Transparent Bonding Proxy: Difference between revisions
(brain dump) |
No edit summary |
||
Line 16: | Line 16: | ||
0.0.0.0/0 allows any IP to be used. While this also works, it has security implications - add your routed subnets instead to minimize risks. | 0.0.0.0/0 allows any IP to be used. While this also works, it has security implications - add your routed subnets instead to minimize risks. | ||
Currently, TBP will be activated for any proxy connection initiated by a client with a routed IP. If | Currently, TBP will be activated for any proxy connection initiated by a client with a routed IP. ( | ||
If "Outgoing IP" is configured in the tunnel's environment settings, this IP will be used for masquerading instead. | |||
=== Known issues === | === Known issues === | ||
* When a daemon is listening on 0.0.0.0 (any IP), this will take precedence over incoming connections targetting a target in your subnet. | * When a daemon on the server is listening on 0.0.0.0 (any IP), this will take precedence over incoming connections targetting a target in your subnet. saneserver's current default configuration is doing exactly that. |
Revision as of 00:17, 27 April 2023
Transparent Bonding Proxy (TBP) as a work in progress extension that allows Bonding Proxy to establlish connections using the client's original IP. Without TBP, connections utilizing Bonding Proxy will always use the server's default IP address, even if subnets are properly routed to a client.
Transparent Bonding Proxy is currently under development and has been added in snapshot versions starting 20230426.
Prerequisites
TBP only works with server routes and masquerading disabled on the client.
saneserver uses IP_TRANSPARENT to bind to non-local ip addresses, which required CAP_ADMIN capabilities. For proper operation, we must identify traffic that matches our Bonding Proxy connections:
# iptables -t mangle -N DIVERT # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT # iptables -t mangle -A DIVERT -j MARK --set-mark 1 # iptables -t mangle -A DIVERT -j ACCEPT
Then, create a routing table that defines your routed subnet(s) as local
# ip rule add fwmark 1 lookup 100 # ip route add local 0.0.0.0/0 dev lo table 100
0.0.0.0/0 allows any IP to be used. While this also works, it has security implications - add your routed subnets instead to minimize risks.
Currently, TBP will be activated for any proxy connection initiated by a client with a routed IP. (
If "Outgoing IP" is configured in the tunnel's environment settings, this IP will be used for masquerading instead.
Known issues
- When a daemon on the server is listening on 0.0.0.0 (any IP), this will take precedence over incoming connections targetting a target in your subnet. saneserver's current default configuration is doing exactly that.