linux
Ajex, 2013-09-05 15:07:18

How to do transparent tunneling of traffic (preserving the client IP) in Linux?

There is a need to put a separate filtering server in front of the main frontend. However, the client IP addresses must not be lost on the way out: they need to arrive at the frontend transparently and be logged there.
What are the best tools to solve this problem?
The goal is to filter various garbage at the iptables level, perhaps some small anti-DDoS protection. The load will be small.


6 answer(s)
Ilya Evseev, 2013-09-05
@IlyaEvseev

Bridge + iptables:
habrahabr.ru/qa/29447/#answer_117693

WEBIVAN, 2013-09-05
@WEBIVAN

If the traffic is to a website, then X-Forwarded-For.

stavinsky, 2013-09-05
@stavinsky

I think, if I understand correctly, and the machines will be physically nearby, or they are virtual machines, then:
1. Tunneling is clearly unnecessary here; I think you can get by with a virtual bridge on the proxying machine. (It will physically sit between the backend and the provider.)
2. In the proposed version, you do not have to reconfigure anything on the backend, since the IP addresses will remain on it.
3. Filtering will be entirely possible with iptables. (Although I could be wrong, ebtables is more likely to be needed; correct me.)
4. The solution is universal and will support any type of IP traffic.

mastini, 2013-09-05
@mastini

Why didn't anyone suggest HAProxy?
It works for me like this:
Client -> iptables -> haproxy -> backend
Depending on your needs, you can configure haproxy to work anywhere from L3 to L7.

Yagoda123, 2013-09-07
@Yagoda123

A filter server with one interface. It redirects traffic to the processing server without SNAT.
The client must contact the filtering server and receive the response through it.
That is, for the client, the processing server's IP = the filter's IP, with the corresponding records in DNS (if we are talking about a web server).
Redirecting traffic from the client to the processing server is just DNAT. But in order for the response to go back through the filter, the processing server must have its default route pointing at the filter. This means that the filter and the server itself must be on the same subnet.
It's probably best to set up a VPN from the frontend to the filter (or vice versa, whichever is easier) and configure routes on both sides.
Well, for protection, block everything unnecessary (almost everything) on the normal interface of the processing server.
If only web traffic is expected, then nginx + X-Forwarded-For. At the same time, any filtering can be done in nginx. Or you can try to get by with Squid; you will also get caching as a bonus.
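The DNAT-without-SNAT setup this answer describes, written out as an added example (not from the thread). The addresses and interface names are constructed placeholders; the filter has a public address on eth0 and shares a private subnet with the backend on eth1, and the backend's default route must point at the filter so that conntrack can un-DNAT the replies. The rules are generated as text so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: DNAT without SNAT on a Linux filter host, so the backend
# sees the real client source address. All addresses are constructed
# (RFC 5737 / RFC 1918) placeholders, not values from the thread.
FILTER_PUBLIC_IP="203.0.113.10"   # filter's public address (constructed)
FILTER_INNER_IP="10.0.0.1"        # filter's address on the private link (constructed)
BACKEND_IP="10.0.0.2"             # processing server on the same subnet (constructed)
WAN_IF="eth0"
LAN_IF="eth1"

# Print the rule set instead of applying it, so it can be reviewed
# (and tested) before being piped into a root shell.
gen_filter_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
# Client -> filter:80 is rewritten to the backend; the source IP is left untouched
iptables -t nat -A PREROUTING -i $WAN_IF -d $FILTER_PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $BACKEND_IP:80
# Replies come back through the filter only because the backend routes via $FILTER_INNER_IP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Light anti-DDoS: cap the rate of new connections per client source address
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $BACKEND_IP -p tcp --dport 80 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name web --hashlimit-mode srcip --hashlimit-above 30/second --hashlimit-burst 60 -j DROP
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $BACKEND_IP -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Everything else that is not a tracked reply is dropped by the chain policy
EOF
}

# The route the backend needs (run on the backend; Linux syntax shown).
backend_route_cmd() {
    echo "ip route replace default via $FILTER_INNER_IP"
}

# Sanity check: a SNAT/MASQUERADE rule would hide the client IP from the backend.
rules_preserve_client_ip() {
    gen_filter_rules | grep -Eq 'MASQUERADE|-j SNAT' && return 1
    return 0
}

# Apply on the filter host as root once the generated rules have been reviewed.
apply_filter_rules() {
    gen_filter_rules | sh
}
```

Without a default route through the filter on the backend, replies would leave with the backend's own source address and the client would drop them as unrelated.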

Yagoda123, 2013-09-07
@Yagoda123

PS.

"No, the machines are remote, in a DC, not virtual machines. The frontend is definitely a dedicated server (Win 2008), the tunnel is a Linux VPS."

Then why not bring up a Linux virtual machine on the Win 2008 box and run all the traffic through that virtual machine?
