27th February 2009
jggimi
If I understand what you've posted, there is an attack vector from your webserver on softlayer.com's network block, into your private network. Do I understand that correctly?

If so, I'm astonished you would bother to obfuscate an RFC 1918 address, but not redact the IP address of your hacked or misconfigured webserver. That would be the address to remove from a public forum.

I don't necessarily understand why you are allowing the webserver to have unrestricted access to your private LAN. You should be able to limit its access to necessary back-end systems, such as DB servers, and limit it to specific ports, as well.

State table management will not help you at all with existing states, as you've discovered. Nor will antispoofing, since there is no address spoofing, there is an attack coming from your webserver. If I understand your problem, of course.

Best practice is to place Internet-facing servers in a DMZ between two firewalls. Forgive this ASCII diagram:

{internet} [FW1] -- Webservers, etc -- [FW2] -- {private network}

This allows for a fairly open set of rules for FW1, and a very restrictive set of rules for FW2. Access to the private network from the DMZ can be limited to necessary and valid connections from the DMZ servers -- such as a backend database -- which may eliminate the DMZ as a general attack vector into a private network, in the event of a misconfigured webserver, administrator ignorance, or other problems that enable an attack.

Last edited by jggimi; 27th February 2009 at 03:14 PM. Reason: clarity
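An added example, not part of jggimi's post: one way the restrictive FW2 ruleset he describes could look in OpenBSD pf.conf. Interface names, the addresses (documentation and RFC 1918 ranges) and the database port are assumptions chosen for illustration.

```pf
# Added example (not from the post): pf.conf for FW2, the inner firewall
# sitting between the DMZ webservers and the private network.
# Interface names, addresses and ports below are assumptions; substitute your own.

dmz_if  = "em0"                          # faces the DMZ (webservers)
lan_if  = "em1"                          # faces the private network

web_srv = "{ 192.0.2.10, 192.0.2.11 }"   # DMZ webservers (constructed sample addresses)
db_srv  = "10.0.0.20"                    # back-end database on the private LAN (constructed)
db_port = "5432"                         # PostgreSQL; change to whatever the DB listens on

table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo
set block-policy drop

# Default deny in both directions. Logging the drops means a misbehaving
# webserver probing the LAN shows up in pflog instead of failing silently.
block log all

antispoof quick for { $dmz_if $lan_if }

# The single DMZ -> LAN connection the webservers legitimately need:
# from their own addresses, to the database host, on the database port.
# With the default floating state policy the "pass in" state also covers
# the packet leaving on $lan_if; the "pass out" rule is kept so the
# ruleset still works if state-policy is set to if-bound.
pass in  quick on $dmz_if proto tcp from $web_srv to $db_srv port $db_port \
    flags S/SA keep state
pass out quick on $lan_if proto tcp from $web_srv to $db_srv port $db_port \
    flags S/SA keep state

# Anything else the DMZ sends toward RFC 1918 space is dropped and logged.
# Already implied by "block log all"; spelled out so the intent is explicit.
block log quick on $dmz_if from $web_srv to <private>

# Administration from the private network into the DMZ (SSH). Replies ride
# on the state, so no matching inbound rule from the DMZ is needed.
pass in  quick on $lan_if proto tcp from $lan_if:network to $web_srv port 22 \
    flags S/SA keep state
pass out quick on $dmz_if proto tcp from $lan_if:network to $web_srv port 22 \
    flags S/SA keep state
```

Loading this with pfctl -f does not touch states that are already in the table, so connections the webserver opened before the change survive until they time out or are removed with pfctl -k and the webserver's address.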