After playing with netfilter and squid on my home network (shhh! don't tell the roommate! :) to get a transparent proxy/cache setup, I'm trying to do a similar setup at work. At home the firewall and squid box are the same machine, so setting it up isn't too hard to figure out. Here at work, things are a bit more difficult because the squid box isn't the same box as the firewall. This is further complicated by the fact that the squid box is on the internal network, behind the firewall, so simply redirecting web traffic from the firewall to the squid box would create a loop. The thought came to me while sitting in traffic (interesting how car fumes give you sparks of genius and/or insanity.) If I first allowed web traffic from the squid box, then redirected everyone else back through the squid box, things should work, right? Well, maybe not. So I'm in need of a sanity check: First, the iptables rules I added were:

# let the squid box's own web traffic through untouched so it doesn't loop back to itself
iptables -t nat -A PREROUTING -i eth1 -p tcp -s 192.168.1.1 --dport 80 -j ACCEPT
# REDIRECT can only change the port on the firewall itself; sending traffic to another host needs DNAT
iptables -t nat -A PREROUTING -i eth1 -p tcp ! -s 192.168.1.1 --dport 80 -j DNAT --to-destination 192.168.1.1:3128