iptables: get access to the network with nat and a public IPv4

I have a public IPV4 address, a host and a virtual machine (IP
With iptables on the host side, I managed to redirect only port 22 (ssh) to the host with the help of the nat table.

Nat table:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination

Filter table:

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

Now I wish I could access the web from the host and the virtual machine.

I tried to add in the Filter tab:

iptables -I OUTPUT -o eth0 -d -j ACCEPT

But it is still impossible to get web access from the host. By the way, PING from the host to an external IP works perfectly.

NAT table:

target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DNAT       all  --  anywhere             anywhere             to:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

target     prot opt source               destination

FILTER table:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination                     
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED

Any help is welcome!

apache 2.2: web server behind double NAT with virtual hosts

I have an Apache 2.2 web server running in a Debian distribution behind a double NAT configuration (Google Fiber Box and Linksys Router). I have configured several virtual hosts, however, it seems that by doing so, I have removed the ability to access my Linksys configuration page when I am on the Fiber network.

In the fiber box, I have forwarded all TCP and UDP ports to the Linksys ( However, when I write that IP while I'm on the network, the default virtual host page appears, instead of the router configuration page, as expected.

apache2ctl -S

(Fri Sep 27 21:07:29.429423 2019) (alias:warn) (pid 2838) AH00671: The Alias directive in /etc/apache2/sites-enabled/recipes.conf at line 1 will probably never match because it overlaps an earlier Alias.
VirtualHost configuration:
*:80                   is a NameVirtualHost
     default server 136.zz.yyy.xxx (/etc/apache2/sites-enabled/000-default.conf:1)
     port 80 namevhost 136.zz.yyy.xxx (/etc/apache2/sites-enabled/000-default.conf:1)
     port 80 namevhost football.my.site (/etc/apache2/sites-enabled/football.conf:3)
     port 80 namevhost recipes.my.site(/etc/apache2/sites-enabled/recipes.conf:3)
     port 80 namevhost webmail.my.site (/etc/apache2/sites-enabled/roundcube.conf:4)
     port 80 namevhost webmail.my.site (/etc/apache2/sites-enabled/squirrelmail.conf:21)
*:443                  is a NameVirtualHost
     default server my.site (/etc/apache2/sites-enabled/default-ssl.conf:2)
     port 443 namevhost my.site (/etc/apache2/sites-enabled/default-ssl.conf:2)
     port 443 namevhost football.my.site (/etc/apache2/sites-enabled/football.conf:27)
     port 443 namevhost recipes.my.site (/etc/apache2/sites-enabled/recipes.conf:27)
     port 443 namevhost webmail.my.site (/etc/apache2/sites-enabled/roundcube.conf:32)
     port 443 namevhost webmail.my.site (/etc/apache2/sites-enabled/squirrelmail.conf:45)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl 
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
User: name="www-data" id=33
Group: name="www-data" id=33

Can anyone help? Happy to post more information, but I'm not completely sure what someone would need to help. AUNT!

Mikrotik NAT works in RDP but not in ports 5555 or 8787

I have a router with some simple NAT rule that allowed me to connect remotely to my remote desktop (now disabled), the problem is that NAT does not work on ports 5555 and 8787 with a similar configuration, see my configuration below.

(admin@MikroTik) > ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Remote Desktop
  chain=dstnat action=dst-nat to-addresses= to-ports=3389 protocol=tcp 
  in-interface=ether1-WAN dst-port=3389 log=yes log-prefix="RDP->" 

  1    ;;; SDR
  chain=dstnat action=dst-nat to-addresses= to-ports=5555 protocol=tcp 
  in-interface=ether1-WAN dst-port=5555 log=yes log-prefix="SDR->" 

  2    ;;; R Studio
  chain=dstnat action=dst-nat to-addresses= to-ports=8787 protocol=udp 
  in-interface=ether1-WAN dst-port=8787 log=yes log-prefix="" 

  3    ;;; defconf: masquerade
  chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="MASK ->" 

Thank you

nat: we need 3,000 devices to be connected to the internet

I need to make 3,000 devices use the Internet in a large room.

Do we need multiple public Internet IPs so they can use the Internet at the same time? o Can we have a single public Internet IP with 3000 devices connected to the Internet through a router?

Would there be a problem if we only have a public Internet IP with 3000 connected devices that use this unique public IP all together for the public Internet connection?

NAT would be overloaded if there is only 1 public IP? If not, how does the router (or device responsible for NAT) know how to divide traffic from the external port to the appropriate port of the appropriate internal device?

IPTables KVM NAT port forward goes to wrong VM

Good day,

I have 2 virtual machines that run with libvirt.

Machine 1 : PostgreSQL on port 5432
Machine 2 : Attempting to use psql to connect to a PostgreSQL server on the internet.

Forward port 5432 to access PostgreSQL on Machine 1 from outside / as a service.

The problem I have: Machine 2 tries to connect to a PostgreSQL server on the Internet, but when the packets return, they are forwarded to machine 1, which then responds to machine 2. Therefore, I never establish a proper connection to the external PostgreSQL.

How do I change my port forwarding rules to adapt to this?

(I used to use nat-networking in VirtualBox that took care of that for me, but KVM is cooler πŸ™‚

Current Rules Machine 1:

/sbin/iptables -I FORWARD -o virbr66 -d -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp --dport 5432 -j DNAT --to

How secure is NAT to keep my network private?

To expand How can a web page scan my local internal network from the Internet? How secure is my private network against possible threats such as DoS attacks, phishing attacks, disclosure of information about my private network services, etc. Have there been recent attacks?

I recently read (https://www.sans.org/reading-room/whitepapers/networkdevs/easy-steps-cisco-extended-access-list-231) that without an ACL it establishes the incoming ICMP echo request (ICMP type 8), ICMP exceeded in time (ICMP type 11) could reveal its intranet structure. That's right?

Routing: SMB shares inaccessible over 1: 1 NAT

I have a problem related to the shared folders of Win 10 SMB in my company's network. There is a subnet (let's call it production) that contains 3 hosts that are industrial PCs used as machine controllers, connected through an mGuard router to the rest of the network (let's call it company). There is (supposedly) a 1: 1 NAT configuration that is supposed to assign host 1 of the production network to an address in the company's network. What I want to achieve is a shared folder on host 1 in the production network, accessible through NAT in the company network. I do not have access to the router configuration, since it is configured remotely by the machine manufacturer, however, the NAT seems to be configured as requested, since there is an address in the company network that responds to the Ping and VNC connection requests, but I cannot access any shared folder. The shares also appear to be configured correctly, as they are viewed from the other two hosts in the subnet. MGuard supposedly does not filter any applications, Windows firewalls are disabled on the controller PC

NMAP of the NAT address seen from the company's network:

NSE: Loaded 148 scripts for scanning.

NSE: Script Pre-scanning.

Initiating NSE at 11:43

Completed NSE at 11:43, 0.00s elapsed

Initiating NSE at 11:43

Completed NSE at 11:43, 0.00s elapsed

Initiating ARP Ping Scan at 11:43

Scanning (1 port)

Completed ARP Ping Scan at 11:43, 0.52s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 11:43

Completed Parallel DNS resolution of 1 host. at 11:43, 0.00s elapsed

Initiating SYN Stealth Scan at 11:43

Scanning (1000 ports)

Discovered open port 3389/tcp on

Discovered open port 5900/tcp on

Discovered open port 1433/tcp on

Completed SYN Stealth Scan at 11:43, 4.02s elapsed (1000 total ports)

Initiating Service scan at 11:43

Scanning 3 services on

Completed Service scan at 11:44, 11.01s elapsed (3 services on 1 host)

Initiating OS detection (try #1) against

Retrying OS detection (try #2) against

NSE: Script scanning

Initiating NSE at 11:44

Completed NSE at 11:44, 5.12s elapsed

Initiating NSE at 11:44

Completed NSE at 11:44, 0.00s elapsed

Nmap scan report for

Host is up (0.0017s latency).

Not shown: 997 filtered ports


1433/tcp open  ms-sql-s      Microsoft SQL Server 2014 12.00.5000.00; SP2

| ms-sql-ntlm-info: 

|   Target_Name: 8957PU10-50K2

|   NetBIOS_Domain_Name: 8957PU10-50K2

|   NetBIOS_Computer_Name: 8957PU10-50K2

|   DNS_Domain_Name: 8957Pu10-50K2

|   DNS_Computer_Name: 8957Pu10-50K2

|_  Product_Version: 10.0.14393

| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback

| Issuer: commonName=SSL_Self_Signed_Fallback

| Public Key type: rsa

| Public Key bits: 1024

| Signature Algorithm: sha1WithRSAEncryption

| Not valid before: 2019-08-19T03:53:15

| Not valid after:  2049-08-19T03:53:15

| MD5:   7c01 11b2 b195 05bd 7557 949c 9f95 7057

|_SHA-1: 4542 4e51 1207 f65e 01a4 6ab3 0d4c 7391 09f1 4f09

|_ssl-date: 2019-08-19T09:44:45+00:00; +30s from scanner time.

3389/tcp open  ms-wbt-server Microsoft Terminal Services

| ssl-cert: Subject: commonName=8957Pu10-50K2

| Issuer: commonName=8957Pu10-50K2

| Public Key type: rsa

| Public Key bits: 2048

| Signature Algorithm: sha256WithRSAEncryption

| Not valid before: 2019-07-14T03:56:52

| Not valid after:  2020-01-13T03:56:52

| MD5:   e8bb 8d4a 32fa 6b74 c313 3d52 8f93 1790

|_SHA-1: c2b5 d8a8 44e1 a089 0525 6665 945e eceb 387b 70eb

|_ssl-date: 2019-08-19T09:44:45+00:00; +31s from scanner time.

5900/tcp open  vnc           VNC (protocol 3.8)

| vnc-info: 

|   Protocol version: 3.8

|   Security types: 

|     VNC Authentication (2)

|     Tight (16)

|   Tight auth subtypes: 

|_    STDV VNCAUTH_ (2)

MAC Address: A8:74:1D:76:A1:0C (Phoenix Contact Electronics Gmbh)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: general purpose|WAP

Running (JUST GUESSING): Linux 2.6.X (97%), D-Link embedded (96%), TRENDnet embedded (96%), Microsoft Windows 2016|Vista (91%), FreeBSD 6.X (87%)

OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/h:dlink:dwl-624%2b cpe:/h:dlink:dwl-2000ap cpe:/h:trendnet:tew-432brp cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_vista::sp1:home_premium cpe:/o:freebsd:freebsd:6.2

Aggressive OS guesses: Linux 2.6.18 - 2.6.22 (97%), D-Link DWL-624+ or DWL-2000AP, or TRENDnet TEW-432BRP WAP (96%), Microsoft Windows Server 2016 (91%), Microsoft Windows Vista Home Premium SP1 (89%), FreeBSD 6.2-RELEASE (87%)

No exact OS matches for host (test conditions non-ideal).

Uptime guess: 0.244 days (since Mon Aug 19 05:52:30 2019)

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=257 (Good luck!)

IP ID Sequence Generation: Incremental

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:

|_clock-skew: mean: 30s, deviation: 0s, median: 30s

| ms-sql-info: 


|     Version: 

|       name: Microsoft SQL Server 2014 SP2

|       number: 12.00.5000.00

|       Product: Microsoft SQL Server 2014

|       Service pack level: SP2

|       Post-SP patches applied: false

|_    TCP port: 1433



1   1.67 ms

The host name 1 netbios is 8957PU10-50K2

Some related resources:


Thanks in advance.

amazon web services – Asymmetric return paths in a with a NAT in a VPC?

To better understand how AWS VPCs (and NATs in general) work, I was reading this question where the goal was to have the following:

# GOAL   local
A.B.C.D/32      nat-451b3be9       igw-b4ac67d0  

This is what intrigued me:

Also note that the configuration you are trying will allow outbound connections, but will never allow incoming connections (initiated from outside) from the ABCD address to anything on this subnet, because the return path is asymmetric through the NAT gateway .

The NAT gateway is not designed to be created on any subnet for which it provides NAT services. Instances reach external resources through the route table of their subnet (points to NAT-GW for instances without public IP, points to IGW for instances with public IP) and NAT-GW reaches the Internet through its route table Subnet (points to IGW).

If an instance is using its own public IP, it must route the responses through IGW because that is where the incoming traffic comes from, and it cannot attempt to exit through NAT-GW because the outside pair would see the response coming from the source Incorrect IP if traffic was translated.

I am trying to understand exactly why I would allow outbound but not inbound traffic. This is what I am thinking: let's say the EC2 instance has an elastic IP and is in a subnet with a routing table like the previous one. The NAT is then in a separate subnet. Tell A.B.C.D initiated a connection to the elastic IP of EC2. The connection would not enter the VPC, would the routing table send it through NAT, which would then go to the instance and then return through NAT? However, since it was sent through NAT, the address was translated (as stated above) and the same would drop the packet since it did not come from the IP of the EC2 instance. Is this the right understanding? It will still reach the EC2 instance, but the response packets will never be received by A.B.C.D?

Configure multiple static IPs through NAT in OpenWRT with Nginx

Sorry if this has been asked before, I did an exhaustive search and found nothing similar, so I hope someone can point me in the right direction or help out with the settings. This is what I am working with:

I have 5 static IPs from the ISP, which enter my own router running OpenWRT (it's an R6300v2), and I need the router to not only run Nginx, but NAT those 5 IPs through a single trunk line to a Cisco 2690G L2 / L3 switch, which then branches to approximately two dozen virtual machines that run on four physical hosts.

Now, before going too technical crazy, I guess my first question is this: is it better to use a VM to run as a firewall / router / nginx server instead of the router? I have another physical host sitting on hold if that is the way I should go.

Otherwise, my second question is: how do I combine nginx and NAT routing so that traffic enters a single WAN port and goes to the switch on a single LAN port? I have an idea of ​​the basics, and I can make things work individually, VLAN, NAT, trunking (something), but the Nginx and the combination of everything in a configuration is spinning.

Again, my apologies if this has been done / done before, I may not have written my search correctly, and I sincerely apologize if this is a totally ecological question. However, any help that can or can be provided would be greatly appreciated.

If it helps, I am the only technician working on this network, I have been building it from scratch, so I have unlimited access to the machines, the physical plant, all the addressing information, literally everything, so if there is any change that Should it be done or any other information you should provide, please let me know, I am happy to do so.

Thank you very very much,


Access the local server (Plex) behind double NAT locally

My ISP Modem also has a DHCP wifi that is close to my kitchen, but I never use it, I am using my AirPort Extreme for all my devices and I configured it in DHCP mode because I prefer IP (10.xx. xx.xx instead of 192.xx.xx.xx) (therefore, versus double NAT)

In short, I have noticed that Wi-Fi speeds (AirPort Extreme) are terribly slow in the kitchen and Plex really struggles there.
Now, when I connect to this Wi-Fi ISP modem, it is not able to detect Plex locally, it is shown as a remote connection.

Are there any network settings in Plex that I can do to prevent this and make Plex available locally on the ISP modem (after all ISP and AirPort Extreme modems are connected via Ethernet)

Thank you