On February 14, 2019 1:10:43 PM GMT-05:00, Tom Eastep 
<teas...@shorewall.net> wrote:
>On 2/12/19 6:46 AM, Rommel Rodriguez Toirac wrote:
>> On February 11, 2019 2:46:47 PM GMT-05:00, Tom Eastep
>> <teas...@shorewall.net> wrote:
>>> On 2/11/19 6:16 AM, Rommel Rodriguez Toirac wrote:
>>>>  I have a DMZ with several hosts providing some services such as
>>>> email, FTP, jabber, web and others. These services can be accessed
>>>> both from the local network and from outside my network.
>>>>
>>>>  Until now in the DMZ I had only one host that provided the web
>>>> service (with apache), but now on the host where the email service
>>>> runs I installed an application to serve webmail access (rainloop),
>>>> which is configured using a web server (apache); also, on another
>>>> host I installed the Nextcloud+ONLYOFFICE combination as a server in
>>>> the cloud, and it is hosted on an Apache server too.
>>>>  This means that in the DMZ there are different hosts listening on
>>>> ports 80 and 443.
>>>>  Until now I had used a simple DNAT rule to forward all traffic
>>>> coming from outside of my network to ports 80 and 443 to the IP of
>>>> the host where the web service is running in the DMZ:
>>>>
>>>> DNAT:info net dmz:192.168.14.8 tcp 80,443
>>>>
>>>>  But now there are three different hosts running apache listening on
>>>> ports 80 and 443, so when I try to access, from outside of my local
>>>> network or DMZ, the host where Nextcloud is running, the webpage
>>>> that responds is the webpage hosted on the host running the web
>>>> service, not the Nextcloud webpage.
>>>>
>>>>  How can I prevent this from happening? I mean, when someone outside
>>>> of my network tries to access the webmail (rainloop) that is running
>>>> on a different host (different IP) than the host where the web
>>>> services run, the page that the user sees in the browser should
>>>> correspond to the rainloop webpage, or when they try to access
>>>> Nextcloud the web page should correspond to the service they try to
>>>> access.
>>>>
>>>> This is the configuration of /etc/zones:
>>>>
>>>> fw  firewall
>>>> net ipv4
>>>> loc ipv4
>>>> dmz ipv4
>>>>
>>>>
>>>> /etc/interfaces
>>>>
>>>> net enp4s1  tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
>>>> loc enp5s0  tcpflags,nosmurfs,routefilter,logmartians
>>>> dmz enp7s0  tcpflags,nosmurfs,routefilter,logmartians
>>>>
>>>>
>>>> /etc/policy
>>>>
>>>> loc net ACCEPT  info
>>>> net all DROP    info
>>>> all all REJECT  info
>>>>
>>>>
>>>> The network interfaces use static IPs:
>>>>
>>>> enp4s1: 10.10.120.254
>>>> enp7s0: 192.168.14.1
>>>> enp5s0: 192.168.41.1
>>>>
>>>>
>>>> The server IP addresses are:
>>>>
>>>> gtmem.gtm.onat.gob.cu - 192.168.14.3
>>>> gtmd.gtm.onat.gob.cu - 192.168.14.8
>>>> gtmnb.gtm.onat.gob.cu - 192.168.14.11
>>>> gtmoffice1.gtm.onat.gob.cu - 192.168.14.14
>>>>
>>>
>>> Given that you only have one external IP address and you apparently
>>> want to run the web servers on separate hosts, a reverse proxy is
>>> probably the best way to go. Both Apache and Nginx can be configured
>>> as a reverse proxy which would run on the Shorewall system. The proxy
>>> accepts incoming connections and forwards them based on the host name
>>> being connected to.
>>>
>>> -Tom
>>
>>
>>  Hello Tom;
>>
>> yes, I want to run different web servers, on different hosts in the
>> DMZ.
>>
>>  You propose that I install a reverse proxy on the firewall. In the
>> DMZ I have a host configured as a proxy using squid, with which I
>> provide Internet access to my local LAN and other hosts outside of my
>> network.
>>  Is this a problem or not for the solution you propose?
>>
>>  Thanks for your attention.
>>
>>
>
>Reverse proxies are something different. You can accomplish a similar
>thing with multiple DNAT rules per server. For gtmem.gtm.onat.gob.cu:
>
>DNAT   net     dmz:192.168.14.3:80     tcp     10080
>DNAT   net     dmz:192.168.14.3:443    tcp     10443
>...
>
>The problem with both approaches (DNAT and reverse proxy) is that
>external users will have to specify a non-standard port. To access
>gtmem.gtm.onat.gob.cu, the user would have to connect to:
>
>       http://gtmem.gtm.onat.gob.cu:10080
>
>or
>
>       https://gtmem.gtm.onat.gob.cu:10443
>
>-Tom

 I understand. Thank you, Tom, for answering me.
  Asking external users to change the standard port is not an option for me,
sorry.
  And what if I change the port on the service?
 I mean something like this in the DNAT approach:

DNAT    net     dmz:192.168.14.3:10080  tcp     80
DNAT    net     dmz:192.168.14.3:10443  tcp     443

 Does it work?


-- 
Rommel Rodriguez Toirac
romme...@nauta.cu
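The point behind Tom's first reply (the proxy "forwards them based on the host name being connected to") is the difference in what each mechanism can see. A DNAT rule matches on the destination IP and port only, so one external port can be sent to exactly one DMZ host; that is why every variant of the rules above, including swapping the port on the service side, still leaves a single host behind port 80 and a single host behind port 443. A reverse proxy instead reads the name the client asked for: the HTTP Host header on port 80, or the server_name (SNI) extension of the TLS ClientHello on port 443, which is sent in clear before any key exchange, so the proxy can pick a backend without terminating TLS. The following Python is an added example written for this page; it is not code from the thread or from Shorewall, Apache or Nginx. The host names and DMZ addresses are the ones posted in the thread; the HTTP request and the ClientHello bytes are constructed here as sample input.

```python
"""Added example: name-based dispatch (what a reverse proxy does) versus
port-based dispatch (what DNAT does) for several web hosts behind one
public IP. Not code from the Shorewall thread."""
import struct
from typing import Dict, Optional

# Routing table: public host name -> DMZ backend (names and IPs from the thread).
BACKENDS: Dict[str, str] = {
    "gtmem.gtm.onat.gob.cu": "192.168.14.3",        # mail host with rainloop
    "gtmd.gtm.onat.gob.cu": "192.168.14.8",         # the original apache web server
    "gtmoffice1.gtm.onat.gob.cu": "192.168.14.14",  # Nextcloud + ONLYOFFICE
}

# The thread's original rule "DNAT:info net dmz:192.168.14.8 tcp 80,443" as a
# port table: the destination port is the only key DNAT can use.
DNAT_RULES: Dict[int, str] = {80: "192.168.14.8", 443: "192.168.14.8"}


def dnat_backend(port: int) -> Optional[str]:
    """Layer 3/4 view: the external port alone selects the backend."""
    return DNAT_RULES.get(port)


def http_host(request: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP/1.x request head (port 80)."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            # Drop an optional ":port" suffix and normalise case.
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def tls_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record (port 443).
    Every length field is bounds-checked by slicing; a truncated or
    malformed record yields None instead of an exception."""
    try:
        if record[0] != 0x16:                      # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                          # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                               # client_version + random
        pos += 1 + body[pos]                       # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                       # compression_methods
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == 0:                         # server_name extension
                list_len = struct.unpack("!H", edata[0:2])[0]
                p = 2
                while p + 3 <= 2 + list_len:
                    ntype = edata[p]
                    nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:                 # host_name
                        return edata[p:p + nlen].decode("ascii").lower()
                    p += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def proxy_backend(port: int, first_bytes: bytes) -> Optional[str]:
    """Layer 7 view: pick the DMZ host from the name the client asked for."""
    if port == 80:
        name = http_host(first_bytes)
    elif port == 443:
        name = tls_sni(first_bytes)
    else:
        name = None
    return BACKENDS.get(name) if name else None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension
    (sample input for the demonstration, not a capture)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                # version, zeroed random
            + b"\x00"                              # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00"                          # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    req = b"GET /index.php HTTP/1.1\r\nHost: gtmoffice1.gtm.onat.gob.cu\r\n\r\n"
    print("DNAT  :80  ->", dnat_backend(80))
    print("proxy :80  ->", proxy_backend(80, req))
    print("proxy :443 ->", proxy_backend(443, build_client_hello("gtmem.gtm.onat.gob.cu")))
```

Run as a script it prints the backend each mechanism would choose for the same two connections: DNAT always answers with 192.168.14.8 for port 80, while the proxy answers 192.168.14.14 for the Nextcloud request and 192.168.14.3 for the TLS connection naming the mail host. The parsers are deliberately strict: anything that is not a well-formed request head or ClientHello, or any name that is not in the table, returns None, which is the case a real proxy should reject rather than fall through to a default host.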


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
