Transparent Reverse Proxy - UlricE/pen GitHub Wiki

With the exception of Direct Server Return, Pen works as a proxy: a client connects to Pen and Pen opens a new connection to an available server. A side effect of this is that the server can’t see the original client IP address.

For http, and for https where Pen also does SSL termination, the X-Forwarded-For header can be used to communicate the address. It is activated by the -H option and adds the header to the request if it isn't already there. But this is a web-specific solution and doesn't work for protocols such as mail, where you also want to preserve the client address.

Another solution is the transparent option, which makes Pen "spoof" the client's IP address in its outgoing connection to the backend server. This is supported on Linux, FreeBSD and OpenBSD, each requiring some platform-specific configuration on the load balancer host.

Linux

Some network configuration needs to be done on the Pen host in order to make the return traffic go where it should. First some firewall rules:

root@debian:~# iptables -t mangle -N DIVERT
root@debian:~# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
root@debian:~# iptables -t mangle -A DIVERT -j MARK --set-mark 1
root@debian:~# iptables -t mangle -A DIVERT -j ACCEPT

And then a few special routes:

root@debian:~# ip rule add fwmark 1 lookup 100
root@debian:~# ip route add local 0.0.0.0/0 dev lo table 100
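An added check, not part of the Pen project, that verifies the four iptables rules, the policy rule and the table 100 route above are all present. It runs on constructed sample output in the format of iptables-save, ip rule and ip route here, and check_live_host() runs the same checks against the real commands when run as root.

```python
import re
import subprocess

# Constructed sample output (not captured from a real host) in the
# format of `iptables-save -t mangle`, `ip rule show` and
# `ip route show table 100`, reflecting the rules on this page.
SAMPLE_MANGLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
SAMPLE_RULES = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
SAMPLE_ROUTE = "local default dev lo scope host\n"

# Each check: description, regex, and which command output it applies to.
CHECKS = [
    ("DIVERT chain exists", re.compile(r"^:DIVERT ", re.M), "mangle"),
    ("PREROUTING sends socket-matched TCP to DIVERT",
     re.compile(r"^-A PREROUTING .*-p tcp .*-m socket .*-j DIVERT", re.M), "mangle"),
    ("DIVERT sets mark 1",
     re.compile(r"^-A DIVERT -j MARK --set-(x)?mark 0x1(/0xffffffff)?$", re.M), "mangle"),
    ("DIVERT accepts", re.compile(r"^-A DIVERT -j ACCEPT$", re.M), "mangle"),
    ("fwmark 1 routes via table 100", re.compile(r"fwmark 0x1 lookup 100", re.M), "rules"),
    ("table 100 delivers everything locally", re.compile(r"^local default dev lo", re.M), "route"),
]

def missing_pieces(mangle, rules, route):
    """Return the descriptions of every required piece not found in the outputs."""
    outputs = {"mangle": mangle, "rules": rules, "route": route}
    return [desc for desc, rx, which in CHECKS if not rx.search(outputs[which])]

def check_live_host():
    """Collect the three outputs from this host (needs root) and report gaps."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    return missing_pieces(run("iptables-save", "-t", "mangle"),
                          run("ip", "rule", "show"),
                          run("ip", "route", "show", "table", "100"))

if __name__ == "__main__":
    print("sample config missing:", missing_pieces(SAMPLE_MANGLE, SAMPLE_RULES, SAMPLE_ROUTE))
```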

FreeBSD

FreeBSD requires far less in the way of special preparations than Linux does; in fact, a single firewall rule is all we need:

ipfw add 10 fwd 127.0.0.1 tcp from any 5001 to any in recv em2

OpenBSD

OpenBSD takes first prize in the easy management department by not requiring any special firewall rules or policy routing whatsoever.

Starting Pen

The Pen command is the same whether on Linux or *BSD:

sudo ./pen -df -O transparent 192.168.100.11:5001 192.168.101.3

In this example, debian2 is the client with IP 192.168.100.2 and debian3 is the server with IP 192.168.101.3. Pen sits in between with IP addresses 192.168.100.11 and 192.168.101.10. Debian2 and debian3 have static routes set up so they can reach each other through the host running Pen.

The client sees a connection from 192.168.100.2 to 192.168.100.11, while the server sees a connection from 192.168.100.2 to 192.168.101.3.
