seconds and displays the error page:

The following error was encountered while trying to retrieve the URL: http://www.msn.com/
Connection to 207.68.172.246 failed.
The system returned: (110) Connection timed out
The remote host or network may be down. Please try the request again.

..and the following message will show in the access.log (at the same time as the timeout page is shown in the browser):

1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET http://www.msn.com/ - DIRECT/207.68.173.76 text/html
1245254249.779 179970 192.168.10.3 TCP_MISS/504 4533 GET http://www.msn.com/ - DIRECT/207.68.173.76 text/html

Nothing else will show in the access.log from the moment that the client tries to browse.

The following is the output of 'iptables -I INPUT -p tcp -j LOG'. Here is everything from the time the client tries to browse to when the connection times out:

client ip = 192.168.10.3
squid ip = 192.168.20.10
msn.com ip = 207.68.172.246

Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4652 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4653 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=968 TOS=0x00 PREC=0x00 TTL=127 ID=4654 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 ACK PSH URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46343 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4655 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46344 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4656 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:09:29 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46345 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:29 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4660 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:09:41 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46346 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:41 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4664 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:10:05 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46347 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:10:05 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4673 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:10:30 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32546 DF PROTO=TCP SPT=54114 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:10:30 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4683 PROTO=TCP SPT=54114 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:10:33 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32547 DF PROTO=TCP SPT=54114 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:10:33 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4684 PROTO=TCP SPT=54114 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:10:39 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32548 DF PROTO=TCP SPT=54114 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:10:39 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4688 PROTO=TCP SPT=54114 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:10:51 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32549 DF PROTO=TCP SPT=54114 DPT=80 WINDOW=5840 RES=0x00 SYN
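As an added diagnostic for LOG output of the kind shown in the message above (example code written for this page, not from the thread, from Squid or from any poster), the script below pairs each SYN that Squid sends with the client's spoofed address against the RST that follows it, and flags the pair when the RST carries a different TTL from the proxy's. The TTL values 63 (proxy) and 127 (client) and the sample lines are taken from the poster's output; treating a differing TTL as proof that the real client, not the proxy, generated the RST is an assumption.

```python
"""Correlate netfilter LOG lines from a TPROXY host to show whether the
origin server's replies are reaching the proxy or the real client.

Added example for this thread, not squid-users or Squid code.
Assumption (labelled): Squid's spoofed SYN leaves with the proxy host's
TTL (63 in the poster's log), and a RST carrying the client's address but
a different TTL (127) was built by the real client, meaning the origin's
SYN/ACK bypassed the proxy on the return path.
"""
import re

_KV = re.compile(r"(\w+)=(\S*)")
_TCP_FLAGS = {"SYN", "ACK", "RST", "PSH", "FIN", "URG"}


def parse_log_line(line):
    """Return the key=value fields of one kernel LOG line plus a 'flags'
    set, or None if the line is not a TCP LOG entry."""
    if "PROTO=TCP" not in line:
        return None
    fields = dict(_KV.findall(line))
    fields["flags"] = {tok for tok in line.split() if tok in _TCP_FLAGS}
    return fields


def find_return_path_breaks(lines, proxy_ttl=63):
    """Pair each bare SYN sent with the proxy's TTL against a later RST on
    the same (src, dst, sport, dport) tuple that carries a different TTL.
    Each pair is one connection whose SYN/ACK reached the client instead
    of the proxy; the list of such pairs is returned."""
    pending = {}
    findings = []
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        key = (f["SRC"], f["DST"], f["SPT"], f["DPT"])
        ttl = int(f["TTL"])
        if f["flags"] == {"SYN"} and ttl == proxy_ttl:
            pending[key] = f["ID"]
        elif "RST" in f["flags"] and key in pending and ttl != proxy_ttl:
            findings.append({"client": f["SRC"], "origin": f["DST"],
                             "sport": f["SPT"], "syn_id": pending.pop(key),
                             "rst_ttl": ttl})
    return findings


# Constructed sample in the thread's LOG format (addresses as the poster
# gave them): the client's own SYN to Squid, Squid's spoofed SYN to the
# origin, the client's RST, and a retransmitted SYN with no RST yet.
SAMPLE_LOG = """\
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=192.168.20.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4652 DF PROTO=TCP SPT=3920 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46343 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
Jun 17 10:09:20 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4655 PROTO=TCP SPT=34661 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1
Jun 17 10:09:23 kernel: IN=wccp2 OUT= MAC= SRC=192.168.10.3 DST=207.68.172.246 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46344 DF PROTO=TCP SPT=34661 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1
"""

if __name__ == "__main__":
    for hit in find_return_path_breaks(SAMPLE_LOG.splitlines()):
        print("origin reply bypassed the proxy:", hit)
```

A non-empty result means the origin's SYN/ACK is being delivered to the client directly, so the router's redirect for server-to-client traffic (the return-direction WCCP service discussed earlier in the thread) is the place to look rather than Squid or the TPROXY rules.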
FW: [squid-users] Tproxy Help // Transparent works fine
-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, June 15, 2009 9:21 PM
To: Alexandre DeAraujo
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Tproxy Help // Transparent works fine

Should just be an upgrade of Squid to the 3.1 release and follow the instructions at: http://wiki.squid-cache.org/Features/Tproxy4

Amos

I downloaded and installed squid-3.1.0.8.tar.gz with the configure build option '--enable-linux-netfilter'. Made sure squid.conf was configured with:

http_port 3128
http_port 3129 tproxy

The following modules are enabled in the kernel config file:

NF_CONNTRACK
NETFILTER_TPROXY
NETFILTER_XT_MATCH_SOCKET
NETFILTER_XT_TARGET_TPROXY

After typing the following lines:

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

my iptables-save output:

# Generated by iptables-save v1.4.3.2 on Tue Jun 16 16:16:27 2009
*nat
:PREROUTING ACCEPT [33:2501]
:POSTROUTING ACCEPT [1:76]
:OUTPUT ACCEPT [1:76]
-A PREROUTING -i wccp2 -p tcp -j REDIRECT --to-ports 3128
COMMIT
# Completed on Tue Jun 16 16:16:27 2009
# Generated by iptables-save v1.4.3.2 on Tue Jun 16 16:16:27 2009
*mangle
:PREROUTING ACCEPT [35:2653]
:INPUT ACCEPT [158:8713]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [123:11772]
:POSTROUTING ACCEPT [123:11772]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
# Completed on Tue Jun 16 16:16:27 2009

Then I entered the following lines:

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 1 > /proc/sys/net/ipv4/ip_forward

Client could not browse after that. I see the connections coming in with tcpdump, but all connections just time out.

P.S. After compiling squid-3.1.0.8, I did a search for 'tproxy' on the console screen and found this line:

checking for linux/netfilter_ipv4/ip_tproxy.h... no

I don't know if this would have anything to do with it..

Thanks,
Alex
[squid-users] Tproxy Help // Transparent works fine
I have a Transparent Proxy setup currently working and am not seeing any problems while browsing. I am trying to set up squid to show the client's IP instead of the proxy server's IP. How do I go from this setup to implementing tproxy? Any pointers will be highly appreciated.

CentOS release 5.3 (Final)
iptables v1.4.3.2
Squid Cache: Version 3.0.STABLE16
Linux 2.6.29.4-tproxy2 (custom kernel for tproxy)
Cisco 7206VXR WCCPv2

// start of squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8443 # Plesk
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
#http_access deny all
http_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /var/spool/squid
http_port 3129
logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
#emulate_httpd_log on
access_log /var/log/squid/access.log squid
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
debug_options ALL,3
no_cache allow our_networks
cache_dir ufs /var/spool/squid 20 256 256
cache_effective_user squid
cache_swap_high 100%
cache_swap_low 80%
cache_mem 2 GB
maximum_object_size 8192 KB
half_closed_clients on
client_db off
wccp2_router <router primary IP on GEthernet>
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0
forwarded_for on
// end of squid.conf

// start of /etc/rc.d/rc.local
modprobe ip_gre
iptunnel add wccp2 mode gre remote <router wccp id IP address> local <eth0 IP address> dev eth0
ifconfig wccp2 <eth0 IP address> netmask 255.255.255.255 up
echo 0 > /proc/sys/net/ipv4/conf/wccp2/rp_filter
# these are the ONLY iptables rules on the system at the moment (to avoid issues).
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i wccp2 -p tcp -j REDIRECT --to-port 3128
// end of rc.local

Thanks,
Alex DeAraujo