Hi everybody,

I'm starting with nftables, and I want to log SSH inputs, but I have SSH on another port with "prerouting" with this rule:

-----------------------------------------------
table ip my-nat {
    chain PREROUTING {
        type nat hook prerouting priority 0; policy accept;
        iifname "enp1s0" tcp dport 9999 dnat to 192.168.1.3:22
        ...
-----------------------------------------------

If my Input rule is the following...

-----------------------------------------------
table inet my-fw {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        ...
        # Ports permitted with DNAT...
        iifname "enp1s0" tcp dport { 22, 9999 } ct state new log prefix "[NFTABLES] SSH: " accept
        ...
-----------------------------------------------

But this logs any try on port 22 (there are thousands daily), and I want to log only connections to port 9999, because only on this port does it return a login.

If my Input rules are the following...

-----------------------------------------------
...
iifname "enp1s0" tcp dport 9999 ct state new log prefix "[NFTABLES] SSH: " accept
iifname "enp1s0" tcp dport 22 ct state new accept
...
-----------------------------------------------

It logs nothing.

If my Input rules are the reverse...

-----------------------------------------------
...
iifname "enp1s0" tcp dport 9999 ct state new accept
iifname "enp1s0" tcp dport 22 ct state new log prefix "[NFTABLES] SSH: " accept
...
-----------------------------------------------

It logs everything again; it is the same as the initial rule.

Any idea?

Regards,
Alberto
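The behaviour described above follows from hook order: DNAT in the prerouting hook rewrites the destination port before the packet reaches the input hook, so in the input chain the redirected SSH connection already carries dport 22 and a `tcp dport 9999` match can never fire. What the input chain can still see is the pre-NAT tuple recorded by conntrack. The ruleset below is an added example, not Alberto's configuration or anything from the nftables project; it reuses the interface name, address and table names from the post as assumptions and logs only the sessions that arrived through port 9999 by matching `ct original proto-dst`.

```nft
#!/usr/sbin/nft -f
# Added example, not the original poster's ruleset.
# Assumptions taken from the post: WAN interface enp1s0, local sshd on
# 192.168.1.3:22, external SSH port 9999. Adjust for your own host.
flush ruleset

table ip my-nat {
    chain PREROUTING {
        type nat hook prerouting priority 0; policy accept;
        # Rewrite external port 9999 to the local sshd on port 22
        iifname "enp1s0" tcp dport 9999 dnat to 192.168.1.3:22
    }
}

table inet my-fw {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The input hook runs after prerouting DNAT, so the packet now has
        # dport 22, not 9999. The original (pre-NAT) destination port is kept
        # in the conntrack entry, so match it there instead of on the packet.
        iifname "enp1s0" tcp dport 22 ct state new ct original proto-dst 9999 log prefix "[NFTABLES] SSH: " accept

        # Connections that hit port 22 directly (no DNAT) are accepted
        # silently, as in the post. If port 22 is not meant to be reachable
        # from enp1s0 at all, replace "accept" with "drop" here.
        iifname "enp1s0" tcp dport 22 ct state new accept
    }
}
```

Validate the file with `nft -c -f <file>` before loading it with `nft -f <file>`, and watch the kernel log (`dmesg -w` or `journalctl -k -f`) for the `[NFTABLES] SSH:` prefix while opening a test session to port 9999 and another directly to port 22: only the first should produce a log line. `ct status dnat` is a coarser alternative to `ct original proto-dst 9999` that matches any translated connection regardless of which port it came in on.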