From: "Eliezer Croitor" <ngtech1ltd@gmail.com>
To: netfilter@vger.kernel.org
Subject: RE: [nftables] Log to DNAT rule
Date: Sun, 11 Oct 2020 21:31:33 +0300
Message-ID: <002501d69ffc$bfe94880$3fbbd980$@gmail.com>
In-Reply-To: <1b8888e3-f368-73d0-c8cc-b4e04ff4901a@bersol.info>
You can try to use "ct status dnat":
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Ct
----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@gmail.com
-----Original Message-----
From: Alberto <alberto@bersol.info>
Sent: Sunday, October 11, 2020 1:43 PM
To: netfilter@vger.kernel.org
Subject: [nftables] Log to DNAT rule
Hi everybody,
I'm starting with nftables, and I want to log SSH inputs, but I have the SSH
port on another port via "prerouting" with this rule:
-----------------------------------------------
table ip my-nat {
    chain PREROUTING {
        type nat hook prerouting priority 0; policy accept;
        iifname "enp1s0" tcp dport 9999 dnat to 192.168.1.3:22
        ...
-----------------------------------------------
If my input rule is the following...
-----------------------------------------------
table inet my-fw {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        ...
        # Ports permitted with DNAT...
        iifname "enp1s0" tcp dport { 22, 9999 } ct state new log prefix "[NFTABLES] SSH: " accept
        ...
-----------------------------------------------
But this logs any attempt on port 22 (there are thousands daily), and I want
to log only connections to port 9999, because only this port returns a login.
If my input rules are the following...
-----------------------------------------------
        ...
        iifname "enp1s0" tcp dport 9999 ct state new log prefix "[NFTABLES] SSH: " accept
        iifname "enp1s0" tcp dport 22 ct state new accept
        ...
-----------------------------------------------
It logs nothing.
If my input rules are reversed...
-----------------------------------------------
        ...
        iifname "enp1s0" tcp dport 9999 ct state new accept
        iifname "enp1s0" tcp dport 22 ct state new log prefix "[NFTABLES] SSH: " accept
        ...
-----------------------------------------------
It logs everything again; it is the same as the initial rule.
Any idea?
Regards,
Alberto
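The following ruleset is an added example that is not from either message in the thread; it shows how the "ct status dnat" match suggested above separates SSH connections that arrived on port 9999 (and were DNATed in prerouting) from direct attempts on port 22. It assumes, as in Alberto's ruleset, that enp1s0 is the external interface and 192.168.1.3 is an address of this host.

```nft
# Added example ruleset (not the thread's own configuration).
# Assumption: enp1s0 is the external interface and 192.168.1.3 is a
# local address, so the DNATed connection is handled by the input hook.
table ip my-nat {
    chain PREROUTING {
        type nat hook prerouting priority 0; policy accept;
        # The nat prerouting hook runs before the filter input hook, so
        # by the time a packet reaches chain INPUT its destination port
        # has already been rewritten to 22. That is why a "dport 9999"
        # rule in INPUT never matches and a "dport 22" rule matches both.
        iifname "enp1s0" tcp dport 9999 dnat to 192.168.1.3:22
    }
}

table inet my-fw {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Connections rewritten by the DNAT rule carry the "dnat"
        # conntrack status, so this matches only what came in on :9999.
        # The status is set on the first packet, so "ct state new" is fine.
        iifname "enp1s0" tcp dport 22 ct state new ct status dnat log prefix "[NFTABLES] SSH: " accept

        # Direct attempts on :22 have no dnat status: accept silently,
        # or replace "accept" with "drop" if the direct port should not
        # be reachable from outside at all.
        iifname "enp1s0" tcp dport 22 ct state new accept
    }
}
```

Check the file with `nft -c -f ruleset.nft` before loading it with `nft -f`, then watch the kernel log (for example `journalctl -k -f`) for the "[NFTABLES] SSH:" prefix while connecting to port 9999 and to port 22.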