On February 11, 2019, 2:46:47 PM GMT-05:00, Tom Eastep <teas...@shorewall.net> wrote:
>On 2/11/19 6:16 AM, Rommel Rodriguez Toirac wrote:
>> I have a DMZ with several hosts providing some services such as
>> email, FTP, jabber, web and others. These services can be accessed both
>> from the local network and from outside my network.
>>
>> Until now in the DMZ I had only one host that provided the web
>> service (with apache), but now on the host where the email service runs I
>> installed an application to serve webmail access (rainloop), which is
>> configured using a web server (apache); also, on another host I installed
>> the Nextcloud+ONLYOFFICE combination as a server in the cloud and it
>> is hosted on an Apache server too.
>> This means that in the DMZ there are different hosts listening on ports 80
>> and 443.
>> Until now I had used a simple DNAT rule to forward all traffic
>> coming from outside of my network to ports 80 and 443, to the IP of the
>> host where the web service is running in the DMZ:
>>
>> DNAT:info net dmz:192.168.14.8 tcp 80,443
>>
>> But now there are three different hosts running apache listening on
>> ports 80 and 443, so when I try to access, from outside of my local
>> network or DMZ, the host where Nextcloud is running, the webpage
>> that responds is the webpage hosted on the host running the web service,
>> not the Nextcloud webpage.
>>
>> How can I prevent this from happening? I mean, when someone outside of
>> my network tries to access the webmail (rainloop) that is running on a
>> different host (different IP) than the host where the web services run,
>> the page that the user sees in the browser should correspond to the rainloop
>> webpage, or when they try to access Nextcloud the web page should
>> correspond to the service they are trying to access.
>>
>> This is the configuration of /etc/zones:
>>
>> fw firewall
>> net ipv4
>> loc ipv4
>> dmz ipv4
>>
>>
>> /etc/interfaces
>>
>> net enp4s1 tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
>> loc enp5s0 tcpflags,nosmurfs,routefilter,logmartians
>> dmz enp7s0 tcpflags,nosmurfs,routefilter,logmartians
>>
>>
>> /etc/policy
>>
>> loc net ACCEPT info
>> net all DROP info
>> all all REJECT info
>>
>>
>> The network interfaces use static IPs:
>>
>> enp4s1: 10.10.120.254
>> enp7s0: 192.168.14.1
>> enp5s0: 192.168.41.1
>>
>>
>> The server IP addresses are:
>>
>> gtmem.gtm.onat.gob.cu - 192.168.14.3
>> gtmd.gtm.onat.gob.cu - 192.168.14.8
>> gtmnb.gtm.onat.gob.cu - 192.168.14.11
>> gtmoffice1.gtm.onat.gob.cu - 192.168.14.14
>>
>
>Given that you only have one external IP address and you apparently want
>to run the web servers on separate hosts, a reverse proxy is probably
>the best way to go. Both Apache and Nginx can be configured as a reverse
>proxy which would run on the Shorewall system. The proxy accepts
>incoming connections and forwards them based on the host name being
>connected to.
>
>-Tom
Hello Tom;
yes, I want to run different web servers, on different hosts in the DMZ. You propose that I install a reverse proxy on the firewall. In the DMZ I have a host configured as a proxy using squid, with which I provide Internet access to my local LAN and other hosts outside of my network. Is this a problem or not for the solution you propose?
Thanks for your attention.
--
Rommel Rodriguez Toirac
romme...@nauta.cu
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
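Tom's reverse-proxy suggestion, worked through as an added example that is not part of this thread: an Nginx configuration for the Shorewall host that selects a DMZ backend from the Host header. It assumes which host runs rainloop and which runs Nextcloud (the thread only identifies 192.168.14.8 as the existing web host) and uses placeholder public names and certificate paths.

```nginx
# Added example, not from the thread. Goes in the http context of the
# Nginx instance running on the Shorewall host (e.g. /etc/nginx/conf.d/).
# Backend assignment is assumed: the thread only says 192.168.14.8 is the
# existing web host; the rainloop and Nextcloud hosts are guesses.
upstream web       { server 192.168.14.8:80; }    # gtmd: existing web service
upstream webmail   { server 192.168.14.3:80; }    # assumed: mail host running rainloop
upstream nextcloud { server 192.168.14.14:80; }   # assumed: Nextcloud+ONLYOFFICE host

# Host header -> upstream group. Only names listed here are ever proxied.
map $host $backend {
    gtmd.gtm.onat.gob.cu        web;
    webmail.gtm.onat.gob.cu     webmail;      # placeholder public name
    cloud.gtm.onat.gob.cu       nextcloud;    # placeholder public name
}

server {
    listen 80;
    listen 443 ssl;
    server_name gtmd.gtm.onat.gob.cu webmail.gtm.onat.gob.cu cloud.gtm.onat.gob.cu;

    # TLS terminates on the firewall; the DMZ hosts see plain HTTP from 192.168.14.1.
    ssl_certificate     /etc/ssl/certs/placeholder-fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/placeholder.key;           # placeholder path

    location / {
        # The variable resolves to one of the upstream groups above.
        proxy_pass http://$backend;
        # Pass the original host and client address so each backend app logs
        # the real client and builds correct links (Nextcloud should also list
        # 192.168.14.1 in trusted_proxies in its config.php).
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Catch-all for any other Host header (or a bare IP): close the connection
# instead of silently serving the first site, which is the symptom in the thread.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    ssl_certificate     /etc/ssl/certs/placeholder-fullchain.pem;
    ssl_certificate_key /etc/ssl/private/placeholder.key;
    return 444;
}
```

With the proxy on the firewall, the DNAT rule from the thread would be replaced by rules that accept net to $FW and $FW to dmz on tcp 80,443 (assumed, following the rule syntax shown in the thread), since the existing policy rejects firewall-to-dmz traffic by default.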