Transparent Bonding Proxy

From Bondix Wiki
Revision as of 13:02, 1 June 2023

Transparent Bonding Proxy

Transparent Bonding Proxy (TBP) is a work-in-progress extension that allows Bonding Proxy to establish connections using the client's original IP. Without TBP, connections made through Bonding Proxy always use the server's default IP address as their source, even if subnets are properly routed to a client.

Transparent Bonding Proxy is currently under development and is included in snapshot versions starting with 20230426.

Prerequisites

TBP only works with server routes, and only when masquerading is disabled on the client.

saneserver uses the IP_TRANSPARENT socket option to bind to non-local IP addresses, which requires the CAP_NET_ADMIN capability. For proper operation, the server must identify incoming traffic that belongs to Bonding Proxy connections and mark it for local delivery:

# iptables -t mangle -N DIVERT
# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# iptables -t mangle -A DIVERT -j MARK --set-mark 1
# iptables -t mangle -A DIVERT -j ACCEPT

Then, create a routing table that treats your routed subnet(s) as local, and send marked packets to it:

# ip rule add fwmark 1 lookup 100
# ip route add local 0.0.0.0/0 dev lo table 100

0.0.0.0/0 treats every destination as local, so any address can be used. While this works, it has security implications: any marked packet, whatever its destination, is delivered to a local socket instead of being routed. Add only your routed subnets to table 100 instead, to keep the scope as small as possible.
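The prerequisite steps above, gathered into one script as an added example (not code from the Bondix wiki or from saneserver): it emits the DIVERT chain, the fwmark rule and the local routes for an explicit list of routed subnets, and refuses the catch-all 0.0.0.0/0. Mark 1, table 100 and the DIVERT chain name follow the wiki; the variables TBP_MARK and TBP_TABLE and the function names are assumptions introduced here.

```sh
#!/bin/sh
# Added example, not code from the Bondix wiki or from saneserver: builds the
# TBP prerequisite rules for a list of routed subnets instead of 0.0.0.0/0.
# Mark 1, table 100 and the DIVERT chain follow the wiki; TBP_MARK, TBP_TABLE
# and the function names are assumptions introduced here. Applying needs root.

TBP_MARK=${TBP_MARK:-1}
TBP_TABLE=${TBP_TABLE:-100}

# Print the commands for the given routed subnets, one per line, without
# executing them. Each command is written so that re-running it is harmless:
# "iptables -C" checks for an existing rule, "ip route replace" overwrites.
# The catch-all 0.0.0.0/0 is refused on purpose; other arguments only get a
# rough a.b.c.d/n shape check.
tbp_rules() {
    [ "$#" -gt 0 ] || { echo "tbp_rules: give at least one routed subnet" >&2; return 1; }
    for net in "$@"; do
        case "$net" in
            0.0.0.0/0 | 0/0)
                echo "tbp_rules: refusing catch-all $net; list routed subnets instead" >&2
                return 1 ;;
            [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
            *)
                echo "tbp_rules: $net is not an IPv4 CIDR prefix" >&2
                return 1 ;;
        esac
    done
    cat <<EOF
iptables -t mangle -L DIVERT -n >/dev/null 2>&1 || iptables -t mangle -N DIVERT
iptables -t mangle -C PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null || iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -C DIVERT -j MARK --set-mark $TBP_MARK 2>/dev/null || iptables -t mangle -A DIVERT -j MARK --set-mark $TBP_MARK
iptables -t mangle -C DIVERT -j ACCEPT 2>/dev/null || iptables -t mangle -A DIVERT -j ACCEPT
ip rule del fwmark $TBP_MARK lookup $TBP_TABLE 2>/dev/null || true; ip rule add fwmark $TBP_MARK lookup $TBP_TABLE
EOF
    for net in "$@"; do
        echo "ip route replace local $net dev lo table $TBP_TABLE"
    done
}

# Generate and execute the rules in one step (root required).
tbp_apply() {
    tbp_rules "$@" | sh -e
}

# Show what the kernel currently has, for checking after tbp_apply.
tbp_show() {
    iptables -t mangle -S DIVERT
    iptables -t mangle -S PREROUTING | grep -- '-j DIVERT'
    ip rule show | grep fwmark
    ip route show table "$TBP_TABLE"
}

# Usage: review first, then apply.
#   tbp_rules 10.0.1.0/24 192.168.5.0/24
#   tbp_apply 10.0.1.0/24 192.168.5.0/24 && tbp_show
```

Review the output of tbp_rules before running tbp_apply; the only lines that differ from the wiki's commands are the existence checks and the per-subnet local routes that replace the single 0.0.0.0/0 route.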

Currently, TBP is activated for any proxy connection initiated by a client with a routed IP.

If "Outgoing IP" is configured in the tunnel's environment settings, this IP will be used for masquerading instead.

Known issues

  • When a daemon on the server listens on 0.0.0.0 (any IP), the socket match above finds that listener for incoming connections addressed to any host in your routed subnet on the same port, so those connections are marked, delivered to the server daemon and never reach the client. saneserver's current default configuration does exactly that. Binding such daemons to the server's own addresses avoids this; restricting the match to transparent sockets (-m socket --transparent) is another option to evaluate.
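A check for the known issue above, as an added example (not code from the Bondix wiki or from saneserver): it lists the TCP ports on which some daemon is bound to the wildcard address, since those are the ports on which connections to the routed subnet would be captured by the server. It parses "ss -Hltn" output (listening TCP sockets, numeric, no header); the function names and the sample output embedded for offline use are assumptions introduced here.

```sh
#!/bin/sh
# Added example, not code from the Bondix wiki or from saneserver: lists TCP
# ports on which some daemon listens on the wildcard address. Such a listener
# captures connections addressed to the routed subnet on that port once the
# TBP rules are in place. Reads "ss -Hltn" output from stdin; the function
# names are assumptions.

# Print the ports of listeners bound to 0.0.0.0, * or [::] (the IPv6 wildcard
# also accepts IPv4 unless the socket is v6-only), one per line, sorted and
# unique. Column 4 of "ss -Hltn" output is Local Address:Port.
tbp_wildcard_listeners() {
    awk '$4 ~ /^(0\.0\.0\.0|\*|\[::\]):[0-9]+$/ { sub(/.*:/, "", $4); print $4 }' \
        | sort -n -u
}

# Run against the live system. Returns 1 when anything is found, so the check
# can gate the TBP setup in a script.
tbp_check_listeners() {
    found=$(ss -Hltn 2>/dev/null | tbp_wildcard_listeners)
    if [ -n "$found" ]; then
        echo "wildcard TCP listeners on ports: $(echo "$found" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Constructed sample in the shape of "ss -Hltn" output, for testing offline.
# Process names and ports are made up; only 0.0.0.0:22, [::]:22 and *:8443
# are wildcard binds.
TBP_SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=611,fd=3))
LISTEN 0 511 10.0.0.1:8080 0.0.0.0:* users:(("nginx",pid=900,fd=6))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=611,fd=4))
LISTEN 0 64 *:8443 *:* users:(("exampled",pid=1200,fd=5))
LISTEN 0 128 127.0.0.1:25 0.0.0.0:* users:(("postfix",pid=700,fd=9))'

# For the sample this prints 22 and 8443.
printf '%s\n' "$TBP_SAMPLE_SS" | tbp_wildcard_listeners
```

Run tbp_check_listeners before applying the TBP rules; each port it reports is one where the server daemon, not the client behind the routed subnet, will answer.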