I enabled "local NATting of connections" in the kernel so that I can do transparent proxying from the local host itself, which runs Squid, and I only use these two rules in the new "OUTPUT" chain of the nat table:

    # transparent proxy for localhost
    # let Squid's own outgoing fetches leave untouched (otherwise they would loop back to 3128)
    iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
    # everything else this host sends to port 80 goes to Squid
    iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

Now the problem I have is that when the box itself tries to FTP to the outside world, it just hangs as soon as it sends the PORT command. Then in syslog I see a couple of these messages:

    ip_conntrack: max number of expected connections 1 of ftp reached for <hidden ip>-><hidden ip>, reusing

Is there any way I could configure iptables to not use FTP conntrack for the local NAT, or is this a bug?

I'm using kernel 2.4.19-pre7 with the newnat patch applied and h323, but no other patches. iptables userspace is 1.2.6a. My nat POSTROUTING chain contains a typical SNAT setting to let my internal machines access the Internet. The machine running squid/iptables has direct access to the Internet and is also a machine that I use for working on, too. I provide access to my laptop from it on a second interface.

I have not tested with other plugins, so I'm wondering if it might do the same thing for the IRC conntrack.

Thanks
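As an added example (not part of the original post), the script below wraps the same two nat OUTPUT rules in a small POSIX shell helper and adds a dry-run "first match wins" walk over the rule list. The point it makes is the one the `-m owner` rule exists for: a locally generated connection from the Squid user must hit the ACCEPT rule before the REDIRECT, otherwise Squid's own fetches are sent back to port 3128 and loop. It also shows that these rules say nothing about port 21, so FTP is not touched by them. Assumptions not taken from the post: Squid runs as user `squid` on port 3128, the binary is `iptables` (override with `$IPTABLES`), and the `verdict`, `nat_output_rules`, `reversed_rules` and `apply_rules` names are invented here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Squid runs as user
# "$SQUID_USER" on TCP "$SQUID_PORT" and that "$IPTABLES" is the iptables binary.
IPTABLES=${IPTABLES:-iptables}
SQUID_USER=${SQUID_USER:-squid}
SQUID_PORT=${SQUID_PORT:-3128}

# The two rules, one per line, in the order they must be appended.
# Rule 1 exempts Squid's own outbound fetches; rule 2 redirects everyone else.
nat_output_rules() {
    cat <<EOF
-t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $SQUID_USER -j ACCEPT
-t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
EOF
}

# Same rules in the wrong order, to show what happens without the owner match first.
reversed_rules() { nat_output_rules | sed '1!G;h;$!d'; }

# Really install the rules (needs root). The chain is flushed first so reruns are idempotent.
apply_rules() {
    "$IPTABLES" -t nat -F OUTPUT
    nat_output_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule into arguments is intended
        "$IPTABLES" $rule
    done
}

# Dry-run: walk a rule list first-match style for a locally generated TCP packet.
# Usage: verdict <uid> <dport> [rule-list-function]
# Prints ACCEPT, REDIRECT:<port>, or POLICY when no rule matched (chain default).
verdict() {
    uid=$1; dport=$2; rules=${3:-nat_output_rules}
    while read -r rule; do
        [ -n "$rule" ] || continue
        # destination port must match
        case " $rule " in *" --dport $dport "*) ;; *) continue ;; esac
        # if the rule carries an owner match, the packet's uid must agree with it
        case " $rule " in
            *" --uid-owner "*)
                case " $rule " in *" --uid-owner $uid "*) ;; *) continue ;; esac ;;
        esac
        # first matching rule decides the verdict
        case " $rule " in
            *" -j ACCEPT"*) echo ACCEPT; return 0 ;;
            *" -j REDIRECT --to-port "*) echo "REDIRECT:${rule##* --to-port }"; return 0 ;;
        esac
    done <<EOF
$($rules)
EOF
    echo POLICY
}

demo() {
    echo "squid -> :80           : $(verdict squid 80)"                 # ACCEPT
    echo "bob   -> :80           : $(verdict bob 80)"                   # REDIRECT:3128
    echo "bob   -> :21 (ftp)     : $(verdict bob 21)"                   # POLICY (FTP untouched)
    echo "squid -> :80, reversed : $(verdict squid 80 reversed_rules)"  # REDIRECT:3128, a loop
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) demo ;;
esac
```

Run it with no arguments to see the dry-run verdicts; `--apply` flushes and reinstalls the nat OUTPUT chain. The walk is deliberately limited to `--dport`, `--uid-owner` and the two targets used here; it is a reading aid for this rule set, not a general iptables simulator.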