Hi, Having to very suddenly (due to hardware failure) upgrade an old 2.4 tproxy box to a stock 2.6 distro kernel box, I was faced with the problem of the upstream 2.6 kernel (and thus, the distro kernel) not supporting tproxy. REDIRECT functionality does work upstream, but TCP source address spoofing can only be achieved with iptables SNAT. So, I implemented a small module that can insert SNAT rules into nat/POSTROUTING, and our proxy (in-house program) now uses that instead of tproxy. This works well for us since we don't need all the other functionality that tproxy provides, but of course, YMMV. I've attached the code we use. It uses libiptc, and may look kind of weird since it was chainsawed from a (much) bigger piece of code, but you'll get the idea. (It flushes and inserts rules in POSTROUTING by default, if that's not appropriate, make a new chain and add a rule to POSTROUTING to jump to that chain.) It's not been tested incredibly extensively, but since the proxy has been processing 4000-5000 concurrent connections at 200-300 connections per second without a hitch for about 12 hours now, it's at least not completely broken. cheers, Lennert