Alberto <alberto@xxxxxxxxxxx> wrote:
> > I'm starting with nftables, and I want to log SSH inputs, but I have the SSH
> > port on another port with "prerouting" with this rule:
> >
> > -----------------------------------------------
> > table ip my-nat {
> >     chain PREROUTING {
> >         type nat hook prerouting priority 0; policy accept;
> >         iifname "enp1s0" tcp dport 9999 dnat to 192.168.1.3:22
> > ...
> >
> > But this logs any try on port 22 (there are thousands daily), and I want
> > to log only connections to port 9999, because only on this port does a
> > login return.
> >
> > If my input rules are the following...
> >
> > -----------------------------------------------
> > ...
> > iifname "enp1s0" tcp dport 9999 ct state new log prefix "[NFTABLES] SSH: " accept
> > iifname "enp1s0" tcp dport 22 ct state new accept
> > ...
> > -----------------------------------------------
> >
> > It logs nothing.

iifname "enp1s0" meta l4proto tcp ct state new ct original proto-dst 9999 log prefix "[NFTABLES] SSH: " accept
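The reason the original input rule never matches: the DNAT in the prerouting hook rewrites the destination port to 22 before the packet reaches the input hook, so `tcp dport 9999` sees nothing, while conntrack still remembers the original tuple, which is what `ct original proto-dst 9999` tests. The ruleset below is an added example, not code from the thread; it puts the reply's rule into a complete ruleset. The interface `enp1s0`, port 9999 and `192.168.1.3:22` are taken from the original mail; the table and chain names, the `limit rate` and the assumption that 192.168.1.3 is an address of the firewall host itself (so the traffic hits `input` rather than `forward`) are mine.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Assumes 192.168.1.3 is a
# local address of this host; if it is a different machine, the same log
# rule belongs in a chain hooked on forward instead of input.
flush ruleset

table ip my-nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Rewrite public port 9999 to the SSH daemon on 192.168.1.3:22.
        # From here on the packet carries dport 22, so a later
        # "tcp dport 9999" match in input can never succeed.
        iifname "enp1s0" tcp dport 9999 dnat to 192.168.1.3:22
    }
}

table ip my-filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Conntrack keeps the pre-DNAT tuple, so match the original
        # destination port. The limit keeps a scan of port 9999 from
        # flooding the kernel log; counts are visible with "nft list ruleset".
        iifname "enp1s0" meta l4proto tcp ct state new ct original proto-dst 9999 limit rate 10/minute counter log prefix "[NFTABLES] SSH: " accept

        # DNAT'd connections were already accepted above, so this rule now
        # covers only direct attempts on port 22 (the thousands per day),
        # which are accepted as in the original mail but no longer logged.
        iifname "enp1s0" tcp dport 22 ct state new counter accept
    }
}
```

Load it with `nft -f <file>` and watch the log prefix with `journalctl -k -f` (or `dmesg -w`); a connection to port 9999 produces one `[NFTABLES] SSH:` line, a connection straight to port 22 produces none, and the `counter` on each rule shows how many packets took which path.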