Re: [nftables] Log to DNAT rule

Thank you Bazsi,

I understand the concept, but I don't know how to do it.

Can you post a rule example?


Thanks

On 12/10/20 at 7:17, Balazs Scheidler wrote:
> By the time the packet gets to PREROUTING/input the nat transformation
> is already applied, so your ruleset doesn't see the original port.
> 
> You will need to match against its state (as someone mentioned) or mark
> it when doing the dnat decision and check the mark, as it will persist
> across the nat manipulation.
> 
> Bazsi
> 
> On Sun, Oct 11, 2020, 20:02 Alberto <alberto@xxxxxxxxxxx> wrote:
> 
> 
> 
>     Hi everybody,
> 
>     I'm starting with nftables, and I want to log SSH inputs, but I have the SSH
>     port on another port with "prerouting", with this rule:
> 
>     -----------------------------------------------
>     table ip my-nat {
>       chain PREROUTING {
>           type nat hook prerouting priority 0; policy accept;
>           iifname "enp1s0" tcp dport 9999 dnat to 192.168.1.3:22
>           ...
>     -----------------------------------------------
> 
>     If my Input rule is the following...
> 
>     -----------------------------------------------
>     table inet my-fw {
>       chain INPUT {
>          type filter hook input priority 0; policy drop;
>          ...
>          # Ports permitted with DNAT...
>          iifname "enp1s0" tcp dport { 22, 9999 } ct state new log prefix "[NFTABLES] SSH: " accept
>          ...
>     -----------------------------------------------
> 
>     But this logs any attempt on port 22 (there are thousands daily), and I want
>     to log only connections to port 9999, because only on this port does a
>     login return.
> 
>     If my input rules are the following...
> 
>     -----------------------------------------------
>          ...
>          iifname "enp1s0" tcp dport 9999 ct state new log prefix "[NFTABLES]
>     SSH: " accept
>          iifname "enp1s0" tcp dport 22 ct state new accept
>          ...
>     -----------------------------------------------
> 
>     It logs nothing.
>     If my input rules are the reverse...
> 
>     -----------------------------------------------
>         ...
>         iifname "enp1s0" tcp dport 9999 ct state new accept
>         iifname "enp1s0" tcp dport 22 ct state new log prefix "[NFTABLES]
>     SSH: " accept
>          ...
>     -----------------------------------------------
> 
>     It logs everything again; it is the same as the initial rule.
> 
> 
>     Any Idea?
> 
>     Regards,
>     Alberto
> 

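An added ruleset example, not posted by anyone in this thread, showing the two approaches Bazsi names: setting a conntrack mark in the DNAT rule and matching that mark in the input chain, and, as an alternative, matching the pre-NAT destination port that conntrack keeps in the connection's original tuple. It reuses the interface name, ports and table names from the thread; everything else is an assumption: that the DNAT target 192.168.1.3 is this host itself (so the rewritten packets reach its input hook, which the thread does not state), and the mark value 0x29, which is arbitrary.

```nft
# Added example, not posted by anyone in this thread. Assumptions: the DNAT
# target 192.168.1.3 is this host, so the rewritten packets traverse its input
# hook; the mark value 0x29 is arbitrary; interface and ports are the thread's.

table ip my-nat {
    chain PREROUTING {
        # dstnat priority (-100) runs before the filter hooks at priority 0.
        type nat hook prerouting priority -100; policy accept;

        # The nat chain sees only the first packet of a new connection, so the
        # conntrack mark is set once here and stays on the connection; the
        # packet's dport, by contrast, already reads 22 by the time input runs.
        iifname "enp1s0" tcp dport 9999 ct mark set 0x29 dnat to 192.168.1.3:22
    }
}

table inet my-fw {
    chain INPUT {
        type filter hook input priority 0; policy drop;

        ct state established,related accept

        # Option A: the ct mark set in the DNAT rule identifies connections
        # that arrived on 9999, even though dport now reads 22.
        iifname "enp1s0" tcp dport 22 ct state new ct mark 0x29 log prefix "[NFTABLES] SSH: " accept

        # Option B (equivalent, no mark needed): conntrack keeps the pre-NAT
        # tuple in the "original" direction, so the original destination port
        # is still 9999 here.
        # iifname "enp1s0" ct original proto-dst 9999 ct state new log prefix "[NFTABLES] SSH: " accept

        # Direct connections to port 22 are still accepted but not logged.
        iifname "enp1s0" tcp dport 22 ct state new accept
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the log entries appear in the kernel log (`journalctl -k` or `dmesg`) with the configured prefix. Either option logs only the connections that entered on 9999; plain port-22 attempts match the final rule and are accepted silently.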

