On 2/11/19 6:16 AM, Rommel Rodriguez Toirac wrote:
> I have a DMZ with several hosts providing some services such as email, FTP,
> jabber, web and others. These services can be accessed both from the
> local network and from outside my network.
>
> Until now in the DMZ I had only one host that provided the web service (with
> apache), but now on the host where the email service runs I installed an
> application to serve webmail access (rainloop); it is configured using a web
> server (apache). Also, on another host I installed the Nextcloud+ONLYOFFICE
> combination as a server in the cloud, and it is hosted on an Apache server too.
> This means that in the DMZ there are different hosts listening on ports 80 and 443.
> Until now I had used a simple DNAT rule to forward all traffic coming from
> outside of my network to ports 80 and 443 to the IP of the host where the
> web service is running in the DMZ:
>
> DNAT:info net dmz:192.168.14.8 tcp 80,443
>
> But now there are three different hosts running apache listening on ports 80
> and 443, so when I try to access, from outside of my local network or DMZ,
> the host where Nextcloud is running, the webpage that responds is the webpage
> hosted on the host running the web service, not the Nextcloud webpage.
>
> How can I prevent this from happening? I mean, when someone outside of my
> network tries to access the webmail (rainloop) that is running on a host
> different (different IP) from the host where the web service runs, the page
> that the user sees in the browser should correspond to the rainloop webpage, or
> when trying to access Nextcloud, the web page should correspond with the
> service they try to access.
>
> This is the configuration of /etc/zones:
>
> fw firewall
> net ipv4
> loc ipv4
> dmz ipv4
>
>
> /etc/interfaces
>
> net enp4s1 tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> loc enp5s0 tcpflags,nosmurfs,routefilter,logmartians
> dmz enp7s0 tcpflags,nosmurfs,routefilter,logmartians
>
>
> /etc/policy
>
> loc net ACCEPT info
> net all DROP info
> all all REJECT info
>
>
> The network interfaces use static IPs:
>
> enp4s1: 10.10.120.254
> enp7s0: 192.168.14.1
> enp5s0: 192.168.41.1
>
>
> The server IP addresses are:
>
> gtmem.gtm.onat.gob.cu - 192.168.14.3
> gtmd.gtm.onat.gob.cu - 192.168.14.8
> gtmnb.gtm.onat.gob.cu - 192.168.14.11
> gtmoffice1.gtm.onat.gob.cu - 192.168.14.14
Given that you only have one external IP address and you apparently want to run the web servers on separate hosts, a reverse proxy is probably the best way to go. Both Apache and Nginx can be configured as a reverse proxy which would run on the Shorewall system. The proxy accepts incoming connections and forwards them based on the host name being connected to.

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
\_______________________________________________
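As an added illustration of the reverse-proxy setup Tom describes (this is not code from Tom's reply or from the Shorewall project), here is what the Nginx side could look like on the firewall host. The public hostnames (www/mail/cloud.example.com) are placeholders, the mapping of which DMZ IP runs which application is assumed from the thread (192.168.14.8 web, 192.168.14.3 rainloop on the mail host, 192.168.14.14 Nextcloud), and the certificate paths are placeholders. The proxy terminates TLS itself and talks plain HTTP to the DMZ hosts over enp7s0, which is an assumption about how the backends are set up.

```nginx
# Added example, not from the thread. Reverse proxy on the Shorewall box (fw).
# Shorewall side (assumed): the DNAT rule in /etc/shorewall/rules is replaced by
# accepting 80/443 on the firewall itself, e.g.
#   ACCEPT  net  $FW  tcp  80,443
# and fw -> dmz on port 80 must be allowed for the proxy to reach the backends.

# One upstream per DMZ host; IPs are the thread's, the role mapping is assumed.
upstream web_backend   { server 192.168.14.8:80;  }   # gtmd   - main web site
upstream mail_backend  { server 192.168.14.3:80;  }   # gtmem  - rainloop webmail
upstream cloud_backend { server 192.168.14.14:80; }   # gtmoffice1 - Nextcloud

# Catch-all: a request whose Host header matches no published name is dropped
# (444 closes the connection), so IP-only scans never reach a backend.
server {
    listen 80  default_server;
    listen 443 ssl default_server;
    ssl_certificate     /etc/ssl/certs/placeholder.crt;     # placeholder path
    ssl_certificate_key /etc/ssl/private/placeholder.key;   # placeholder path
    return 444;
}

# Plain HTTP: redirect every published name to HTTPS.
server {
    listen 80;
    server_name www.example.com mail.example.com cloud.example.com;
    return 301 https://$host$request_uri;
}

# One HTTPS virtual host per backend; Nginx selects the block by SNI/Host.
server {
    listen 443 ssl;
    server_name www.example.com;                # placeholder public name
    ssl_certificate     /etc/ssl/certs/placeholder.crt;
    ssl_certificate_key /etc/ssl/private/placeholder.key;
    location / {
        proxy_pass http://web_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name mail.example.com;               # placeholder public name
    ssl_certificate     /etc/ssl/certs/placeholder.crt;
    ssl_certificate_key /etc/ssl/private/placeholder.key;
    location / {
        proxy_pass http://mail_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name cloud.example.com;              # placeholder public name
    ssl_certificate     /etc/ssl/certs/placeholder.crt;
    ssl_certificate_key /etc/ssl/private/placeholder.key;
    client_max_body_size 0;                     # Nextcloud uploads can be large
    location / {
        proxy_pass http://cloud_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two things to check after putting this in place: the backends now see every connection coming from 192.168.14.1, so their access logs and any per-IP rate limiting need to read X-Forwarded-For instead (Nextcloud in particular wants the proxy listed in trusted_proxies and overwriteprotocol set to https in config.php, otherwise it generates http:// links), and the default_server block is what keeps a connection to the bare external IP from being silently handed to whichever backend happens to be first in the file.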
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users