Hi,

I am writing a proxy program using tproxy features to provide a transparent proxy on the Linux platform. The previous version of the proxy is running on kernel 2.6.17 + tproxy2, the new version is running on kernel 2.6.28 + tproxy4.

The simple net topology looks like this:

    192.168.0.1 (client) -> 192.168.0.2:80 (eth0) - 192.168.10.1 (eth1) -> 192.168.10.1 (server running apache2)

** With tproxy2, all I have to do is to add the following code:

  * modprobe iptable_tproxy
  * modprobe ipt_tproxy

  1) accept client connection
  2) determine which address to bind. In the case above, it is 192.168.10.1
  3) assign client address and set connect flag on socket

    /* create socket connectsockfd */
    ....
    /* bind connectsockfd to 192.168.10.1 */
    ....
    /* assign client address */
    itp.op = TPROXY_ASSIGN;
    itp.v.addr.faddr = client_addr.in.sin_addr;
    itp.v.addr.fport = 0;
    if (setsockopt(connectsockfd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
        s_log(LOG_NOTICE, "error assigning foreign address: %s",
              inet_ntoa(client_addr.in.sin_addr));
        sockerror("setsockopt(SOL_IP, IP_TPROXY, TPROXY_ASSIGN)");
        longjmp(c->err, 1);
    }
    s_log(LOG_NOTICE, "TPROXY: assigned foreign address: %s",
          inet_ntoa(client_addr.in.sin_addr));

    /* set connect flag on socket */
    itp.op = TPROXY_FLAGS;
    itp.v.flags = ITP_CONNECT|ITP_ONCE;
    if (setsockopt(connectsockfd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
        sockerror("setsockopt(SOL_IP, IP_TPROXY, TPROXY_FLAGS)");
        longjmp(c->err, 1);
    }
    // then connect to server as usual

** No special iptables rules need to be set; the transparent proxy just works.
** With tproxy4, I tried the following code:

  * modprobe xt_TPROXY (module nf_tproxy_core is automatically loaded)
  * create listen socket listensockfd
  * setsockopt(listensockfd) to make it transparent (IP_TRANSPARENT)
  * bind(listensockfd) to 192.168.0.2:80
  * listen(listensockfd) as usual
  * accept() as usual

then for the outbound socket:

  * create socket connectsockfd
  * setsockopt(connectsockfd) to make it transparent (IP_TRANSPARENT)
  * bind(connectsockfd) to 192.168.10.1:0
  * connect(connectsockfd) as usual

But the transparent proxy doesn't work: the server access.log still shows that the connections are from 192.168.10.1.

My question is: must those special iptables rules (http://wiki.squid-cache.org/Features/Tproxy4#iptables_1.4.3_Configuration) be set while using tproxy4? I really do not want my users to set up any special iptables rules for my proxy to work as transparent.

Thanks very much!
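The tproxy4 outbound-socket steps listed above (socket, IP_TRANSPARENT, bind to a non-local address, connect) written out as one C function; this is an added example for illustration, not the poster's code. The function name is my own; the addresses it is meant to be called with are the ones in the message.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* Linux value; fallback for headers lacking it */
#endif

/* Added example (not the poster's code): the tproxy4 outbound-socket steps
 * as one function. Connects to server_ip:server_port with the local address
 * forced to spoof_ip:spoof_port, i.e. the original client's address.
 * Returns the connected fd, or -1 with errno set (EINVAL on a bad address). */
int open_transparent_outbound(const char *spoof_ip, uint16_t spoof_port,
                              const char *server_ip, uint16_t server_port)
{
    struct sockaddr_in local, remote;
    int fd, one = 1, saved;
    memset(&local, 0, sizeof local);
    memset(&remote, 0, sizeof remote);
    local.sin_family = remote.sin_family = AF_INET;
    local.sin_port = htons(spoof_port);
    remote.sin_port = htons(server_port);
    if (inet_pton(AF_INET, spoof_ip, &local.sin_addr) != 1 ||
        inet_pton(AF_INET, server_ip, &remote.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    /* IP_TRANSPARENT lets bind() accept a non-local address; the kernel
     * refuses it with EPERM unless the process holds CAP_NET_ADMIN. */
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0)
        goto fail;
    /* bind to the client's address (what tproxy2's TPROXY_ASSIGN did), not
     * to the proxy's own eth1 address, or the server logs the proxy's IP */
    if (bind(fd, (struct sockaddr *)&local, sizeof local) < 0)
        goto fail;
    if (connect(fd, (struct sockaddr *)&remote, sizeof remote) < 0)
        goto fail;
    return fd;
fail:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}
```

Even when this succeeds, the server's replies are addressed to the client, so they only reach this socket if the proxy host routes them to its local stack rather than forwarding them; that is what the TPROXY mangle rule plus the fwmark/ip rule setup on the linked Squid wiki page provides.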