On 2/14/06, Howard Lowndes <[EMAIL PROTECTED]> wrote:
> I know about BIND views, in fact I use them, but I don't think they will
> work here.
>
> What I need is for lannet.com.au, thisdomain.tld and thatdomain.tld to
> all resolve to the same public w.x.y.z externally, but be DNAT'd to
> different private 192.168.y.z addresses internally.

Application-layer proxies are the only way I know of to achieve this.

DNAT works at the transport layer; at that layer, the only addressing information you have is the source/destination IPs and source/destination ports. The information which you need to use to distinguish between the internal hosts is a few layers up - in SMTP "to:" headers or HTTP "host:" headers. Unfortunately, you're not going to get any of this data until, at the very earliest, the first packet after the TCP three-way handshake; there's no possible way to perform the DNAT earlier than that because you don't know what the internal destination is going to be.

The only way to achieve what you're looking for (that I can think of anyway - I'd be thrilled to be proven wrong) is with an application layer proxy. This could be as simple as a Linux machine which sits facing the internet and runs Apache with mod_proxy (or squid; or any of a dozen other solutions) for HTTP proxying, $MTA_OF_CHOICE for proxying mail, etc. At the other end of the scale, 'hardware' load-balancers will do the proxying for you with much less overhead (at least in terms of network overhead/latency - not necessarily in terms of $$$ overhead).

The only other thing I can think of is to assign certain ranges of ports to certain machines: e.g., ports 10001-12000 on the external interface map to 1-2000 on 192.168.25.1, 12001-14000 map to ports 1-2000 on 192.168.25.2, etc. This gets ugly though, so I'm not going to talk about it further...

--
There is nothing more worthy of contempt than a man who quotes himself - Zhasper, 2005

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
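
Added example (not part of the original message): a Python illustration of the routing decision an application-layer proxy makes and DNAT cannot, because it depends on the Host header in the first bytes after the handshake. The 192.168.25.x backend mapping and the helper names are constructed for illustration; a missing, duplicated or unknown Host is refused rather than sent to a default machine.

```python
from typing import Optional, Tuple

# Constructed mapping: the three names share one public IP, so only the
# Host header can tell them apart. Internal addresses are assumptions.
BACKENDS = {
    "lannet.com.au": ("192.168.25.1", 80),
    "thisdomain.tld": ("192.168.25.2", 80),
    "thatdomain.tld": ("192.168.25.3", 80),
}

class NeedMoreData(Exception):
    """The request head has not fully arrived yet; keep reading."""

def host_from_request(head: bytes) -> Optional[str]:
    """Return the normalised Host value, or None if absent or ambiguous."""
    end = head.find(b"\r\n\r\n")
    if end == -1:
        raise NeedMoreData
    hosts = []
    for line in head[:end].split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            hosts.append(value.strip())
    if len(hosts) != 1:  # missing or duplicated Host: refuse to guess
        return None
    try:
        host = hosts[0].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    if ":" in host:  # drop an explicit :port suffix
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")  # treat a trailing-dot FQDN as the same name

def pick_backend(head: bytes) -> Optional[Tuple[str, int]]:
    """Map the first bytes after the handshake to (ip, port); None = reject."""
    host = host_from_request(head)
    return BACKENDS.get(host) if host else None

def request(host_header: str) -> bytes:
    # Constructed sample request, as a client would send it to w.x.y.z:80.
    return f"GET / HTTP/1.1\r\n{host_header}\r\n\r\n".encode("ascii")

if __name__ == "__main__":
    for h in ("Host: lannet.com.au", "Host: ThisDomain.tld:80",
              "Host: other.example"):
        print(h, "->", pick_backend(request(h)))
```

Every one of these requests arrives with the same destination IP and port, which is all a DNAT rule would see.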