
This is probably a really basic question for most of you guys out there, but I'm quite new to networking with Linux etc. Here's the scenario: I have 3 webservers inside a network. Let's say they have the following host names and IP addresses:

server1 = 192.168.0.1
server2 = 192.168.0.2
server3 = 192.168.0.3

All traffic comes in to the router and the DMZ is server1, e.g. example.com will bring me to localhost on server1, and I can SSH over the internet to server1 using my static IP address and example.com. What I want is that if I use server1.example.com it will go to server1, server2.example.com will go to server2, etc.

I guess this is all sorted using DNS with BIND? Am I at least on the right track? Does anyone have any info on how I can set this up, or a link to a tutorial or something?

I realise I could change the SSH port for each server, but this is not optimal because all traffic (HTTP/FTP/SSH/etc.) should be forwarded to, for example, server3 when server3.example.com is used.

Tunnelling to each server via server1 is also not an option for me, because users of server3 should not have access to server1.

Any help would be much appreciated! Thanks!

YakobeYak

4 Answers


This is a grossly-simplified explanation, but what you want to do cannot be achieved without changing ports on the outside because the firewall that's in front of your 3 servers doesn't "care" what the hostname is; it only cares about IP addresses and ports and as such has no way of knowing what server it is that you want to connect to.

Now if you can burn a couple of extra public IP addresses, you can do 1:1 NAT (sometimes called "DMZ mode") so that server1, server2, server3 effectively have their own public IP addresses and then you can create server1.example.com to resolve to server1's NAT'ed public IP address and so on.

There might be an SSH daemon or reverse proxy out there that "understands" the SSH protocol enough to do this by hostname, but my guess is not (and perhaps someone well-versed in the SSH v2 protocol can elaborate).

gravyface
  • Thanks for your help! I guess what I want just isn't going to happen, huh? If server1 is a DNS server and gets all traffic for *.example.com, could it not forward traffic for server2.example.com to the internal IP address 192.168.0.2 on the network? But I guess the problem here is that this internal IP address is meaningless to the outside world, huh? – YakobeYak May 11 '11 at 14:49
  • Correct. Because you're using NAT, the internal IP is not visible to the "outside" and therefore can't be used. Why not just set up one server as the outside-accessible SSH server and from there SSH into your other servers? That's pretty much the standard way of doing things and has no impact on concurrency -- i.e. you can have multiple SSH sessions. – gravyface May 11 '11 at 14:56
  • The problem is that these webservers need to be accessed by customers that use SSH GUIs such as Cyberduck, where they cannot tunnel from internet->server1->server2. Also, customer 1 uses one server and customer 2 uses another, so they shouldn't have to tunnel through another server. Tunnelling has been fine for me, but now other people have specific requirements and, as I said in the description, I'm not so great with this networking config stuff (yet - gotta learn, I guess) ;) – YakobeYak May 11 '11 at 15:04
  • You really need to update the requirements in your question -- we're all spending needless time prying requirements out of you on this. So again, back to my point about firewalls: use port 22 for server1, port 222 for server2, port 2222 for server3, and notify your clients to use the proper port in Cyberduck. Either that, or get more public IPs and give each server its own public IP directly or via 1:1 NAT. – gravyface May 11 '11 at 15:08
  • Thanks gravyface. And really sorry for not making the requirements so clear (it's just a by-product of my lack of knowledge in this field). I guess I'll need more public IP addresses then to accomplish what I need. And for servers that only run websites and don't need direct SSH, I can continue to use Apache's mod_proxy on server1 to redirect. I really appreciate your help, though. – YakobeYak May 11 '11 at 15:32
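
The point made in this answer, illustrated with an added example (not code from the original thread): what a device in front of the three servers can actually learn about the intended destination from a client's first bytes. An HTTP/1.1 request names its target in the Host header, which is why an Apache mod_proxy on server1 can dispatch server2.example.com to server2. An SSH client's first message is only the version string "SSH-2.0-<software>" (RFC 4253, section 4.2), with no target hostname, so nothing in front of sshd can route by name. The backend table, the HTTP port and the sample bytes below are constructed for the example.

```python
"""Added example: what a proxy in front of the three servers can learn about the
intended destination from a client's first bytes.

HTTP/1.1 names the target host in the Host header, so a reverse proxy can
dispatch by name. The SSH client's first message is only the identification
string "SSH-2.0-<software>" (RFC 4253, section 4.2); it carries no target
hostname, so routing by name is impossible for SSH.
"""
import re
from typing import Dict, Optional, Tuple

# Hypothetical name -> internal backend table (hosts and IPs from the question;
# the HTTP port is an assumption).
HTTP_BACKENDS: Dict[str, Tuple[str, int]] = {
    "server1.example.com": ("192.168.0.1", 80),
    "server2.example.com": ("192.168.0.2", 80),
    "server3.example.com": ("192.168.0.3", 80),
}

# Constructed samples of the first bytes a client sends after the TCP handshake.
SAMPLE_HTTP = (b"GET /index.html HTTP/1.1\r\n"
               b"Host: server2.example.com\r\n"
               b"User-Agent: curl/7.22.0\r\n\r\n")
SAMPLE_SSH = b"SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3\r\n"

_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def requested_hostname(first_bytes: bytes) -> Optional[str]:
    """Return the hostname the client asked for, or None if the protocol does not say.

    Only plain HTTP/1.x is recognised here; HTTPS would need a TLS SNI parser.
    """
    if first_bytes.startswith(b"SSH-"):
        # SSH identification string: protocol version and software name only.
        return None
    if not _REQUEST_LINE.match(first_bytes):
        return None
    head = first_bytes.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):               # [IPv6]:port form
                return host.split("]", 1)[0] + "]"
            return host.rsplit(":", 1)[0] if ":" in host else host
    return None  # HTTP/1.1 request without Host: nothing to dispatch on


def pick_backend(first_bytes: bytes,
                 table: Dict[str, Tuple[str, int]] = HTTP_BACKENDS
                 ) -> Optional[Tuple[str, int]]:
    """Choose an internal backend by requested name; None means 'cannot route by name'."""
    host = requested_hostname(first_bytes)
    return table.get(host) if host else None


if __name__ == "__main__":
    print("HTTP:", requested_hostname(SAMPLE_HTTP), "->", pick_backend(SAMPLE_HTTP))
    print("SSH: ", requested_hostname(SAMPLE_SSH), "->", pick_backend(SAMPLE_SSH))
```

For the HTTP sample the dispatcher finds server2.example.com and picks 192.168.0.2; for the SSH sample it finds nothing, which is exactly why the thread ends up at separate ports or separate public IPs for SSH while HTTP can stay behind one proxy.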

You could tie each server's sshd to a different port and forward the different ports to the correct IP. Alternatively, you could SSH into server1 and from there access servers 2 & 3.

uSlackr
  • Thanks for your reply. Unfortunately I need to keep SSH on port 22 for each machine. Also, it needs to be direct, without tunnelling, because sometimes other people need to access a machine without having the rights to another. – YakobeYak May 11 '11 at 13:57
  • You might want to update your question with your requirements. – Bart Silverstrim May 11 '11 at 13:58
  • Updated the question. Thanks for your help. I hope it is clearer now. – YakobeYak May 11 '11 at 14:15

You're saying you have one server in the DMZ but it has an internal address, and you have one public address available and one server currently accessible.

If you have one IP but want to SSH into three servers, you will most likely HAVE to have some compromise on the port. It's not hard. Any SSH client can take another port argument.

What I'd normally recommend is using port forwarding on your router to open three ports mapped to your internal server IPs, say port 220 goes to server1, port 221 goes to server2, and port 222 goes to server3.

This won't have anything to do with your web serving, though. Or your DNS. You'd connect to your SSH server like myhost.com on port 221 or whatever port you want to access. On the server itself you can still keep the port at 22 for sshd, as long as your router is mapping externalIP:220->server1:22 and so on.

Bart Silverstrim
  • Surely it must be possible to do this without changing the ports? Isn't it just configuring server2.example.com to go to server2 and server3.example.com to go to server3, using server1 as a DNS server? – YakobeYak May 11 '11 at 14:08
  • @YakobeYak - you only have 1 IP. What do you intend to have server3.example.com resolve to? Since you only have 1 address, you have to differentiate the servers by port. That's simply how IP works. – JimB May 11 '11 at 14:22
  • Thanks for your help guys. This might be where I'm tripping up here. Maybe it's just not possible. What I thought I could do is use DNS to link example.com to 217.217.217.217 (the static WAN IP) to get to my server1 from the internet. Then use DNS on server1 to send traffic for server2.example.com to server2, which has an internal IP of 192.168.0.2. Is this just not possible then? Must every webserver have a static WAN IP? Sorry for the noobiness. – YakobeYak May 11 '11 at 14:30
  • DNS doesn't control the port you go to. But really it's not an issue; just tell them what port to connect to. – Bart Silverstrim May 11 '11 at 14:49
  • @YakobeYak - DNS resolves names to IP addresses. It has nothing to do with where the traffic is routed. And yes, being reachable on the internet means having a public IP address. – JimB May 11 '11 at 14:53
  • Still being a noob, sorry: I don't get it, though... I also want HTTP traffic for server2.example.com to go to server2, and I can't really change the port in this case because people that type server2.example.com in the browser will expect port 80. And what if I buy examplefive.com and want to send HTTP and SSH traffic to server5 within my network? – YakobeYak May 11 '11 at 14:55
  • @JimB - thanks, I'm slowly starting to understand, I think. So for each server I have, it looks like I'll need a public IP address. Could I by any chance use dynamic DNS to get to the computers? Or is this still not a solution because it's still not an IP? – YakobeYak May 11 '11 at 14:58
  • @YakobeYak - You really need to just go and learn a little bit about networking, instead of shooting in the dark and asking random questions. Dynamic DNS is still just DNS, albeit set dynamically. – JimB May 11 '11 at 15:06
  • @JimB - I know, I really need to learn more about networking. I've been reading all sorts of tutorials and info sites, but clearly I still have some massive holes in my knowledge. I would love to do a course or something to learn more, but I'm part of a small startup company and budget is tight. You don't by any chance know any "recommended reading" or websites that might help with this topic, do you? Thanks sooooo much for all your help and the info you have given me. I'm certainly a lot further along in my understanding because of it. I really need to get these concepts under my belt. – YakobeYak May 11 '11 at 15:26
  • @YakobeYak - Try a library or bookstore. "Networking for Dummies" (pretty basic, but may straighten out concepts for you), or the "Networking Bible" might help. There may be better books (I haven't looked), but I think a logically laid out book will help you more right now than bits and pieces from the internet. – JimB May 11 '11 at 15:39
  • @JimB - I think you are right. Off to the bookstore it is then... And thanks again (esp. for your patience ;) – YakobeYak May 11 '11 at 15:42

The simplest solution is to choose three port numbers and arrange port forwarding at your (cable/DSL) router.

e.g. if your router's external IP address is 172.16.45.56:

forward  172.16.45.56 port 17021 to 192.168.0.1 port 22
forward  172.16.45.56 port 17022 to 192.168.0.2 port 22
forward  172.16.45.56 port 17023 to 192.168.0.3 port 22

From the internet you just SSH to 172.16.45.56 port 17022, say.

RedGrittyBrick
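
The port-forwarding scheme in this answer and in Bart Silverstrim's (externalIP:port -> internal:22), modelled as an added example that is not code from the original thread. It shows what the router actually works with: a table keyed on (destination IP, destination port), plus a connection-tracking entry so replies are rewritten back to the public socket the client used. No hostname appears anywhere in it, which is the reason server2.example.com and server3.example.com resolving to the same public address cannot be told apart except by port. The public address 172.16.45.56 and ports are this answer's placeholders, the internal addresses are from the question, the "DMZ host" default mirrors the OP's current setup, and the client address 203.0.113.9 is constructed. The `iptables_rules` helper emits the equivalent Linux nat-table rules; accepting the traffic in the FORWARD chain is left out.

```python
"""Added example: a model of a home router's port-forwarding (DNAT) table.

The router rewrites (destination IP, destination port) on the way in and keeps
a conntrack entry so the reply's source is rewritten on the way out. Nothing
here refers to a hostname: the router cannot see one.
"""
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, tcp port)


class PortForwarder:
    def __init__(self, external_ip: str, dmz_host: Optional[str] = None):
        self.external_ip = external_ip
        self.dmz_host = dmz_host            # receives every port with no explicit rule
        self.forwards: Dict[int, Endpoint] = {}
        # (client, internal destination) -> public socket the client connected to
        self.conntrack: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}

    def forward(self, external_port: int, internal_ip: str, internal_port: int = 22) -> None:
        """externalIP:external_port -> internal_ip:internal_port (sshd stays on 22)."""
        self.forwards[external_port] = (internal_ip, internal_port)

    def inbound(self, client: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Translate a new inbound connection; None means the router drops it."""
        if dst[0] != self.external_ip:
            return None
        target = self.forwards.get(dst[1])
        if target is None:
            if self.dmz_host is None:
                return None
            target = (self.dmz_host, dst[1])  # "DMZ mode": same port, DMZ host
        self.conntrack[(client, target)] = dst
        return target

    def outbound(self, internal_src: Endpoint, client: Endpoint) -> Optional[Endpoint]:
        """Rewrite a reply's source so the client sees the public socket it used."""
        return self.conntrack.get((client, internal_src))

    def iptables_rules(self) -> List[str]:
        """Equivalent Linux nat-table rules (FORWARD-chain ACCEPT rules not shown)."""
        return [
            f"iptables -t nat -A PREROUTING -d {self.external_ip} -p tcp --dport {ext} "
            f"-j DNAT --to-destination {ip}:{port}"
            for ext, (ip, port) in sorted(self.forwards.items())
        ]


def example_router() -> PortForwarder:
    """The three forwards from the answer, with server1 kept as the DMZ host."""
    router = PortForwarder("172.16.45.56", dmz_host="192.168.0.1")
    router.forward(17021, "192.168.0.1")
    router.forward(17022, "192.168.0.2")
    router.forward(17023, "192.168.0.3")
    return router


if __name__ == "__main__":
    router = example_router()
    client = ("203.0.113.9", 51000)        # constructed internet client
    target = router.inbound(client, ("172.16.45.56", 17022))
    print("client -> 172.16.45.56:17022 is delivered to", target)
    print("reply from", target, "leaves as", router.outbound(target, client))
    print("\n".join(router.iptables_rules()))
```

Run stand-alone it shows the 17022 connection landing on 192.168.0.2:22 and the reply leaving as 172.16.45.56:17022, while a connection to port 80 still falls through to the DMZ host (server1), so the existing web setup is untouched by adding the SSH forwards.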