LinuxQuestions.org
Old 11-07-2006, 01:52 PM   #1
edywas
LQ Newbie
 
Registered: Nov 2006
Posts: 7

Rep: Reputation: 0
internal LAN IPs to get accessed from Internet ( not through port forwarding )


Hello gents,

Here is the problem I am facing; any help will be much appreciated.

I have a Linux PC configured as gateway to my private network.
Also the gateway holds the DNS of wwwDOTmy-domainDOTcom.
Gateway has 2 NICs
ETH0 - going outside
ETH1 - inside the network

Inside the network I have 20 PCs; most of them are Windows workstations, but I also have 4 to 8 Linux servers.

I am interested in exposing the Linux servers (for the sake of the problem definition, let's say all 8 of them) that I have within the network to the Internet for direct access, through the gateway of course.

I have 8 external IPs (the ISP provided me with 8 IPs as subclasses to the ETH0 IP).

1-st question is ( from back to end ):
=================
What do I need to do in order to expose each of the servers so they can be accessed from the Internet as "subdomains", or more clearly:
If my DNS is wwwDOTmy-domainDOTcom
I would like to get the 8 intranet servers accessed as:
Server1DOTmy-domainDOTcom
Server2DOTmy-domainDOTcom
...
Server8DOTmy-domainDOTcom

2-nd question is :
================
I first set up the IPs the ISP gave me (as subclasses to the IP of my domain) on each server, but I cannot ping them from outside.
So I wonder what else I need to do, besides setting up the external IPs as I received them from the ISP through ETH1, in order to first of all get the servers pinged from the Internet, and only afterwards the 1st question, in which I will substitute the IPs with "subdomain" names like Server1DOTmy-domainDOTcom for Server1 and so on.

Thank you.
I will really appreciate.

BR.
 
Old 11-08-2006, 07:41 AM   #2
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
Answer to 1:

You would need a DNS server, either external or internal. External would be easier because you already have a DNS entry that serves www.mydomain.com.
Just see if you can get the person providing this DNS entry to set up some subdomains referring to the 8 IPs your ISP gave you.

Internal would involve a bit more work. You have to set up your own DNS server (BIND, for example) and have the DNS entry for www.mydomain.de reflect your internal DNS server. Check out the BIND manual on the BIND website for how to do this.

Answer to 2:

As every outward connection to any of these 8 IPs comes through your gateway, you have to distribute from there. The easy way is to use iptables and NAT to forward all incoming traffic for one IP to the server you want it to go to. The internal IPs need not and should not be the same as the outward IPs.
Check out the man page of iptables.

There are definitely other solutions for this, but I don't know them.

And a final point of advice. Please don't have the workstations and the servers in one network range, for security reasons. If you have an extra NIC, put it into your gateway and connect only the servers to that NIC.

You have a long way to go. Hope it helps.

Regards Zhjim
 
Old 11-10-2006, 07:56 AM   #3
edywas
LQ Newbie
 
Registered: Nov 2006
Posts: 7

Original Poster
Rep: Reputation: 0
Hi zhjim,
and thank you for your reply.

I did manage to do all I mentioned here.
Yes indeed, I manage the DNS, so I was in complete control of what I was asking and therefore found my way in doing so.

Yes,
I would like to follow your advice (it was my thought in the 1st place as well) in all you said about keeping servers and workstations inside a LAN and exposing the servers outside, on different NICs.
I am not sure yet how to do it and whether it is worth it for me to add a 3rd NIC.
You see? The servers are not for permanent exposure, but only for when I need it.

More than a security issue, here I have a network infrastructure question:
For when I want the LAN servers to be seen from the Internet and for when I want them to be used only on the intranet LAN, I would like to be able to make a single switch between the different Internet TCP/IP settings of the networks on the servers.

Is this possible?
My problem is that the internal NIC needs to stay on the sub-class of IPs that will allow me to make the servers online to the Internet when I want to. I wonder whether, if I use IPs within the same sub-class that are not published, they will stay offline for the Internet... I need to check this... If you think of a better networking infrastructure, please let me know.

all the best.
 
Old 11-10-2006, 09:48 AM   #4
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
The normal setup for a LAN with exposed servers. Straight from the books.

Gateway with three NICs.
First NIC connected to Internet (WAN)
Second NIC connected to workstation switch (LAN)
Third NIC connected to demilitarized zone holding the servers (DMZ)

There are some more complex setups, but that's the easiest one and I think the best fit for your situation.

Quote:
For when i want the LAN Servers to be seen from Internet and for when i want them to be used only on the intranet LAN , i would like to be able to make a single switch between the different Internet TCP/IP settings of the Networks on the Servers.

Is it possible?
Definitely possible. And there are some ways to do this.

You could change the IP addresses of the servers so that they match the IP a query to the outward DNS would get.
That means you just set up the DNS zone for the servers, set up the gateway to do the NATting, but don't give the server the IP that is shown in the zone. And then when you need incoming connections from INET you just change the IPs of the servers.

Or a maybe better solution is doing this through DNS.
OK, you can tell a DNS server to return different IPs depending on where the query comes from. So when you want the INET to access your servers you would change your DNS settings and the INET can reach your servers. This way you can also block access from the local net to the servers during this time.

Maybe we can find an even better solution when you describe the LAN setup you are actually using now, with switches and everything.

I can definitely find some more usable solutions, but am a bit exhausted right now. Friday, you know.

Zhjim
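
The gateway NAT and three-NIC DMZ layout suggested in this thread, as an added example that is not code from any poster: the script only prints iptables commands for review, and `gen_rules D` prints the matching deletions, giving one on/off switch at the gateway. Interface names, the 203.0.113.x and 10.0.0.x addresses and the port lists are constructed placeholders; NAT for the workstations' own Internet access is assumed to be in place already.

```shell
#!/bin/sh
# Added example: PRINTS iptables commands for review; it does not apply them.
# Interfaces, addresses and ports below are constructed placeholders.
WAN_IF=eth0   # to the ISP
LAN_IF=eth1   # workstations
DMZ_IF=eth2   # servers only (the third NIC)

# One entry per server: public_ip:dmz_ip:allowed_tcp_ports
MAP="203.0.113.2:10.0.0.2:22,80
203.0.113.3:10.0.0.3:443"

# Fixed policy: forward nothing by default, let workstations reach the
# Internet and the DMZ, and never let a DMZ host open a connection into the LAN.
gen_baseline() {
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
  echo "iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -j ACCEPT"
  echo "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -m conntrack --ctstate NEW -j DROP"
}

# gen_rules A prints the rules that expose the servers; gen_rules D prints
# the matching deletions, so exposure is switched on and off at the gateway.
gen_rules() {
  op=$1
  case $op in A|D) ;; *) echo "usage: gen_rules A|D" >&2; return 2 ;; esac
  for entry in $MAP; do
    pub=${entry%%:*}; rest=${entry#*:}
    dmz=${rest%%:*};  ports=${rest#*:}
    # Rewrite the public destination to the DMZ host; conntrack reverses
    # the translation on replies, so they need no rule of their own.
    echo "iptables -t nat -$op PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $dmz"
    # Admit only new connections to the listed TCP ports of that host.
    echo "iptables -$op FORWARD -i $WAN_IF -o $DMZ_IF -d $dmz -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
  done
}

# Assumption: the public addresses are routed to the gateway or configured
# on $WAN_IF, so that traffic addressed to them actually arrives here.
gen_baseline
gen_rules "${1:-A}"
```
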
 
Old 10-26-2007, 03:30 PM   #5
Pingala
LQ Newbie
 
Registered: Oct 2007
Posts: 1

Rep: Reputation: 0
Configuring LinkSys Wireless Router for LAN IPs to get Accessed from Internet

I am having a similar problem. I have a bunch of workstations (including a server) on my internal LAN (192.168.1.0 segment). I have a LinkSys wireless router acting as a gateway to the ISP's Internet.
I would like to configure ONE workstation (say 192.168.1.10) to be accessed from the Internet. How do I configure the LinkSys router?

Thanks in advance,

Pingala
 
  

