[On Ubuntu] I used an iptables ruleset based on the sample ruleset from https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy, Section Linux, Local Redirection Through Tor, to set up Tor as a transparent Proxy. I thought I had understood that ruleset, but theres one point I simply dont get: That TCP segments are only redirected to the port Tor listens on when the SYN flag is set. For example I want to visit www.example.com. My browser does a DNS request, gets the corresponding IP address and sends a TCP segment to that address, the SYN flag is set. According to the ruleset, the segment is redirected to the Tor port, so Tor functions as a proxy, routes the IP packet to www.example.com and delivers the answer from the website server back to my browser. My browser gets a packet back where the source IP is that from the server and the ACK flag is set in the TCP payload, right? So my browser sends the next TCP segment where the SYN flag is not set anymore to www.example.com's IP address. But, there is no corresponding rule in the NAT table because the SYN flag isn't set. So it shouldnt get redirected or get accepted in the output table afterwards. Nonetheless it seems to work fine (at least there are no packets from or to the actual IP addresses of the websites in the log file). Someone on stackexchange suggested its because Tor resolves the DNS query for normal internet domains not to the real but to a mapped IP addresses within the specified address range so the packets with no SYN flag that dont get redirected get are considered an established connection According to this, visiting a website with my browser typing in the the actual IP address so no DNS request is done shouldnt work, should it? : The initial SYN packet would be routed through the Tor network, but the following packets without SYN flag wouldnt and iptables should drop them (except iptables would deem the following packages as part of an established connection, but I guess in this case the connection to the website domain would not be torified at all cause no NAT was done for those packets). Nonetheless, its working. Also, doing a DNS request with nslookup www.example.com brings up the real IP address, not a mapped on from the specified address range. Unfortunately Wireshark isnt working for me atm so I cant find out whats exactly going on. Im really confused. There must be some big point Im missing. Any ideas? Thanks in advance!