By reverse proxying. Run a load balancer on a single machine and have that reverse proxy connections to their destination.
But what if you insist on not using a proxy for whatever reason?
When people say "NAT", they're usually talking about SNAT/MASQUERADE, i.e. NATing outbound connections. What you're asking for here is port forwards/DNAT, i.e. applying NAT to redirect an inbound connection.
If you want to NAT inbound connections, you can do it without NATing outbound connections. Essentially: you don't need to "NAT", you just need to port forward.
Honestly, I think you should just suck it up and use different hostnames for different services, because running all of your services on one IP is really bad for security since it makes it much easier to enumerate every service you're running -- it only takes scanning 65k ports on one IP to find them all, rather than 65k ports on 2^64 IPs. That's the difference between megabytes and yottabytes of port scan traffic.
(If you NATed outbound connections to also come from this IP then things get even worse because every outbound connection from any of your machines immediately informs the server of the IP needed to make an inbound connection to you. That's a completely unnecessary security sacrifice.)
But if you're going to run everything on one IP without proxying, you only need port forwards to do it, you don't need to run the network on some local IP range too.
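As an added illustration of the point above (this is example code, not something posted in the thread), the following POSIX shell script generates an nftables ruleset that does only inbound port forwarding: DNAT in the prerouting hook plus a forward chain that admits just the DNATed connections. There is deliberately no `masquerade` or `snat` statement, so outbound traffic from the backends is left alone. The public address 203.0.113.10, the interface name eth0 and the 10.0.0.0/24 backends are assumed values chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: emit an nftables ruleset that port
# forwards (DNAT) inbound connections to one public IP and never SNATs.
# Assumed values: public IP 203.0.113.10, WAN interface eth0, backends in
# 10.0.0.0/24. Usage: sh portfwd.sh (print) or sh portfwd.sh --apply (load).

# valid_port N: true if N is an integer between 1 and 65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_rule RULE: RULE is "proto:publicport:backend_ip:backendport".
check_rule() {
    oldifs=$IFS; IFS=:; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    case $1 in tcp|udp) ;; *) return 1 ;; esac
    valid_port "$2" && valid_port "$4" || return 1
    case $3 in *[!0-9.]*|'') return 1 ;; esac
}

# emit_rule WAN_IF PUBLIC_IP RULE: one DNAT statement for the prerouting chain.
# Only the destination address/port is rewritten; the source is untouched.
emit_rule() {
    wan=$1; pub=$2
    oldifs=$IFS; IFS=:; set -- $3; IFS=$oldifs
    printf '    iifname "%s" ip daddr %s %s dport %s dnat to %s:%s\n' \
        "$wan" "$pub" "$1" "$2" "$3" "$4"
}

# gen_dnat_ruleset PUBLIC_IP WAN_IF RULE...: print the full ruleset, or
# return 1 (printing nothing) if any rule is malformed.
gen_dnat_ruleset() {
    pub_ip=$1; wan_if=$2; shift 2
    for r in "$@"; do
        check_rule "$r" || { echo "bad rule: $r" >&2; return 1; }
    done
    printf 'table ip portfwd {\n'
    printf '  chain prerouting {\n'
    printf '    type nat hook prerouting priority dstnat; policy accept;\n'
    for r in "$@"; do
        emit_rule "$wan_if" "$pub_ip" "$r"
    done
    printf '  }\n'
    printf '  chain forward {\n'
    printf '    type filter hook forward priority filter; policy drop;\n'
    printf '    ct state established,related accept\n'
    # Only connections that were DNATed above may be forwarded, so the
    # backends are not reachable through this box on any other port.
    printf '    iifname "%s" ct status dnat ct state new accept\n' "$wan_if"
    printf '  }\n'
    printf '}\n'
}

# Example forwards (assumed): 443 -> web backend, 53/udp -> DNS backend.
if [ "${1:-}" = "--apply" ]; then
    # Return packets from the backends are un-DNATed by conntrack only if
    # they are routed back through this host, so the backends' default
    # route must point at it; otherwise replies leave with the wrong source.
    sysctl -w net.ipv4.ip_forward=1
    gen_dnat_ruleset 203.0.113.10 eth0 tcp:443:10.0.0.10:8443 \
        udp:53:10.0.0.20:53 | nft -f -
else
    gen_dnat_ruleset 203.0.113.10 eth0 tcp:443:10.0.0.10:8443 \
        udp:53:10.0.0.20:53
fi
```

The one caveat worth stating: without SNAT the backends' replies must route back through the forwarding host for conntrack to reverse the DNAT. If a backend has a different default gateway, its replies go out with the 10.0.0.x source and the client drops them; that is the only situation where adding SNAT on the inbound leg is actually necessary.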
> I think you should just suck it up and use different hostnames for different services, because running all of your services on one IP is really bad for security since it makes it much easier to enumerate every service you're running
I really, really don't want to do this for a ton of reasons. Port scanning isn't high on my security worries, to be honest. I've been dealing with that for decades and am well-protected, so that's not a compelling reason for me.