Transparent proxy patch for Pound reverse proxy.

Patch for 2.4.5 (tested)
Patch for 2.5c (not tested)

make TPROXY=1

TPROXY is Linux specific.
TPROXY has been available in the mainline kernel since 2.6.30, thanks to Balabit Ltd. for this excellent code.
You can find patches for earlier kernels at:
Using Pound as a transparent proxy has some impact on CPU usage.

The patch adds a new global TProxy option and a TProxy option for backends.

If the global TProxy option is switched on, Pound preserves the NET_ADMIN capability, which is needed for TPROXY.
If the global TProxy option is switched off, Pound works like the unpatched version.
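
Why the patched Pound has to keep NET_ADMIN, shown as an added example that is not code from the patch: the standard Linux way to make a backend connection carry the client's source address is to set IP_TRANSPARENT on the outgoing socket and bind() it to that address, and the setsockopt call is the privileged step. It assumes the patch relies on this mechanism; the helper name tproxy_source_socket and the address 192.0.2.10 are constructed for illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19 /* value from <linux/in.h> */
#endif

enum tp_result { TP_OK, TP_BAD_ADDR, TP_NO_PRIV, TP_ERROR };

/* Added illustration, not code from the Pound patch (Linux only). Hypothetical
 * helper: open a TCP socket bound to the client's non-local IPv4 address. */
enum tp_result tproxy_source_socket(const char *client_ip, int *fd_out)
{
    struct sockaddr_in src;
    int fd, one = 1;
    *fd_out = -1; /* stays -1 on every failure path */
    memset(&src, 0, sizeof(src));
    src.sin_family = AF_INET; /* sin_port stays 0: the kernel picks a port */
    if (inet_pton(AF_INET, client_ip, &src.sin_addr) != 1)
        return TP_BAD_ADDR;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return TP_ERROR;
    /* Privileged step: ip(7) names CAP_NET_ADMIN; without it this is EPERM. */
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0) {
        enum tp_result r = (errno == EPERM) ? TP_NO_PRIV : TP_ERROR;
        close(fd);
        return r;
    }
    /* With IP_TRANSPARENT set, bind() accepts an address the host does not own. */
    if (bind(fd, (struct sockaddr *)&src, sizeof(src)) < 0) {
        close(fd);
        return TP_ERROR;
    }
    *fd_out = fd; /* caller would now connect() to the backend */
    return TP_OK;
}

int main(void)
{
    int fd;
    enum tp_result r = tproxy_source_socket("192.0.2.10", &fd); /* constructed */
    printf("result=%d fd=%d\n", (int)r, fd);
    if (fd >= 0) close(fd);
    return 0;
}
```

Because the capability stays with the Pound process for as long as it runs, leave the global TProxy option off on hosts that do not need transparent backends; Pound then behaves like the unpatched version.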

You can switch on the transparent proxy feature for a backend by adding TProxy 1 to that backend in the config.

You should set the following:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -s -p tcp --sport 80 -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 111
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 111 lookup 100
ip route add local dev lo table 100

( is a backend address outside the Pound host. If you use a backend server on a different host than the Pound host, then the backend hosts need to use the Pound host as their gateway.)


iptables -t mangle -A OUTPUT -s -p tcp --sport 81 -j DIVERT

( is a backend address inside the Pound host)

You can find some useful information at:

Sample config:

LogLevel        5
LogFacility -
Client  30
TimeOut 60
TProxy 1

        Port    80
                        Port    81
                        TProxy 1

Patch by:
ivan