@developerinlondon
Last active August 29, 2015 14:05
ubuntu@ip-172-31-23-17:~$ sudo iptables -t nat -F lxc-nat
ubuntu@ip-172-31-23-17:~$ sudo iptables -t nat -D PREROUTING -j lxc-nat
ubuntu@ip-172-31-23-17:~$ sudo iptables -t nat -X lxc-nat
ubuntu@ip-172-31-23-17:~$ sudo iptables -t nat -N lxc-nat
ubuntu@ip-172-31-23-17:~$ sudo iptables -t nat -A PREROUTING -j lxc-nat
ubuntu@ip-172-31-23-17:~$ sudo iptables -t nat -A lxc-nat -d 172.31.23.17 -p tcp --dport 40000 -j DNAT --to 10.0.3.95:80
ubuntu@ip-172-31-23-17:~$ sudo iptables --list\
> ^C
ubuntu@ip-172-31-23-17:~$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere ip-192-168-122-0.ec2.internal/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- ip-192-168-122-0.ec2.internal/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ubuntu@ip-172-31-23-17:~$ nmap -v -A 172.31.23.17
Starting Nmap 6.40 ( http://nmap.org ) at 2014-08-19 00:41 UTC
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 00:41
Scanning 172.31.23.17 [2 ports]
Completed Ping Scan at 00:41, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:41
Completed Parallel DNS resolution of 1 host. at 00:41, 0.00s elapsed
Initiating Connect Scan at 00:41
Scanning ip-172-31-23-17.ec2.internal (172.31.23.17) [1000 ports]
Discovered open port 22/tcp on 172.31.23.17
Discovered open port 5000/tcp on 172.31.23.17
Completed Connect Scan at 00:41, 0.03s elapsed (1000 total ports)
Initiating Service scan at 00:41
Scanning 2 services on ip-172-31-23-17.ec2.internal (172.31.23.17)
Completed Service scan at 00:41, 6.05s elapsed (2 services on 1 host)
NSE: Script scanning 172.31.23.17.
Initiating NSE at 00:41
Completed NSE at 00:41, 0.12s elapsed
Nmap scan report for ip-172-31-23-17.ec2.internal (172.31.23.17)
Host is up (0.00046s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| ssh-hostkey: 1024 af:84:11:5a:cd:bd:34:ad:3e:ec:18:c6:4c:f5:42:78 (DSA)
| 2048 76:8a:ff:95:d5:32:04:fc:21:73:21:7f:c1:48:22:16 (RSA)
|_256 44:8a:54:71:42:53:ac:a8:a8:f2:ba:59:2d:af:39:5f (ECDSA)
5000/tcp open http Werkzeug httpd 0.9.6 (Python 2.7.6)
|_http-methods: HEAD OPTIONS GET
|_http-title: Login - LXC Web Panel
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.40%I=7%D=8/19%Time=53F29D29%P=x86_64-pc-linux-gnu%r(NULL
SF:,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
NSE: Script Post-scanning.
Initiating NSE at 00:41
Completed NSE at 00:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.56 seconds
ubuntu@ip-172-31-23-17:~$ curl 172.31.23.17:40000
curl: (7) Failed to connect to 172.31.23.17 port 40000: Connection refused
ubuntu@ip-172-31-23-17:~$ nmap -v -A 172.31.23.17 -p 40001
Starting Nmap 6.40 ( http://nmap.org ) at 2014-08-19 00:56 UTC
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 00:56
Scanning 172.31.23.17 [2 ports]
Completed Ping Scan at 00:56, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:56
Completed Parallel DNS resolution of 1 host. at 00:56, 0.00s elapsed
Initiating Connect Scan at 00:56
Scanning ip-172-31-23-17.ec2.internal (172.31.23.17) [1 port]
Completed Connect Scan at 00:56, 0.00s elapsed (1 total ports)
Initiating Service scan at 00:56
NSE: Script scanning 172.31.23.17.
Initiating NSE at 00:56
Completed NSE at 00:56, 0.00s elapsed
Nmap scan report for ip-172-31-23-17.ec2.internal (172.31.23.17)
Host is up (0.000051s latency).
PORT STATE SERVICE VERSION
40001/tcp closed unknown
NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
ubuntu@ip-172-31-23-17:~$ sudo iptables -L -nv
Chain INPUT (policy ACCEPT 6030 packets, 384K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT tcp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * lxcbr0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 5802 packets, 403K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
ubuntu@ip-172-31-23-17:~$
@developerinlondon

here's the output from iptables-save:

ubuntu@ip-172-31-23-17:~$ sudo sh -c "iptables-save > /etc/iptables.rules"
ubuntu@ip-172-31-23-17:~$ cat /etc/iptables.rules 
# Generated by iptables-save v1.4.21 on Tue Aug 19 01:07:46 2014
*mangle
:PREROUTING ACCEPT [6639:424029]
:INPUT ACCEPT [6639:424029]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6216:479109]
:POSTROUTING ACCEPT [6216:479109]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Aug 19 01:07:46 2014
# Generated by iptables-save v1.4.21 on Tue Aug 19 01:07:46 2014
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [2116:127432]
:POSTROUTING ACCEPT [2098:125880]
:lxc-nat - [0:0]
-A PREROUTING -j lxc-nat
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A lxc-nat -d 172.31.23.17/32 -p tcp -m tcp --dport 40000 -j DNAT --to-destination 10.0.3.95:80
COMMIT
# Completed on Tue Aug 19 01:07:46 2014
# Generated by iptables-save v1.4.21 on Tue Aug 19 01:07:46 2014
*filter
:INPUT ACCEPT [220:15309]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [134:35799]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -d 10.0.3.95/32 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Tue Aug 19 01:07:46 2014
ubuntu@ip-172-31-23-17:~$ 
