How to expose one of my private network boxes which has a webserver to Internet?
More rigidly, box A has two interfaces: eth0 and tap1. eth0 is used to connect to the ISP; my IP is 77.37.194.101. Box B is connected to tap1; in this subnet box A has IP 10.1.1.1 and box B 10.1.1.16. How do I make box B reachable from the Internet at 77.37.194.101?
Both machines have Ubuntu.
One option would be DNAT via netfilter on Box A:
That only exposes port 80.
Tap interfaces are virtual, usually used for virtualization. If this is the case you should create another tap interface for a DMZ. Assign the DMZ tap interface to the virtual server. There should not be an IP assigned to the host on the DMZ interface and there should not be an internal network assigned to any machine in the DMZ. Then use the NAT routing. This way if the server is hacked there is not an internal network connecting the host and any other machines or virtuals that you may have. (There is still a small risk from virtualization hacks but you're much safer than giving outside access to the internal network.)
Security precautions and routing should be the same in virtuals or physical machines. Give a quick read to any standard firewall HOWTOs (monowall, ipcop, etc.).
If you just do NAT routing on the internal network, any compromise in your web server will give full access to your entire internal network and host machine, and to all virtuals on the internal network if this is a virtual.
Shell access and file transfer should be done over SSH to the virtual, never over internally shared file access (smb, nfs, etc.).
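As an added example (not code from the question or either answer), the following script builds the netfilter rules the two answers describe: the DNAT of port 80 on 77.37.194.101 to the web server (first answer), and a FORWARD policy that keeps the exposed box on its own tap interface with no path into the internal network (second answer). The WAN interface and addresses come from the question; the DMZ interface name tap2, the DMZ subnet 10.1.2.0/24 and the web server's DMZ address 10.1.2.16 are assumptions. The functions only print iptables commands, so the rule set can be reviewed first; it is applied only when the script is run as root with --apply. Calling web_forward_rules with tap1 and 10.1.1.16 instead reproduces the plain DNAT setup of the first answer.

```shell
#!/bin/sh
# Added example: generate the box A rule set for exposing box B's web server.
# Nothing here runs iptables unless the script is invoked with --apply.

# Values from the question.
WAN_IF=eth0
WAN_IP=77.37.194.101
LAN_IF=tap1
LAN_NET=10.1.1.0/24

# Assumed DMZ layout (not in the original question): a second tap for the
# exposed server only, with no host IP on it and no route into the LAN.
DMZ_IF=tap2
DMZ_NET=10.1.2.0/24
WEB_IP=10.1.2.16

# Print the rules that forward TCP/80 arriving on $1 for $2 to host $4 on $3,
# and let that host reach the Internet (for updates) via masquerading.
web_forward_rules() {
    wan_if=$1; wan_ip=$2; srv_if=$3; srv_ip=$4
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport 80 -j DNAT --to-destination %s:80\n' \
        "$wan_if" "$wan_ip" "$srv_ip"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$wan_if" "$srv_if" "$srv_ip"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$srv_if" "$wan_if" "$srv_ip"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
        "$srv_ip" "$wan_if"
}

# Print the rules that isolate the DMZ interface $1 from the LAN interface $2
# (network $3): default-deny forwarding and an explicit DMZ-to-LAN drop.
# Because iptables -A appends in order, these must be emitted before any
# broader ACCEPT rules so the drop is evaluated first.
dmz_isolation_rules() {
    dmz_if=$1; lan_if=$2; lan_net=$3
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -i %s -o %s -j DROP\n' "$dmz_if" "$lan_if"
    printf 'iptables -A FORWARD -i %s -d %s -j DROP\n' "$dmz_if" "$lan_net"
}

# The complete rule set for the assumed topology, in application order.
ruleset() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    dmz_isolation_rules "$DMZ_IF" "$LAN_IF" "$LAN_NET"
    web_forward_rules "$WAN_IF" "$WAN_IP" "$DMZ_IF" "$WEB_IP"
}

# Count how many of the printed rules would let DMZ traffic into the LAN
# (used as a self-check: the answer should be zero).
dmz_to_lan_accepts() {
    ruleset | grep -c -- "-i $DMZ_IF -o $LAN_IF .*-j ACCEPT" || true
}

# Review with ./expose_b.sh ; apply as root with ./expose_b.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ruleset | sh
else
    ruleset
fi
```

Run the script without arguments to read the generated rules; the output of ruleset is exactly what --apply feeds to the shell, so what you review is what gets installed.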