Hi,

I am having difficulties transferring the Zorp tutorial iptables setup to the new tproxy version without the tproxy table. This is the setup in iptables-save/restore syntax found at Balabit's website (https://www.balabit.com/network-security/zorp-gateway/gpl/tutorial/):

*tproxy
:PREROUTING ACCEPT
:OUTPUT ACCEPT
:PRintra -
:PRinter -
:PRdmz -
-A PREROUTING -i IFintra -j PRintra
-A PREROUTING -i IFinter -j PRinter
-A PREROUTING -i IFdmz -j PRdmz
# PRintra chain
-A PRintra -p tcp --dport 80 -j TPROXY --on-port 50080
-A PRintra -p tcp --dport 443 -j TPROXY --on-port 50443
-A PRintra -p tcp --dport 21 -j TPROXY --on-port 50021
# PRinter chain
-A PRinter -p tcp --dport 80 -j TPROXY --on-port 50080
# PRdmz chain
# no services permitted
COMMIT

*filter
:INPUT DENY
:FORWARD DENY
:OUTPUT ACCEPT
:noise -
:spoof -
:spoofdrop DROP
:LOintra -
:LOinter -
:LOdmz -
-A INPUT -j noise
-A INPUT -j spoof
# permit all traffic initiated by transparent proxies
-A INPUT -m tproxy -j ACCEPT
#
# permit all TCP traffic initiated by local processes, or allowed by rules
# below, we don't trust the state match for UDP traffic, they will be handled
# by individual rules below.
#
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# permit all loopback traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -i IFintra -j LOintra
-A INPUT -i IFinter -j LOinter
-A INPUT -i IFdmz -j LOdmz
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FORWARD DROP: "
-A FORWARD -j DROP
# LOintra
-A LOintra -p udp --dport 53 -j ACCEPT
-A LOintra -p udp --dport 123 -j ACCEPT
-A LOintra -p tcp --syn --dport 25 -j ACCEPT
-A LOintra -j LOG --log-prefix "LOintra DROP: "
-A LOintra -j DROP
# LOinter
# permit DNS replies, bind is configured to send out DNS packets from this
# port. We could also use the state match in our INPUT chain.
-A LOinter -p udp -s DNS_SERVERS --dport 53000 -j ACCEPT
-A LOinter -p udp -s NTP_SERVERS --dport 123 -j ACCEPT
-A LOinter -p tcp --syn --dport 25 -j ACCEPT
-A LOinter -j LOG --log-prefix "LOinter DROP: "
-A LOinter -j DROP
# LOdmz
-A LOdmz -p udp --dport 53 -j ACCEPT
-A LOdmz -p udp --dport 123 -j ACCEPT
-A LOdmz -p tcp --syn --dport 25 -j ACCEPT
-A LOdmz -j LOG --log-prefix "LOdmz DROP: "
-A LOdmz -j DROP
#
# noise chain, should drop all packets which need not be logged,
# otherwise it should return to the main ruleset
#
-A noise -p udp --dport 137:139 -j DROP
-A noise -j RETURN
#
# spoof chain, should drop all packets with spoofed source address
# otherwise it should return to the main ruleset
#
-A spoof -i lo -j RETURN
-A spoof ! -i lo -s 127.0.0.0/8 -j spoofdrop
-A spoof -i IFintra ! -s NETintra -j spoofdrop
-A spoof ! -i IFintra -s NETintra -j spoofdrop
-A spoof -i IFdmz ! -s NETdmz -j spoofdrop
-A spoof ! -i IFdmz -s NETdmz -j spoofdrop
-A spoof -j RETURN
#
-A spoofdrop -j LOG --log-prefix "Spoofed packet: "
-A spoofdrop -j DROP
COMMIT

I tried to do the tproxy table stuff in mangle but did not succeed. All packets are dropped. Apart from that I do not know how to replace -A INPUT -m tproxy -j ACCEPT. I really hope someone can help me.

Thanks,
Tim
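The mangle-table form of the quoted tproxy table, as an added example that is not part of Tim's mail or the Zorp tutorial: it rewrites the per-interface port mappings for the in-kernel TPROXY target, shows the socket-match rule that takes over the job of the old "-m tproxy" INPUT rule, and prints the fwmark policy route that the in-kernel version needs. The mark value 1 and routing table 100 are assumptions, and the script only prints the rules rather than loading them.

```shell
#!/bin/sh
# Added example, not from Tim's mail or the Zorp tutorial: the per-interface
# port->proxy mapping from the quoted "tproxy" table expressed for the
# in-kernel TPROXY target, which lives in the mangle table and needs a
# fwmark plus a policy route to deliver diverted packets locally.
# Assumptions: mark 1 and routing table 100 are arbitrary choices; the
# interface names and ports are the placeholders from the quoted ruleset.

TPROXY_MARK=1      # fwmark (single hex digit) carried by diverted packets
TPROXY_TABLE=100   # routing table holding the "local" catch-all route

# Print an iptables-restore fragment for the mangle table.
# Usage: tproxy_mangle_fragment <iface:dport:onport> [...]
tproxy_mangle_fragment() {
    printf '%s\n' '*mangle' ':PREROUTING ACCEPT [0:0]' ':DIVERT - [0:0]'
    # Packets that already belong to a local socket (later packets of a
    # proxied connection) are marked and accepted before the TPROXY rules;
    # this is the mangle-side counterpart of the old "-m tproxy" match.
    printf '%s\n' '-A PREROUTING -p tcp -m socket -j DIVERT'
    printf '%s\n' "-A DIVERT -j MARK --set-mark 0x$TPROXY_MARK"
    printf '%s\n' '-A DIVERT -j ACCEPT'
    for triple in "$@"; do
        iface=${triple%%:*}
        rest=${triple#*:}
        dport=${rest%%:*}
        onport=${rest#*:}
        # --tproxy-mark sets the same fwmark so the policy route applies
        printf '%s\n' "-A PREROUTING -i $iface -p tcp --dport $dport -j TPROXY --tproxy-mark 0x$TPROXY_MARK/0x$TPROXY_MARK --on-port $onport"
    done
    printf '%s\n' 'COMMIT'
}

# Filter-table replacement for "-A INPUT -m tproxy -j ACCEPT": every packet
# carrying the fwmark went through DIVERT or TPROXY above.
tproxy_filter_rule() {
    printf '%s\n' "-A INPUT -m mark --mark 0x$TPROXY_MARK/0x$TPROXY_MARK -j ACCEPT"
}

# Policy routing that sends marked packets to lo; without it they are
# routed for forwarding instead of being delivered to the proxy socket.
tproxy_routing_cmds() {
    printf '%s\n' "ip rule add fwmark 0x$TPROXY_MARK lookup $TPROXY_TABLE"
    printf '%s\n' "ip route add local 0.0.0.0/0 dev lo table $TPROXY_TABLE"
}

# Demo: the PRintra and PRinter mappings from the quoted ruleset.
tproxy_mangle_fragment IFintra:80:50080 IFintra:443:50443 IFintra:21:50021 IFinter:80:50080
tproxy_filter_rule
tproxy_routing_cmds
```

The printed fragment is meant to be fed to iptables-restore alongside the existing filter table, with the LOG/DROP tail of the filter INPUT chain left in place.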