diff -urN linux-2.4.21.orig/net/ipv4/netfilter/iptable_tproxy.c linux-2.4.21/net/ipv4/netfilter/iptable_tproxy.c
--- linux-2.4.21.orig/net/ipv4/netfilter/iptable_tproxy.c Mon Jul 7 14:50:11 2003
+++ linux-2.4.21/net/ipv4/netfilter/iptable_tproxy.c Mon Jul 7 14:54:18 2003
@@ -9,6 +9,7 @@
 #include
 #include
+#include
 #include
 #include
@@ -45,6 +46,47 @@
 #define DEBUGP(f, args...)
 #endif
+#ifdef CONFIG_SYSCTL
+static gid_t tproxy_gid;
+
+static struct ctl_table_header *sysctl_hdr;
+
+static struct ctl_table tproxy_gid_table[] = {
+ { 666 /* I am going to hell */ , "tproxy_gid", &tproxy_gid,
+ sizeof(tproxy_gid), 0644, NULL, proc_dointvec },
+ { 0 }
+};
+
+static struct ctl_table dir_table[] = {
+ {NET_IPV4, "ipv4", NULL,
+ 0, 0555, tproxy_gid_table, 0, 0, 0, 0, 0},
+ { 0 }
+};
+
+static struct ctl_table root_table[] = {
+ {CTL_NET, "net", NULL,
+ 0, 0555, dir_table, 0, 0, 0, 0, 0},
+ { 0 }
+};
+
+static inline int check_permissions(void)
+{
+ if ( capable(CAP_NET_ADMIN) )
+ return 1;
+
+ if ( in_egroup_p(tproxy_gid) )
+ return 1;
+
+ return 0;
+}
+
+#else
+static inline int check_permissions(void)
+{
+ return capable(CAP_NET_ADMIN);
+}
+#endif
+
 /* Standard entry. */
 struct ipt_standard
 {
@@ -727,7 +769,7 @@
 struct in_tproxy itp;
 int foreign_matches;
- if (!capable(CAP_NET_ADMIN))
+ if (!check_permissions())
 return -EPERM;
 if (sk->socket->state != SS_UNCONNECTED) {
@@ -1051,7 +1093,6 @@
 goto clean_all;
 }
- /* use our own fake conntrack entry, which indicates that packet was tproxied, this let's us use the same -m tproxy match in our filter rules. The original idea of using a fake conntrack entry to avoid conntracking
@@ -1083,7 +1124,7 @@
 INIT_LIST_HEAD(&ip_tproxy_bylocal[i]);
 INIT_LIST_HEAD(&ip_tproxy_byforeign[i]);
 }
-
+
 ret = nf_register_hook(&ip_tproxy_local_out_ops);
 if (ret < 0) {
 printk("ip_tproxy: can't register local out hook.\n");
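Review bot: `check_permissions()` in the -45 hunk grants the full tproxy control path (the setsockopt site in the -727 hunk, which no longer requires CAP_NET_ADMIN) to any process in group `tproxy_gid`, and that static is zero-initialised, so until the sysctl is written membership in gid 0 alone is enough to pass. Treat the unset value as "not configured" rather than as a real group: `if ( tproxy_gid != 0 && in_egroup_p(tproxy_gid) )` with the comment `/* 0 == sysctl not set: CAP_NET_ADMIN only */` above it. The hard-coded ctl_name 666 in `tproxy_gid_table` is an arbitrary binary sysctl number inside the net.ipv4 directory and can collide with another entry resolved through sysctl(2); pick a number reserved in the kernel's NET_IPV4 enum or at least document the collision risk in place of the current comment. `proc_dointvec` also assumes the backing object is `int`-sized, which presumably holds for `gid_t` in this kernel but is worth a comment on the `sizeof(tproxy_gid)` line — confirm.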
@@ -1108,12 +1149,21 @@
 goto clean_preops;
 }
+#ifdef CONFIG_SYSCTL
+ if ( !(sysctl_hdr = register_sysctl_table(root_table, 0)) )
+ goto clean_table;
+#endif
+
 nf_register_sockopt(&ip_tproxy_sockopts);
 printk("Transparent proxy support initialized %p.\n", &ip_tproxy_fake_ct);
 return ret;
 clean_all:
+
+ unregister_sysctl_table(root_table);
 nf_unregister_sockopt(&ip_tproxy_sockopts);
+
+clean_table:
 ipt_unregister_table(&tproxy_table);
 clean_preops:
@@ -1131,7 +1181,7 @@
 clean_sockref_table:
 kmem_cache_destroy(ip_tproxy_sockref_table);
-
+
 clean_nothing:
 return ret;
 }
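Review bot: `unregister_sysctl_table(root_table)` under `clean_all:` passes the `struct ctl_table` array, while the registration above stores the `struct ctl_table_header *` it returns in `sysctl_hdr`, which is what the unregister call takes; the call is also outside the `#ifdef CONFIG_SYSCTL` that declares both `root_table` and `sysctl_hdr`, so a build without sysctl support fails to compile and a build with it unregisters through the wrong pointer type. Any path that reaches `clean_all` before the registration (the `goto clean_all` in the -1051 hunk looks like one, if it belongs to this function) would additionally hand a never-registered header to the kernel. Replace the call with `#ifdef CONFIG_SYSCTL` / `if (sysctl_hdr) unregister_sysctl_table(sysctl_hdr);` / `#endif`. The module's exit routine is not in the diff; it needs the same unregister or the table stays linked into the sysctl tree after unload. The enclosing init function begins before this hunk.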