1. We have shorewall running at gateway ( with NAT.
2. We have a number of web servers (172.16.1.x/24). These web servers are accessed through port forwarding at the gateway ( and the websites are visible through virtual hosting via a web redirector.
3. Presently the proxy server runs in transparent mode, i.e., all web requests go to the gateway on port 80, get redirected to 3128, content filtering is done there via ufdbguard, and acceptable requests are forwarded.
Now we wish to switch to non-transparent mode as follows:
1. Users of our LAN are authenticated on an LDAP server and they are supposed to manually set up proxy settings in their browsers for internet access at port 3128, pointing at our gateway (

Now the problem we are facing is that with the non-transparent proxy setting from within our Intranet (172.x.y.z/8) we are unable to see our internal websites, which are running on 172.16.1.x/24!

The rules we are using in transparent mode are:

For the gateway:
(The external interface is at 210.212.X.Y (eth0)
The internal interface is at (eth1))

In /etc/shorewall/rules:

# Squid for web access
REDIRECT        loc     3128    tcp     80      -       !210.212.X.Y

DNAT            loc             loc:         tcp     www     -       210.212.X.Y

In /etc/shorewall/masq:

eth1:        eth1       tcp     www

The routeback option has been set for eth1 as well.

Can someone suggest the revised rules so that we may run this in non-transparent mode as mentioned above and still be able to view the internal web servers through port forwarding?
Thanks in advance.

What does 'unable to see' mean?
What IP address do your internal users attempt to connect to access
these internal servers?
What does the user see when the connection attempt fails?
What 'Shorewall' messages appear when the user attempts a connection?
What messages are written to the Squid logs when the user attempts a

Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

'unable to see' means that the proxied and authenticated users are able to
browse all the sites except our own webserver(s).
As the authoritative nameserver is running on the gateway (, the users
are trying to connect to the externally resolved IPs (210.x.y.z), on which they get a
"connection refused" message.
And this message is written to the squid log:
1241001622.284    118 TCP_MISS/503 2655 GET http://www.mnit.ac.in/
username DIRECT/210.x.y.z text/html
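Added example, not from the thread or from Shorewall's own documentation. The squid log line above shows Squid going DIRECT to the public address from the gateway itself, i.e. from the $FW zone, which the existing loc-sourced DNAT never matches. The fragment below assumes 172.16.1.10 as a constructed placeholder for one internal web server and assumes the Shorewall version in use accepts $FW as the SOURCE of a DNAT rule:

```text
# /etc/shorewall/rules (non-transparent mode)
# ACTION   SOURCE   DEST                 PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST

# Browsers now point at the proxy explicitly, so the port-80 REDIRECT is retired.
# REDIRECT loc      3128                 tcp    80         -            !210.212.X.Y

# Let LAN clients reach Squid on the gateway itself.
ACCEPT     loc      $FW                  tcp    3128

# Unchanged hairpin rule for clients that still connect to 210.212.X.Y directly
# (still needs the existing eth1 masq entry and routeback on eth1).
DNAT       loc      loc:172.16.1.10      tcp    www        -            210.212.X.Y

# Squid runs on the gateway, so its outbound connections originate in $FW;
# add the same translation for that zone so proxied requests reach the server.
DNAT       $FW      loc:172.16.1.10      tcp    www        -            210.212.X.Y
```

After `shorewall restart`, a request through the proxy for the site should appear in the squid log as DIRECT/172.16.1.10 instead of DIRECT/210.x.y.z.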