We are trying to configure shorewall as follows:
1. We have shorewall running at the gateway ( with NAT.
2. We have a number of web servers (172.16.1.x/24). These web servers are accessed through port forwarding at the gateway ( and websites are visible through virtual hosting through a web re-director.
3. Presently the proxy server runs in a transparent mode, i.e., all web requests go to the gateway at port 80, they get redirected to 3128, content filtering is done there via ufdbguard and acceptable requests are forwarded.
Now we wish to switch to non-transparent mode as follows:
1. Users of our LAN are authenticated on an LDAP server and they are supposed to manually set up proxy settings for their browsers for internet access at port 3128 pointing at our gateway (

Now the problem we are facing is that with non-transparent proxy settings from within our Intranet (172.x.y.z/8) we are unable to see our internal websites which are running on 172.16.1.x/24 !!

The rules we are using in transparent mode are:

For the gateway:
(The external interface is at 210.212.X.Y (eth0)
The internal interface is at (eth1))

In /etc/shorewall/rules:

# Squid for web access
REDIRECT        loc     3128    tcp     80      -       !210.212.X.Y

DNAT            loc             loc:         tcp     www     -       210.212.X.Y

In /etc/shorewall/masq:

eth1:        eth1       tcp     www

The routeback option has been set for eth1 as well.

Can someone suggest the revised rules so that we may run this in non-transparent mode as mentioned above and still be able to view the internal webservers through port forwarding?
Thanks in advance.
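One way to express the non-transparent setup in /etc/shorewall/rules, as an added example and not the original poster's configuration. It assumes a constructed sample web server at 172.16.1.10, a "net" zone on eth0, and a Shorewall version that accepts $FW as the SOURCE of a DNAT rule; the point it shows is that with a manual proxy it is squid on the gateway, not the LAN client, that connects to the public address, so the existing loc-sourced DNAT never sees that traffic.

```shorewall
# /etc/shorewall/rules  (added example, not the poster's file)
#ACTION   SOURCE   DEST               PROTO   DEST   SOURCE   ORIGINAL
#                                             PORT   PORT     DEST
# Browsers are configured for the proxy by hand, so accept 3128 on the
# gateway from the LAN instead of REDIRECTing port 80 there.
ACCEPT    loc      $FW                tcp     3128
# Keep the content filter from being bypassed: no direct port 80 from the
# LAN to the outside (assumes a "net" zone on eth0).
REJECT    loc      net                tcp     www
# Existing hairpin rule for LAN clients that still hit the public address
# directly (172.16.1.10 is a constructed sample server address).
DNAT      loc      loc:172.16.1.10    tcp     www    -        210.212.X.Y
# With a non-transparent proxy, squid on the gateway is the host that opens
# the connection to 210.212.X.Y, so the same redirection is needed for
# traffic originating on the firewall itself (assumes $FW is accepted as a
# DNAT source by the Shorewall version in use).
DNAT      $FW      loc:172.16.1.10    tcp     www    -        210.212.X.Y
```

The firewall-originated connection carries the gateway's own address as source, so the existing eth1 masq entry is only needed for the loc-to-loc case. An alternative that avoids hairpinning altogether is to have squid resolve the internal site names to their 172.16.1.x addresses (split DNS on the gateway).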