You can try to use "ct status dnat".
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Ct

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx

-----Original Message-----
From: Alberto <alberto@xxxxxxxxxxx>
Sent: Sunday, October 11, 2020 1:43 PM
To: netfilter@xxxxxxxxxxxxxxx
Subject: [nftables] Log to DNAT rule

Hi everybody,

I'm starting with nftables, and I want to log SSH inputs, but I have SSH on another port via "prerouting", with this rule:

-----------------------------------------------
table ip my-nat {
    chain PREROUTING {
        type nat hook prerouting priority 0; policy accept;
        iifname "enp1s0" tcp dport 9999 dnat to 192.168.1.3:22
        ...
-----------------------------------------------

If my Input rule is the following...

-----------------------------------------------
table inet my-fw {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        ...
        # Ports permitted with DNAT...
        iifname "enp1s0" tcp dport { 22, 9999 } ct state new log prefix "[NFTABLES] SSH: " accept
        ...
-----------------------------------------------

But this logs every attempt on port 22 (there are thousands daily), and I want to log only connections to port 9999, because only this port returns a login.

If my Input rules are the following...

-----------------------------------------------
        ...
        iifname "enp1s0" tcp dport 9999 ct state new log prefix "[NFTABLES] SSH: " accept
        iifname "enp1s0" tcp dport 22 ct state new accept
        ...
-----------------------------------------------

It logs nothing.

If my Input rules are the reverse...

-----------------------------------------------
        ...
        iifname "enp1s0" tcp dport 9999 ct state new accept
        iifname "enp1s0" tcp dport 22 ct state new log prefix "[NFTABLES] SSH: " accept
        ...
-----------------------------------------------

It logs everything again; it is the same as the initial rule.

Any idea?

Regards,
Alberto
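The behaviour Alberto describes follows from hook ordering: the nat prerouting hook runs before the filter input hook, so by the time the packet reaches INPUT its destination port has already been rewritten from 9999 to 22. A `tcp dport 9999` match in INPUT can therefore never fire, and `tcp dport 22` matches both the DNAT'd connections and the direct hits. Eliezer's suggestion works because the DNAT rule sets the `dnat` flag on the conntrack entry, which INPUT can test with `ct status dnat` regardless of the rewritten port. The complete ruleset below is an added example written for this page, not code posted by either participant. It assumes, as the original rules do, that enp1s0 is the external interface and that 192.168.1.3 is an address of the firewall itself (so the DNAT'd traffic does reach the input hook; if 192.168.1.3 were another host, the packets would traverse a forward chain instead, where the same `ct status dnat` match applies). The `established,related`, `invalid` and loopback rules are assumed baseline rules standing in for the elided "..." in the original.

```nft
# Added example, not from the original thread.
# Assumptions: enp1s0 is the WAN interface; 192.168.1.3 is this host's own address.
flush ruleset

table ip my-nat {
    chain PREROUTING {
        type nat hook prerouting priority 0; policy accept;
        # Rewrites dport 9999 -> 22 before the filter input hook sees the packet,
        # and marks the conntrack entry with the "dnat" status flag.
        iifname "enp1s0" tcp dport 9999 dnat to 192.168.1.3:22
    }
}

table inet my-fw {
    chain INPUT {
        type filter hook input priority 0; policy drop;

        # Assumed baseline rules (the original shows "..." here).
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # In INPUT the port is already 22, so the pre-NAT port cannot be matched
        # directly. Match the conntrack status flag set by the DNAT rule instead:
        # only connections that arrived on 9999 carry "dnat", so only they are logged.
        iifname "enp1s0" tcp dport 22 ct state new ct status dnat log prefix "[NFTABLES] SSH: " accept

        # Equivalent alternative: match the original (pre-NAT) destination port
        # recorded in the conntrack entry.
        # iifname "enp1s0" ct original proto-dst 9999 ct state new log prefix "[NFTABLES] SSH: " accept

        # Direct connections to port 22 (the noisy ones) are still accepted, but not logged.
        iifname "enp1s0" tcp dport 22 ct state new accept
    }
}
```

Load it with `nft -f <file>` and check the result with `nft list ruleset`; the logged entries appear via the kernel log (for example `journalctl -k` or `dmesg`) with the `[NFTABLES] SSH: ` prefix. Because `ct status dnat` depends on conntrack, a connection that is not tracked (for example one that arrives while conntrack is disabled or whose entry was marked `invalid`) will not match; the `ct state invalid drop` rule above keeps such packets from slipping through to the unlogged port 22 rule.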