This is covered at the squid site in the FAQ, for ipfwadm, ipchains, iptables, cisco.......

http://www.squid-cache.org/Doc/FAQ/FAQ.html section 17

It's also referred to as an intercepting cache (although that's a bit of a misnomer since squid has to be sent the data, it can't "intercept" on its own).

I also advise a slightly more defined set of redirect rules, instead of:

    $IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE --dport 80 -j REDIRECT --to-port 3128

    -t nat -A PREROUTING -s 10.3.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

This way you can also run a webserver on the machine with much less hassle.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
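As an added example that is not part of the original post: a small shell audit that reads rules in iptables-save format and labels each port-80 REDIRECT in PREROUTING by how it is scoped, so an interface-only or unscoped redirect stands out from one limited to a source network. The sample ruleset is constructed, `eth1` stands in for `$LAN_IFACE`, and the function names and the choice to treat a negated source match as OPEN are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify port-80 REDIRECT
# rules in iptables-save output by how narrowly they are scoped.

# Constructed sample ruleset. eth1 stands in for $LAN_IFACE (assumption).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 10.3.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING ! -s 10.3.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 10.3.0.0/24 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
COMMIT'

# classify_redirects: reads rules on stdin and prints "<SCOPE> <rule>" for
# every PREROUTING rule that redirects destination port 80.
#   SOURCE = limited to a source network (-s)
#   IFACE  = limited only by inbound interface (-i)
#   OPEN   = no source or interface limit, or a negated source match
classify_redirects() {
    while IFS= read -r rule; do
        # Skip table headers, chain policies and rules for other ports/targets.
        case "$rule" in
            "-A PREROUTING "*"--dport 80 "*"-j REDIRECT"*) ;;
            *) continue ;;
        esac
        case "$rule" in
            *"! -s "*) scope=OPEN ;;
            *" -s "*)  scope=SOURCE ;;
            *" -i "*)  scope=IFACE ;;
            *)         scope=OPEN ;;
        esac
        printf '%s %s\n' "$scope" "$rule"
    done
}

# count_scope SCOPE: number of classified rules on stdin with that scope.
count_scope() {
    classify_redirects | grep -c "^$1 " || true
}

# Stand-alone run: show the classification of the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | classify_redirects
```

On a live gateway the same function can be fed from `iptables-save -t nat` instead of the sample variable.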