On 2/20/20 4:22 AM, Bruce Bannerman wrote:
> Hello colleagues,
>
> I hope that someone can point me in the right direction here. I
> have been trying many options for weeks to sort this out.
>
> (Thank you for the excellent Shorewall documentation.)
>
> In a nutshell, I can see network traffic coming into my DMZ from
> external to my site, but I don’t see it coming out.
>
> Environment:
>
> Debian 10.3 Stable
> Xen 4.11.4-pre
> Shorewall 5.2.3.2
>
> I have four Debian 10.3 Stable VMs running.
>
> Everything has been working fine for several years with a single
> public IP connected to two externally facing VMs, with traffic
> redirected using DNAT.
>
> I recently obtained a /28 subnet of public IP addresses from my ISP
> to allow me to expand my web activities.
>
> * My ISP is routing the /28 subnet via my external /32 public
>   static IP address that they have allocated to me for the external
>   interface of my router / modem.
> * This static /32 IP is from a totally different IP range to my subnet.
>
> I’m having troubles getting network traffic returned from my DMZ
> VMs with these /28 subnet IP addresses.
>
> I have the same result whether I set my systems up using either:
>
> * a XEN Routed configuration as described in [1]; or
> * a XEN One-to-One NAT configuration as described at [2].
>
> My current configuration is configured as XEN Routed.
>
> =====
>
> I can get external network traffic returned from my servers under
> the current configuration if I:
>
> * configure my nameserver to use my /32 external static IP address
>   for all servers.
> * use port forwarding configured within the modem to point at my VMs
>   using their public /28 subnet addresses.
> * keep NAT enabled on the modem.
> * however, this is very restrictive, and defeats the purpose of having
>   the public /28 subnet in the first place.
>
> =====
>
> I have attached a shorewall dump below.
>
> For this test, I attempted to access the web site of one of my
> domains at http://www.foss4climate.org. This domain and site have
> not been launched and are just in a preliminary stage.
>
> This URL points to my reverse proxy server. I then redirect using
> https to a second webserver (www2, also a VM) that uses a private IP
> address.
>
> I tested from a laptop, external to my site’s network.
>
> * the laptop’s IP address was: 49.183.163.227
> * the IP address of the web server is currently: 203.214.66.103
The Shorewall-generated firewall is seeing the connection successfully
established. From the dump:

Conntrack Table (50 out of 262144)
...
ipv4 2 tcp 6 272 ESTABLISHED src=49.183.163.227 dst=203.214.66.103 sport=52024 dport=443 src=203.214.66.103 dst=49.183.163.227 sport=443 dport=52024 [ASSURED] mark=0 zone=0 use=2

That shows that the three-way TCP handshake was successfully completed
between 49.183.163.227 and 203.214.66.103 (which I presume is your
reverse proxy server and not the web server itself).

What is the (private) IP address of the web server?

-Tom
-- 
Tom Eastep            \ Q: What do you get when you cross a mobster
Shoreline,             \    with an international standard?
Washington, USA         \ A: Someone who makes you an offer you
http://shorewall.org     \    can't understand
                          \________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
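The conntrack entry Tom reads above carries two pieces of evidence a troubleshooter wants from a Shorewall dump: the TCP state (ESTABLISHED means the firewall host saw the SYN, the SYN/ACK coming back, and the final ACK, so the return path at least reaches the firewall) and the second src/dst tuple, which is what conntrack expects replies to look like. When that reply tuple is the exact mirror of the original tuple, no NAT was applied and replies must leave from the public address itself (the routed case in the thread); when it differs, the connection was DNAT'd or SNAT'd and replies originate from the rewritten address. The following script is an added example written for this page, not code from Shorewall or from either poster. It parses lines in the /proc/net/nf_conntrack layout that the dump reproduces and reports both facts. The first sample line is the entry quoted in the reply; the other two lines are constructed (documentation-range addresses) to exercise a DNAT'd connection and an unanswered UDP probe, and only tcp and udp entries are handled.

```python
"""Read connection evidence out of nf_conntrack table lines.

Added example for this thread, not Shorewall code. Handles the
/proc/net/nf_conntrack line layout for tcp and udp entries only.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample table: line 1 is the ESTABLISHED entry quoted in the
# reply; lines 2 and 3 are made up (documentation-range addresses) to show
# a DNAT'd connection and a UDP probe that never got an answer.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 272 ESTABLISHED src=49.183.163.227 dst=203.214.66.103 sport=52024 dport=443 src=203.214.66.103 dst=49.183.163.227 sport=443 dport=52024 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=40001 dport=80 src=192.168.1.20 dst=198.51.100.7 sport=80 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=198.51.100.7 dst=203.0.113.10 sport=5555 dport=53 [UNREPLIED] src=203.0.113.10 dst=198.51.100.7 sport=53 dport=5555 mark=0 zone=0 use=1
"""

# TCP conntrack states that are only reachable after the three-way handshake.
HANDSHAKE_DONE_STATES = {"ESTABLISHED", "FIN_WAIT", "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT"}


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int

    def mirrored(self) -> "Tuple4":
        """The reply tuple this connection would have if no NAT touched it."""
        return Tuple4(self.dst, self.src, self.dport, self.sport)


@dataclass(frozen=True)
class ConntrackEntry:
    proto: str
    state: Optional[str]   # tcp state; None for udp, which has no state column
    original: Tuple4       # first tuple: direction of the initiating packet
    reply: Tuple4          # second tuple: what conntrack expects replies to match
    flags: frozenset       # bracketed flags such as ASSURED or UNREPLIED


def parse_conntrack_line(line: str) -> ConntrackEntry:
    tokens = line.split()
    if len(tokens) < 6 or tokens[2] not in ("tcp", "udp"):
        raise ValueError(f"unsupported or malformed entry: {line!r}")
    rest = tokens[5:]                      # everything after l3proto/num, l4proto/num, timeout
    state = None
    if tokens[2] == "tcp" and "=" not in rest[0] and not rest[0].startswith("["):
        state, rest = rest[0], rest[1:]
    flags, tuples, cur = set(), [], {}
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            flags.add(tok[1:-1])           # flags may sit between the two tuples (UDP UNREPLIED)
            continue
        key, _, value = tok.partition("=")
        if key in ("src", "dst", "sport", "dport"):
            cur[key] = value
            if len(cur) == 4:              # four keys collected: one complete tuple
                tuples.append(Tuple4(cur["src"], cur["dst"], int(cur["sport"]), int(cur["dport"])))
                cur = {}
    if len(tuples) != 2:
        raise ValueError(f"expected an original and a reply tuple: {line!r}")
    return ConntrackEntry(tokens[2], state, tuples[0], tuples[1], frozenset(flags))


def saw_both_directions(e: ConntrackEntry) -> bool:
    """conntrack clears UNREPLIED once a packet matching the reply tuple is seen."""
    return "UNREPLIED" not in e.flags


def handshake_completed(e: ConntrackEntry) -> bool:
    """True when SYN, SYN/ACK and the final ACK all passed this firewall."""
    return e.proto == "tcp" and e.state in HANDSHAKE_DONE_STATES


def nat_applied(e: ConntrackEntry) -> Optional[str]:
    """Compare the reply tuple with the un-NATed mirror of the original tuple."""
    mirror = e.original.mirrored()
    if e.reply == mirror:
        return None
    if e.reply.src != mirror.src:
        return "DNAT"   # the original destination was rewritten (port-forward style)
    return "SNAT"       # the original source was rewritten (masquerade style)


def summarize(line: str) -> str:
    e = parse_conntrack_line(line)
    verdict = ("handshake complete" if handshake_completed(e)
               else "replied" if saw_both_directions(e) else "no reply seen")
    nat = nat_applied(e) or "no NAT"
    return (f"{e.proto} {e.original.src}:{e.original.sport} -> "
            f"{e.original.dst}:{e.original.dport}: {verdict}, {nat}; "
            f"replies expected from {e.reply.src}:{e.reply.sport}")


if __name__ == "__main__":
    for entry_line in SAMPLE_CONNTRACK.splitlines():
        print(summarize(entry_line))
```

Run it against a pasted Shorewall dump (`shorewall dump | grep '^ipv4'`) to list, per connection, whether the firewall saw traffic in both directions and which address the replies are expected to come from; a routed public /28 address showing "no NAT" with the handshake complete, as in the quoted entry, tells you the break is not at the firewall's conntrack layer.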