May 20th, 2004, 09:45 PM
One External to Multiple Internal IPs
Wow, it's been a while since I have posted. But anyway, I have a little question for any of you out there who might be able to answer it.
Let me give a scenario:
Let's say I have 1 external IP but run 50 servers within my network, all on internal IPs. Is there any way to bind each server to a subdomain so that it can be accessed via that subdomain?
Let's say 3 of these machines run SSH, and I don't want to change the port numbers that the service runs on, but just make box1.domain.org go to box1's SSH, box2.domain.org go to box2's SSH, etc.
If this is at all possible, I would like some feedback. If not, then screw it.
May 20th, 2004, 09:54 PM
You can remap ports on a NAT firewall, such as Netfilter.
Let's say all servers will get the same IP address (on the internet),
but you assign different ports (on the internet).
At the NAT firewall you say (supposing that your IP address on the internet is 184.108.40.206):
220.127.116.11:5000 --> box1:ssh
18.104.22.168:5001 --> box2:ssh
22.214.171.124:5002 --> box3:ssh
You should specify the port on the internet side, but when the packet traverses the firewall it will go to the correct port.
Is that what you want?
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt.
If I die before I wake, I pray the Lord my soul to brake.
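The port-remap approach described above, as an added example rather than anything posted in the thread: a small POSIX sh script that emits the iptables rules for a table of external-port-to-host mappings. It assumes 184.108.40.206 as the public address (from the post), eth0 as the internet-facing interface, and constructed placeholder addresses 192.168.1.11-13 standing in for box1 to box3.

```shell
#!/bin/sh
# Added example, not code from the thread: one-external-IP port remapping on a
# Netfilter NAT firewall. Assumes 184.108.40.206 is the public address (from the
# post), eth0 is the internet-facing interface, and the internal hosts are the
# constructed placeholder addresses 192.168.1.11-13 standing in for box1..box3.
EXT_IP=184.108.40.206
WAN_IF=eth0

# Mapping table: "external port  internal host", one entry per line (constructed).
MAP='5000 192.168.1.11
5001 192.168.1.12
5002 192.168.1.13'

# Print the two rules one mapping needs: DNAT the inbound TCP connection in
# nat/PREROUTING to the host's port 22, and explicitly ACCEPT the forwarded
# flow so a default-DROP FORWARD policy does not silently discard it.
dnat_rules() {
    ext_port=$1
    host=$2
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:22\n' \
        "$WAN_IF" "$EXT_IP" "$ext_port" "$host"
    printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$host"
}

# Walk the table and emit rules for every entry. A duplicate external port is
# rejected: a second DNAT rule on the same port would never match, so one
# server would be unreachable without any error from iptables itself.
generate() {
    seen=" "
    while read -r ext_port host; do
        [ -z "$ext_port" ] && continue
        case "$seen" in
            *" $ext_port "*) echo "duplicate external port $ext_port" >&2; return 1 ;;
        esac
        seen="$seen$ext_port "
        dnat_rules "$ext_port" "$host"
    done <<EOF
$MAP
EOF
}

# Routing between interfaces must be on for DNAT'd packets to be forwarded.
echo 'sysctl -w net.ipv4.ip_forward=1'
generate
```

Run it to review the rules, or pipe its output to sh to apply them. Each mapped external port is one more SSH listener exposed to the internet, so keep the per-host FORWARD rule explicit instead of opening the whole chain.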
May 20th, 2004, 09:57 PM
May 20th, 2004, 10:15 PM
cacosapo: I don't think I fully understand you. Would the external address still be box1.domain.org:22??
The whole point is that anyone on the outside can't really even notice any difference: if they want to go to the FTP of box1, they just go to any FTP client and put in box1.domain.org, and they can do the same for box2 without the end user having to change any ports.
I don't see that as possible with a NAT firewall, or maybe I'm just mistaken.
I don't even know if this is possible at all... a friend of mine a while back said it was, but we never got into it.
May 20th, 2004, 10:18 PM
Tell them to just change ports; run the SSH daemon on 50 different ports.
That's not too much to ask.
May 20th, 2004, 10:22 PM
I know I can tell them to change ports, but it's not what I want; it doesn't solve my problem, just creates more problems... go try telling end users to use even port 8080 as the web server port, they will go nuts.
The only solution I see to my problem is buying something like a C block of IP addresses, but that would be way too expensive, which would defeat what I am trying to do.
May 20th, 2004, 10:37 PM
Make the links to your web/FTP/etc. sites yourself. Direct the users to an initial web page that is fixed, then offer the list of services. The links would provide the :8080 etc. When they click on them, it does it automagically....
Otherwise, by using simple NAT it can't be done, as far as I can tell....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
May 20th, 2004, 10:45 PM
It would really take a long time to try to explain what exactly I would be trying to do with all of this, but that wouldn't cut it.
But if anyone knows of a way that you can basically bind a registered domain name to an internal IP in some sort of way, then let me know.
May 20th, 2004, 10:47 PM
If you've got 50 servers you should be able to get a class C pretty cheap if you're in a datacenter, which, with 50 servers, you should be.
May 20th, 2004, 10:51 PM
Would it work if you used different subnets? You may have to manually set IPs, but then technically they should be different addresses and allow connections to them without ports interfering. I guess to take this one step further, are you attempting to access this from the outside world, or just playing internally in the network?
If you are wanting access from the outside world, you could tell users on the outside they are different ports and then just route the port internally to the correct IP.
edit: I just saw you were trying to bind multiple domains to internal IPs. Not sure if this would work right, but check it out: http://www.4guysfromrolla.com/webtech/072700-1.shtml
Duct tape.....A whole lot of Duct Tape
Spyware/Adaware problem click