Transparent Reverse Proxy

This applies to the version of Pen in Git, and to 0.29.0 once it is released.

With the exception of Direct Server Return, Pen works as a proxy: a client connects to Pen and Pen opens a new connection to an available server. A side effect of this is that the server sees Pen's address as the peer and can't see the original client IP address.

For http, and for https where Pen also does SSL termination, the X-Forwarded-For header can be used to communicate the address. It is activated by the -H option and adds the header to the request if it isn't already there. Note that this means a client can supply its own X-Forwarded-For and Pen will pass it through untouched, so a backend should only believe the header on connections that actually come from Pen, and should treat a value the client could have chosen with suspicion. It is also a web-specific solution and doesn't work for e.g. mail, where you also want to preserve the client address.
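The following is an added example, not Pen's code, modelling the two sides of the X-Forwarded-For arrangement in plain Python. forward_add_if_absent() reproduces the -H behaviour as the post describes it (set the header only when the client did not send one); forward_append() is an alternative policy, not something Pen is documented to do, that always appends the peer address the proxy really saw. client_ip_from() is a backend-side parser that walks the chain from the right and stops at the first hop that is not a trusted proxy. The proxy and client addresses are the ones used in the post; the attacker-supplied value 203.0.113.9 and the trusted-proxy set are constructed for the example.

```python
"""X-Forwarded-For: what a backend can and cannot conclude from it.

Added example, not part of Pen. The 'add if absent' policy matches the
post's description of -H; the 'append' policy is an alternative shown for
contrast. The forged value 203.0.113.9 is constructed for the example.
"""

PROXY_IP = "192.168.100.10"   # Pen's address as the backend sees it (from the post)
CLIENT_IP = "192.168.100.2"   # the real client (from the post)


def forward_add_if_absent(headers, client_ip):
    """Model of Pen's -H as described: add X-Forwarded-For only if missing."""
    out = dict(headers)
    out.setdefault("X-Forwarded-For", client_ip)
    return out


def forward_append(headers, client_ip):
    """Alternative policy (not Pen's): always append the peer actually seen."""
    out = dict(headers)
    prev = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{prev}, {client_ip}" if prev else client_ip
    return out


def client_ip_from(headers, peer_ip, trusted_proxies):
    """Backend side: walk the X-Forwarded-For chain from the right.

    Only the entry written by a trusted proxy can be believed; everything to
    its left was supplied by whoever connected to that proxy. If the TCP
    peer is not a trusted proxy at all, the peer itself is the client and
    the header is ignored entirely.
    """
    if peer_ip not in trusted_proxies:
        return peer_ip
    raw = headers.get("X-Forwarded-For", "")
    chain = [hop.strip() for hop in raw.split(",") if hop.strip()]
    for hop in reversed(chain):
        if hop not in trusted_proxies:
            return hop
    return peer_ip  # chain was empty or contained only proxies


def demo():
    """Three scenarios; returns the client IP the backend would log for each."""
    honest = {"Host": "example.test"}
    forged = {"Host": "example.test", "X-Forwarded-For": "203.0.113.9"}  # constructed
    trusted = {PROXY_IP}
    return {
        # No header from the client: add-if-absent writes the true address.
        "honest_add_if_absent": client_ip_from(
            forward_add_if_absent(honest, CLIENT_IP), PROXY_IP, trusted),
        # Client pre-supplied the header: add-if-absent leaves the forgery in place.
        "forged_add_if_absent": client_ip_from(
            forward_add_if_absent(forged, CLIENT_IP), PROXY_IP, trusted),
        # Append policy: the rightmost entry is the proxy's own observation.
        "forged_append": client_ip_from(
            forward_append(forged, CLIENT_IP), PROXY_IP, trusted),
    }
```

Run demo() and compare the three results: with the add-if-absent policy the forged request is attributed to 203.0.113.9, which is exactly the case the transparent option in the rest of the post avoids, since the backend then reads the address off the TCP connection instead of a header.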

Now there is another solution to the problem. The transparent option makes Pen "spoof" the client's IP address in its outgoing connection to the backend server: the connection Pen opens carries the client's address as its source, so the server sees the client directly, whatever the protocol.

Here, debian2 is the client with IP 192.168.100.2 and debian3 is the server with IP 192.168.101.3. Pen sits in between with IP addresses 192.168.100.10 and 192.168.101.10. Debian2 and debian3 have static routes set up so they can reach each other through the host running Pen. This matters because the server's replies are addressed to the client's IP, and they must pass through the Pen host rather than take some other path, or Pen never sees them.

There is a bunch of network configuration that needs to be done on the Pen host to get the return traffic to go where it should. The replies from the server are addressed to 192.168.100.2, which is not a local address on the Pen host, so by default the kernel would forward or drop them instead of handing them to Pen. First some firewall rules, which mark every incoming TCP packet that belongs to a local socket (the -m socket match finds Pen's spoofed connection by its addresses and ports):

root@debian:~# iptables -t mangle -N DIVERT
root@debian:~# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
root@debian:~# iptables -t mangle -A DIVERT -j MARK --set-mark 1
root@debian:~# iptables -t mangle -A DIVERT -j ACCEPT

And then a few special routes. The policy rule sends marked packets to routing table 100, and the single entry in that table declares every destination local, so the kernel delivers them to Pen's socket instead of routing them onward:

root@debian:~# ip rule add fwmark 1 lookup 100
root@debian:~# ip route add local 0.0.0.0/0 dev lo table 100

The Pen command line looks like this. -d turns on debugging, -f keeps Pen in the foreground, and -O transparent enables the address spoofing; it has to run as root because binding a socket to an address that is not local requires CAP_NET_ADMIN. The backend address is debian3's, 192.168.101.3:

sudo ./pen -df -O transparent 192.168.100.10:5001 192.168.101.3

(Screenshots: transparent-client, transparent-server.)

The server sees the original client IP address 192.168.100.2, not Pen's 192.168.101.10.
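To show what "spoofing" the client address means at the socket level, here is an added example of a minimal transparent TCP forwarder in Python. It is not Pen's code; it uses the Linux IP_TRANSPARENT socket option, which is the kernel mechanism the DIVERT and fwmark setup above exists to support: the upstream socket is bound to the client's address before connecting, so the backend sees the client as its peer and sends replies to the client's IP, which the marked-packet rules then deliver to this socket. Running it for real needs root, the iptables and ip rule configuration from the post, and the static routes on both hosts; the addresses in the __main__ block are the post's topology. The transparent=False path binds only to local addresses and exists so the logic can be exercised without privileges.

```python
"""Minimal transparent TCP forwarder (added example, not Pen's code).

The upstream connection is opened with the client's own address as its
source. That needs the Linux IP_TRANSPARENT option and CAP_NET_ADMIN, plus
the DIVERT/fwmark rules from the post so that the backend's replies, which
are addressed to the client, are delivered to our socket on this host.
"""
import socket
import threading

# Linux-specific; Python exposes it on Linux builds, 19 is the kernel value.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def open_upstream(source_ip, backend, transparent=True):
    """Connect to backend presenting source_ip as our own address.

    With transparent=True the kernel allows binding to an address that is
    not configured on this host (the client's). With transparent=False the
    bind still happens before connect, but only for local addresses; that
    path needs no privileges and is what the test uses.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if transparent:
        s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)  # needs CAP_NET_ADMIN
    s.bind((source_ip, 0))      # port 0: let the kernel pick an ephemeral port
    s.connect(backend)
    return s


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst for writing."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, backend, transparent=True):
    """One proxied connection: spoof the client's IP towards the backend."""
    client_ip = client.getpeername()[0]
    upstream = open_upstream(client_ip, backend, transparent)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    upstream.close()
    client.close()


def serve(listen, backend, transparent=True):
    """Accept loop; one thread per client connection."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(listen)
    ls.listen(16)
    while True:
        c, _ = ls.accept()
        threading.Thread(target=handle, args=(c, backend, transparent),
                         daemon=True).start()


if __name__ == "__main__":
    # Topology from the post: Pen host 192.168.100.10, backend debian3.
    # Must run as root with the DIVERT/fwmark rules in place.
    serve(("192.168.100.10", 5001), ("192.168.101.3", 5001))
```

Without the routing rules the backend's SYN-ACK, addressed to 192.168.100.2, would simply be forwarded on towards the client (or dropped if forwarding is off) and connect() here would time out; the -m socket match is what turns "a packet for an address that is not ours" into "a packet for a socket we own".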

