Transparent proxy patch for Pound reverse proxy.

TPROXY is Linux specific.
TPROXY is available in mainline kernel from 2.6.30, thanks to Balabit Ltd. for this excellent code.
You can find patches for earlier kernels at: http://www.balabit.com/downloads/files/tproxy/

##About this patch

Using Pound as transparent proxy have some impact on CPU usage.

Adds a new TProxy global option and a TProxy option for backend.

If global TProxy option is switched on Pound preserves NET_ADMIN capability which needs for TPROXY.
If global TProxy option is switched off Pound works as unpatched version.

You can switch on transparent proxy feature on a backend by adding TProxy 1 to that in config.

You should set the following:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -s 10.0.1.141 -p tcp -sport 80 -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 111
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 111 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

(10.0.0.141:80 is a backend address outside Pound host. If you use different backend server than Pound host than backend hosts need to use Pound host as gateway.)

and

iptables -t mangle -A OUTPUT -s 10.0.0.142 -p tcp –sport 81 -j DIVERT

(10.0.0.142:81 is a backend address inside Pound host)

You can find further useful information at:
http://blog.loadbalancer.org/transparent-proxy-of-ssl-traffic-using-pound-to-haproxy-backend-patch-and-howto/

LogLevel 5
LogFacility -
Client  30
TimeOut 60
TProxy 1

ListenHTTP
    Address 0.0.0.0
    Port    80
        Service
            BackEnd
	            Address 192.168.0.1
	            Port    81
	            TProxy 1
            End
    End
End

Patch by: ivan < github-ivan ( ) enfinity.hu >