From 5e252bb3f692fc0cfc4029145ea1ad4bb0d90448 Mon Sep 17 00:00:00 2001 From: Yves Rutschle Date: Wed, 12 Jun 2024 09:40:33 +0200 Subject: [PATCH] add links to ip-routing transparent proxying --- README.md | 30 +++++++++++++++++++++++------- doc/simple_transparent_proxy.md | 4 ++-- doc/tproxy.md | 16 ++++++---------- 3 files changed, 31 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 093c79de..23655452 100644 --- a/README.md +++ b/README.md 
@@ -36,18 +36,34 @@ Configuration Please refer to the [configuration guide](doc/config.md). +Transparent proxying +-------------------- + Transparent proxying allows the target server to see the original client IP address, i.e. `sslh` becomes invisible. -This makes it easier to use the server's logs, and potential -IP-based banning ability. -Configuration of transparent proxying is highly dependent on -your network environment and infrastructure setup. There is -no known generic approach, and if you do not find directions -for your exact setup, you will probably need an extensive -knowledge of network management and iptables setup". +This means services behind `sslh` (Apache, `sshd` and so on) +will see the external IP and ports as if the external world +connected directly to them. This simplifies IP-based access +control (or makes it possible at all), and makes it possible +to use IP-based banning tools such as `fail2ban`. + +There are two methods. One uses additional virtual network +interfaces. The principle and basic setup is described +[here](doc/simple_transparent_proxy.md), with further +scenarios described [there](doc/scenarios-for-simple-transparent-proxy.md). + + +Another method uses iptable packet marking features, and is +highly dependent on your network environment and +infrastructure setup. There is no known generic approach, +and if you do not find directions for your exact setup, you +will probably need an extensive knowledge of network +management and iptables setup". It is described in its own [document](doc/tproxy.md). +In most cases, you will be better off following the first +method. Docker image diff --git a/doc/simple_transparent_proxy.md b/doc/simple_transparent_proxy.md index f8a55b62..13625ac9 100644 --- a/doc/simple_transparent_proxy.md +++ b/doc/simple_transparent_proxy.md 
@@ -1,4 +1,4 @@ -# Simple Transparent Proxy Configuration Explained # +# Transparent Proxy Configuration Using IP Routing# This documentation is another explanation of the transparent proxy with the goal, beeing secure and minimalistic. Besides this documentation will explain, how and why this configuration works. The explanation will only describe the connection to sshd, so the target sshd can be replace with any other target service, sslh supports. @@ -130,4 +130,4 @@ In this case, you need to add a special route back to the sslh host, for all tra ``` The details are depending on your network settings. Als long, as the forward chain to the hidden service passes systems under your control, you can add backroutes on each system in that route. Precondition: The used ip address produces no conflict on those systems. -[I added a second document](./scenarios-for-simple-transparent-proxy.md), describing three possible scenarios in detail. Those three scenarios should cover all setups related to transparent proxying. \ No newline at end of file +[I added a second document](./scenarios-for-simple-transparent-proxy.md), describing three possible scenarios in detail. Those three scenarios should cover all setups related to transparent proxying. diff --git a/doc/tproxy.md b/doc/tproxy.md index 057d7207..3f28d143 100644 --- a/doc/tproxy.md +++ b/doc/tproxy.md 
@@ -1,15 +1,11 @@ -# Transparent proxy +# Transparent proxy using packet marking -On Linux and FreeBSD you can use the `--transparent` option to -request transparent proxying. This means services behind `sslh` -(Apache, `sshd` and so on) will see the external IP and ports -as if the external world connected directly to them. This -simplifies IP-based access control (or makes it possible at -all). +Before reading further, make sure you try to set up +transparent proxying using [IP routing](doc/simple_transparent_proxy.md). +It is conceptually easier to understand, cleaner, and more +portable. -This document shows recipes that may help to do that. - -Note that getting this to work is very tricky and +Using this method is very tricky and detail-dependant: depending on whether the target server and sslh are on the same machine, different machines, or different dockers, and tool versions, all seem to change the
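Review bot: in the README.md hunk, the added line `management and iptables setup". It is described in its own` carries over the stray closing quote from the removed text (`knowledge of network management and iptables setup".`); drop the `"` so it reads `management and iptables setup. It is described in its own`. In the same hunk, `Another method uses iptable packet marking features` should read `iptables packet marking`, matching the tool name used two lines later. The new closing sentence `In most cases, you will be better off following the first method.` would also be stronger with the reason attached, and the tproxy.md hunk already supplies it: `it is conceptually easier to understand, cleaner, and more portable.`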
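Review bot: the new heading in doc/simple_transparent_proxy.md, `# Transparent Proxy Configuration Using IP Routing#`, is missing the space before the trailing `#`. In Markdown a closing hash sequence only counts as part of the heading marker when it is preceded by whitespace, so as written the `#` is rendered literally as part of the title. Either write `# Transparent Proxy Configuration Using IP Routing #` (the old heading's style) or drop the trailing `#` altogether. Since the file is being touched anyway, the unchanged context line directly below the heading has two typos worth fixing in the same change: `beeing` and `can be replace with`.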
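Review bot: the link `[IP routing](doc/simple_transparent_proxy.md)` added to doc/tproxy.md is resolved relative to the doc/ directory, so it points at doc/doc/simple_transparent_proxy.md, which does not exist; it should be `simple_transparent_proxy.md` (or `./simple_transparent_proxy.md`, the form the sibling document already uses for `./scenarios-for-simple-transparent-proxy.md`). The `doc/` prefix is only correct in README.md, which lives at the repository root. Separately, the removed paragraph was the only place in this file that told the reader the `--transparent` option exists and is available on Linux and FreeBSD; unless that sentence survives elsewhere, it is worth keeping a one-line mention of `--transparent` ahead of the pointer to the IP-routing document, because the rest of the page still assumes the reader knows the flag.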