Publish an inside server on one public port

Scenario

An inside web server, 10.0.1.10, serves on TCP 8080. It's on private space, so the outside world can't reach it directly. You need to publish exactly that one service on the router's public address, 203.0.113.1:8080, and nothing else inside should be exposed.

The router is a Linux box; interfaces and routing are set up, and the inside server is already listening on 8080. No NAT is configured yet.

Topology

• Inside: 10.0.1.0/24; server 10.0.1.10 (listening on TCP 8080), gateway 10.0.1.1 (router eth1)
• Outside: router 203.0.113.1 (eth2), client 203.0.113.10

Your job

Configure inbound destination-NAT (port forwarding) so the outside client reaches the inside server by hitting 203.0.113.1:8080. Only port 8080 should be forwarded.

What "done" looks like

The outside client gets a response from the inside server through 203.0.113.1:8080, and the router's ruleset shows the DNAT rule.

Teaches: destination NAT / port forwarding (the inbound counterpart to PAT), and scoping it to one port so you publish a service without exposing the host.

Tooling note

Free path: an nftables dnat rule in prerouting on the Linux router. On a NOS the equivalent is a static ip nat inside source / port-forward statement.