What is required to make a web server on a private LAN visible on the Public Internet with only the web server port exposed?

For a web server on a private LAN to be accessible from the public internet while only exposing the web server port, several configurations must be correctly applied. The correct answer involves both enabling connection tracking on the NAT router and setting up destination NAT (dst-nat) to direct traffic from the public IP to the private IP of the web server.

Connection tracking is essential because it allows the router to keep track of active connections and ensures that the return traffic from the web server can properly reach the initiating public IP address. Without connection tracking, the router would not know how to handle incoming packets from the public internet that need to be forwarded back to the private web server.

Destination NAT, on the other hand, is critical for mapping the public IP address and specific port (e.g., port 80 for HTTP) to the internal IP address of the web server. This configuration allows the router to redirect requests coming to its public interface at the specified port to the appropriate internal machine that is hosting the web service.

Thus, both requirements are necessary to correctly configure the access and visibility of the web server from the external network while maintaining security and proper routing of requests.