One External to Multiple Internal IPs - Page 3

Thread: One External to Multiple Internal IPs

  1. #21
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by Dome
    I know I can tell them to change ports, but it's not what I want; it doesn't solve my problem, it just creates more problems... Go try telling end users to use even port 8080 as the webserver port; they will go nuts.

    The only solution I see to my problem is buying, like, a C block of IP addresses, but that would be way too expensive, which would defeat what I am trying to do.
    What about using subdomains to tell the end users which are setup with a redirect
    to the hosts using alternate ports?

  2. #22
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Well... I'd disagree with whether it's possible unless someone alters the IP version 4 protocol.... It doesn't contain the destination domain.... That's why we have DNS, to resolve that prior to transmission. The packets contain only the destination IP address and port. The packet is handled by the receiving device based entirely upon that. If it tried to do a reverse DNS on an IP that contains multiple hosts, it's always going to resolve back to itself at a single IP..... Then the port number is the only variable at the NAT device..... Forwarding the port to multiple internal IPs will confuse the router at best..... It probably won't be allowed by the router itself.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #23
    Banned
    Join Date
    Sep 2001
    Posts
    522
    Originally posted here by ss2chef
    What about using subdomains to tell the end users which are setup with a redirect
    to the hosts using alternate ports?
    Hrm.... do you mean, let's say the external IP is 209.42.40.111

    box1.domain.org:22 ---> 209.42.40.111:55051
    box2.domain.org:22 ---> 209.42.40.111:55052

    etc.

    is that possible?

    or still same problem?

  4. #24
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by Dome
    Hrm.... do you mean, let's say the external IP is 209.42.40.111

    box1.domain.org:22 ---> 209.42.40.111:55051
    box2.domain.org:22 ---> 209.42.40.111:55052

    etc.

    is that possible?

    or still same problem?
    Good problem... let me play with it. I thought you could set up sshd in a "gateway" configuration for problems like this.

  5. #25
    Banned
    Join Date
    Sep 2001
    Posts
    522
    OK, one of my buddies on IRC said it's def possible....

    His answer is NAT, to quote:
    <Anti-Hero> box2.domain.org resolves to pub IP which is then NAT to internal
    addy., firewall rules port forward to 22. box2.domain.com
    resolves to pub IP which is NAT to internal addy.

    he will explain it more sometime tonight or tomorrow when we both have time

  6. #26
    Banned
    Join Date
    Sep 2001
    Posts
    522
    NM, misunderstood, that's not entirely possible; I will update if I find a solution.

  7. #27
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    742
    I still think if you use the code from this site and edit it then it should work fine.

    For instance, if you have everything come from the outside and hit a main server on the inside, then use that server to distribute the information to your internal network, I would assume it would work.... So you make the request to box2.domain.org, the request goes to a server, and the server sees it:

    <%
    ' ASP/VBScript: pick the internal target from the name the browser asked for
    If Request.ServerVariables("SERVER_NAME") = "www.box2.domain.org" Or _
       Request.ServerVariables("SERVER_NAME") = "box2.domain.org" Then
        file = "192.XXX.XXX.XXX:PortNumber"
        siteId = 2
    End If
    %>

    Given, if you go this route you may have to change the ports internally, but maybe not; it may just make the request if you have a name server inside your network or if you make your main server a name server also.

    Just some thoughts for you
    Duct tape.....A whole lot of Duct Tape

  8. #28
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Isn't this what ISPs do every day???
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  9. #29
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Routers/firewalls don't NAT the same port to different internal IPs....

    Look at the protocol.... He's not just asking to host www, mail and ftp..... which can be done at the server level (note _server level_: the requests all go to the same box....); he wants multiple boxes hosting ssh..... well, that's port 22..... Show me in the RFC where TCP/IP has the frigging domain name in the packet... please...... I'd love to learn.....

    As it stands, the router/firewall chooses what to do with the packet on a port level ('cos the address is always the same: its own WAN address).... so, unless they are now programmed with telepathic powers, how would they know which host the port 22 request is destined for????

  10. #30
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by Spyrus
    I still think if you use the code from this site and edit it then it should work fine.

    For instance, if you have everything come from the outside and hit a main server on the inside, then use that server to distribute the information to your internal network, I would assume it would work.... So you make the request to box2.domain.org, the request goes to a server, and the server sees it:


    Given if you go this route you may have to change the ports internally but maybe not, it may just make the request if you have a name server inside your network or if you make your main server a Name Server also.

    Just some thoughts for you
    Hey Hey,

    Good to see yer looking, Spyrus; however, this is ASP and will only work for a webserver. Since Dome wants to deal with SSH and other services, it won't work. I used to run a similar Perl script on my server, but it works because the HTTP protocol contains the SERVER_NAME variable; however, when you receive SSH there's no way to distinguish between the names, like Tiger Shark mentioned......

    I suppose you could rewrite applications... I know you aren't a programmer, but if you could find yourself one... you'll be set... here's what you'd need to do.

    2 apps are required:
    The first is an SSH client that will let you specify your source port; who knows, this may already exist.
    The second is a gateway running, for lack of a better description, a modified version of PAT.

    Basically what you do is have the gateway app look at the source port on the packets and forward them on to specific internal IPs based on the SRC port. Have it remember which source ports are associated with which Internal IPs.

    You'd end up with something like this.

    Gateway:
    Forward SRC PORT 2222, DST PORT 22 to box1:22
    Forward SRC PORT 2223, DST PORT 22 to box2:22
    Forward SRC PORT 2224, DST PORT 22 to box3:22

    SSH from X.X.X.X:2222 to ExternalIP:22, the gateway will forward you to box1.


    Now that I've thought about it, ettercap does packet mangling, although I'm sure with some research you could find better software. Just configure a shitload of ettercap rules, and have it mangle the packets appropriately. Each above forward rule would be a filter, and it would mangle the packet to contain the internal IP address rather than the external address. This means you'll have to have one gateway PC that shares the net connection with the rest of the PCs (through switch, hub, whichever... 2 NICs in the PC)... however, it should work; now all you have to do is find an SSH client that will let you specify the source port.

    Peace,

    HT

    Damn, that took a while to write.

    [Edit]
    So... the more I look at that the more I realize it's a horrid idea, may as well just have them specify a different destination port... so how about this.

    1 gateway machine serving the rest of the machines; this is similar to the webpage-of-links idea. For HTTP use the script that was posted above, or grab a simple PHP/Perl one (you could get one that'll function in less than 10 lines). Then use CNAME entries to reference them for website access. For SSH, have a script listening on port 22 of the primary machine. When they log in, display a menu... no shell available... just a menu. Let them choose an internal machine (i.e. 1: Box1 2: Box2 3: Box3). They can then just hit a number (1, 2, 3) and be forwarded to that machine.

    [/Edit]
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
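    HT's edited suggestion (one gateway on port 22 that offers a menu and no shell) is the jump-host pattern, and the way to do it without writing an SSH server is to let sshd handle the login and force a menu script as the only command the account can run. The script below is an added example, not HT's code or anything from the thread: the box names and 192.168.1.x addresses are assumed, the sshd_config lines in the docstring use OpenSSH's standard ForceCommand mechanism, and the inner boxes are assumed to accept the same login name as the gateway account.

```python
#!/usr/bin/env python3
"""Menu-only SSH gateway, run as the forced command for the jump account.

sshd_config on the gateway (assumed layout):
    Match User jump
        ForceCommand /usr/local/bin/ssh-menu
        AllowTcpForwarding no      # otherwise -L/-J would bypass the menu
        X11Forwarding no
        PermitTTY yes
"""
import os
import sys

# Constructed inventory: menu number -> (name, internal address). Assumed values.
TARGETS = {
    "1": ("box1", "192.168.1.11"),
    "2": ("box2", "192.168.1.12"),
    "3": ("box3", "192.168.1.13"),
}


def menu_text():
    lines = ["Select a host:"] + [f"  {n}: {name}" for n, (name, _) in TARGETS.items()]
    return "\n".join(lines) + "\n> "


def choose_target(selection):
    """Map user input to an internal address, or None.

    Only the menu number or the exact box name is accepted, and the raw input
    is never passed to ssh, so input such as '-oProxyCommand=...' goes nowhere.
    """
    sel = selection.strip()
    if sel in TARGETS:
        return TARGETS[sel][1]
    for name, addr in TARGETS.values():
        if sel == name:
            return addr
    return None


def main():
    # "ssh jump@gateway box2" arrives as SSH_ORIGINAL_COMMAND under ForceCommand;
    # an interactive login has no command, so show the menu and read a line.
    sel = os.environ.get("SSH_ORIGINAL_COMMAND")
    if sel is None:
        sys.stdout.write(menu_text())
        sys.stdout.flush()
        sel = sys.stdin.readline()
    addr = choose_target(sel)
    if addr is None:
        sys.stderr.write("no such host\n")
        sys.exit(1)
    # exec replaces this process, so the user never gets a shell on the gateway;
    # "--" ends option parsing even though addr comes from our own table.
    argv = ["ssh", "-o", "BatchMode=no", "--", addr]
    if sys.stdin.isatty():
        argv.insert(1, "-t")   # hand the user's terminal through to the inner box
    os.execvp("ssh", argv)


if __name__ == "__main__":
    main()
```

    The gateway needs to reach the inner boxes on port 22 itself (they stay unreachable from the outside), and AllowTcpForwarding no is what keeps the menu from being decorative: without it a user could ask sshd to forward a port straight to 192.168.1.12:22 and never see the menu at all. A user who wants an interactive shell on the inner box should connect with `ssh -t jump@gateway box2` so a pty is allocated end to end.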
