Many thanks for your reply and taking the time to look, Tom. You are correct, the Reverse Proxy’s IP address is 203.214.66.103.

The web server is 172.16.4.203. I have no problems connecting to the Web Server from the Reverse Proxy using Ping, ssh etc. and vice versa.

I have a similar situation between my smtp and imaps servers. Both use public IPs, .100 and .104 respectively. .100 is a secondary IP for .103, established using IP ADDRESS ADD at boot via /etc/network/interfaces (Debian). Similarly, .105 and .106 are secondary IPs for .104.

I hope this helps.

Kind regards,

Bruce

> On 21 Feb 2020, at 6:20 am, Tom Eastep <teas...@shorewall.net> wrote:
>
>> On 2/20/20 4:22 AM, Bruce Bannerman wrote:
>> Hello colleagues,
>>
>> I hope that someone can point me in the right direction here. I have been trying many options for weeks to sort this out.
>>
>> (Thank you for the excellent Shorewall documentation.)
>>
>> In a nutshell, I can see network traffic coming into my DMZ from external to my site, but I don’t see it coming out.
>>
>> Environment:
>>
>> Debian 10.3 Stable
>> Xen 4.11.4-pre
>> Shorewall 5.2.3.2
>>
>> I have four Debian 10.3 Stable VMs running.
>>
>> Everything has been working fine for several years with a single public IP connected to two externally facing VMs, with traffic redirected using DNAT.
>>
>> I recently obtained a /28 subnet of public IP addresses from my ISP to allow me to expand my web activities.
>>
>> * My ISP is routing the /28 subnet via my external /32 public static IP address that they have allocated to me for the external interface of my router / modem.
>> * This static /32 IP is from a totally different IP range to my subnet.
>>
>> I’m having troubles getting network traffic returned from my DMZ VMs with these /28 subnet IP addresses.
>>
>> I have the same result whether I set my systems up using either:
>>
>> * a XEN Routed configuration as described in [1]; or
>> * a XEN One-to-One NAT configuration as described at [2].
>>
>> My current configuration is configured as XEN Routed.
>>
>> =====
>>
>> I can get external network traffic returned from my servers under the current configuration if I:
>>
>> * configure my nameserver to use my /32 external static IP address for all servers.
>> * use port forwarding configured within the modem to point at my VMs using their public /28 subnet addresses.
>> * keep NAT enabled on the modem.
>> * however, this is very restrictive, and defeats the purpose of having the public /28 subnet in the first place.
>>
>> =====
>>
>> I have attached a shorewall dump below.
>>
>> For this test, I attempted to access the web site of one of my domains at http://www.foss4climate.org. This domain and site have not been launched and are just in a preliminary stage.
>>
>> This URL points to my reverse proxy server. I then redirect using https to a second webserver (www2, also a VM) that uses a private IP address.
>>
>> I tested from a laptop, external to my site’s network.
>>
>> * the laptop’s IP address was: 49.183.163.227
>> * the IP address of the web server is currently: 203.214.66.103
>
> The Shorewall-generated firewall is seeing the connection successfully established. From the dump:
>
> Conntrack Table (50 out of 262144)
> ...
> ipv4 2 tcp 6 272 ESTABLISHED src=49.183.163.227 dst=203.214.66.103 sport=52024 dport=443 src=203.214.66.103 dst=49.183.163.227 sport=443 dport=52024 [ASSURED] mark=0 zone=0 use=2
>
> That shows that the three-way TCP handshake was successfully completed between 49.183.163.227 and 203.214.66.103 (which I presume is your reverse proxy server and not the web server itself). What is the (private) IP address of the web server?
>
> -Tom
> --
> Tom Eastep        \   Q: What do you get when you cross a mobster
> Shoreline,         \     with an international standard?
> Washington, USA     \     A: Someone who makes you an offer you
> http://shorewall.org \    can't understand
> \________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
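Tom's diagnosis rests on reading the two 4-tuples of a conntrack entry: the original direction and the reply conntrack expects back. As an added example that is not part of the thread, this Python parser takes lines in the format of the dump's Conntrack Table section and reports the TCP state and whether the reply tuple shows DNAT or SNAT; the first sample line mirrors the quoted entry and the second is a constructed DNAT entry, not from the dump.

```python
import re

# Constructed sample lines in the format of the "Conntrack Table" section of a
# shorewall dump. The first mirrors the entry quoted in the thread; the second is
# a made-up DNAT entry of the kind a single-public-IP DNAT setup would produce.
SAMPLE_LINES = [
    "ipv4 2 tcp 6 272 ESTABLISHED src=49.183.163.227 dst=203.214.66.103 "
    "sport=52024 dport=443 src=203.214.66.103 dst=49.183.163.227 "
    "sport=443 dport=52024 [ASSURED] mark=0 zone=0 use=2",
    "ipv4 2 tcp 6 20 SYN_RECV src=49.183.163.227 dst=203.214.66.103 "
    "sport=52030 dport=80 src=172.16.4.203 dst=49.183.163.227 "
    "sport=80 dport=52030 mark=0 zone=0 use=1",
]

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
STATE_RE = re.compile(r"\b(SYN_SENT|SYN_RECV|ESTABLISHED|FIN_WAIT|CLOSE_WAIT|"
                      r"LAST_ACK|TIME_WAIT|CLOSE)\b")


def parse_conntrack(line):
    """Return the protocol, TCP state and original/reply 4-tuples of one entry."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: %r" % line)
    state = STATE_RE.search(line)
    keys = ("src", "dst", "sport", "dport")
    orig, reply = (dict(zip(keys, t)) for t in tuples)
    return {
        "proto": line.split()[2],
        "state": state.group(1) if state else None,
        "assured": "[ASSURED]" in line,   # conntrack saw traffic in both directions
        "orig": orig,
        "reply": reply,
    }


def diagnose(entry):
    """Say what the entry tells us about the return path of the connection."""
    o, r = entry["orig"], entry["reply"]
    # The reply tuple is the packet conntrack expects back. A reply source that
    # differs from the original destination means DNAT rewrote the destination;
    # a reply destination that differs from the original source means SNAT.
    return {
        "dnat": r["src"] != o["dst"],
        "snat": r["dst"] != o["src"],
        "handshake_done": entry["proto"] == "tcp" and entry["state"] == "ESTABLISHED",
        "two_way_traffic_seen": entry["assured"],
    }
```

For the quoted entry this reports an established, assured connection with no NAT on the proxy's public address, which is why the next question in the thread is where the private web server sits behind it.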