[nftables] Log to DNAT rule

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Hi everybody,

I'm starting with nftables, and I want to log SSH inputs, but I have SSH
port in another port with "prerouting" with this rule:

-----------------------------------------------
table ip my-nat {
  chain PREROUTING {
      type nat hook prerouting priority 0; policy accept;
      iifname "enp1s0" tcp dport 9999 dnat to 192.168.1.3:22
      ...
-----------------------------------------------

If my Input rule is the following...

-----------------------------------------------
table inet my-fw {
  chain INPUT {
     type filter hook input priority 0; policy drop;
     ...
     # Ports permit with DNAT...
     iifname "enp1s0" tcp dport { 22, 9999 } ct state new log prefix
"[NFTABLES] SSH: " accept
     ...
-----------------------------------------------

But this log any try to 22 port (there are thousands daily), and I want
log only conections to 9999 port, because only on this port, return login.

If my Inputs rule are the following...

-----------------------------------------------
     ...
     iifname "enp1s0" tcp dport 9999 ct state new log prefix "[NFTABLES]
SSH: " accept
     iifname "enp1s0" tcp dport 22 ct state new accept
     ...
-----------------------------------------------

It log nothing.
If my Inputs rule is the reverse...

-----------------------------------------------
    ...
    iifname "enp1s0" tcp dport 9999 ct state new accept
    iifname "enp1s0" tcp dport 22 ct state new log prefix "[NFTABLES]
SSH: " accept
     ...
-----------------------------------------------

It log everything, another time, is the same as the initial rule.


Any Idea?

Regards,
Alberto




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux