add links to ip-routing transparent proxying

README.md

@@ -36,18 +36,34 @@ Configuration
 
 Please refer to the [configuration guide](doc/config.md).
 
+Transparent proxying
+--------------------
+
 Transparent proxying allows the target server to see the
 original client IP address, i.e. `sslh` becomes invisible.
-This makes it easier to use the server's logs, and potential
-IP-based banning ability.
 
-Configuration of transparent proxying is highly dependent on
+This means services behind `sslh` (Apache, `sshd` and so on)
-your network environment and infrastructure setup. There is
+will see the external IP and ports as if the external world
-no known generic approach, and if you do not find directions
+connected directly to them. This simplifies IP-based access
-for your exact setup, you will probably need an extensive
+control (or makes it possible at all), and makes it possible
-knowledge of network management and iptables setup".
+to use IP-based banning tools such as `fail2ban`.
+
+There are two methods. One uses additional virtual network
+interfaces. The principle and basic setup is described
+[here](doc/simple_transparent_proxy.md), with further
+scenarios described [there](doc/scenarios-for-simple-transparent-proxy.md).
+
+
+Another method uses iptable packet marking features, and is
+highly dependent on your network environment and
+infrastructure setup. There is no known generic approach,
+and if you do not find directions for your exact setup, you
+will probably need an extensive knowledge of network
+management and iptables setup".
 
 It is described in its own [document](doc/tproxy.md).
+In most cases, you will be better off following the first
+method.
 
 
 Docker image

doc/simple_transparent_proxy.md

@@ -1,4 +1,4 @@
-# Simple Transparent Proxy Configuration Explained #
+# Transparent Proxy Configuration Using IP Routing#
 This documentation is another explanation of the transparent proxy with the goal, beeing secure and minimalistic. Besides this documentation will explain, how and why this configuration works.
 The explanation will only describe the connection to sshd, so the target sshd can be replace with any other target service, sslh supports.
 
@@ -130,4 +130,4 @@ In this case, you need to add a special route back to the sslh host, for all tra
 ```
 The details are depending on your network settings. Als long, as the forward chain to the hidden service passes systems under your control, you can add backroutes on each system in that route. Precondition: The used ip address produces no conflict on those systems.
 
-[I added a second document](./scenarios-for-simple-transparent-proxy.md), describing three possible scenarios in detail. Those three scenarios should cover all setups related to transparent proxying. 
+[I added a second document](./scenarios-for-simple-transparent-proxy.md), describing three possible scenarios in detail. Those three scenarios should cover all setups related to transparent proxying. 

doc/tproxy.md

@@ -1,15 +1,11 @@
-# Transparent proxy
+# Transparent proxy using packet marking
 
-On Linux and FreeBSD you can use the `--transparent` option to
+Before reading further, make sure you try to set up
-request transparent proxying. This means services behind `sslh`
+transparent proxying using [IP routing](doc/simple_transparent_proxy.md).
-(Apache, `sshd` and so on) will see the external IP and ports
+It is conceptually easier to understand, cleaner, and more
-as if the external world connected directly to them. This
+portable.
-simplifies IP-based access control (or makes it possible at
-all).
 
-This document shows recipes that may help to do that.
+Using this method is very tricky and
-
-Note that getting this to work is very tricky and
 detail-dependant: depending on whether the target server and
 sslh are on the same machine, different machines, or
 different dockers, and tool versions, all seem to change the