* [nftables] Log to DNAT rule

From: Alberto @ 2020-10-11 10:43 UTC
To: netfilter@vger.kernel.org

Hi everybody,

I'm starting with nftables, and I want to log SSH inputs, but I have the SSH port on another port with "prerouting" with this rule:

-----------------------------------------------
table ip my-nat {
    chain PREROUTING {
        type nat hook prerouting priority 0; policy accept;
        iifname "enp1s0" tcp dport 9999 dnat to 192.168.1.3:22
        ...
-----------------------------------------------

If my Input rule is the following...

-----------------------------------------------
table inet my-fw {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        ...
        # Ports permitted with DNAT...
        iifname "enp1s0" tcp dport { 22, 9999 } ct state new log prefix "[NFTABLES] SSH: " accept
        ...
-----------------------------------------------

But this logs any try to port 22 (there are thousands daily), and I want to log only connections to port 9999, because only this port returns a login.

If my Input rules are the following...

-----------------------------------------------
...
iifname "enp1s0" tcp dport 9999 ct state new log prefix "[NFTABLES] SSH: " accept
iifname "enp1s0" tcp dport 22 ct state new accept
...
-----------------------------------------------

It logs nothing.

If my Input rules are the reverse...

-----------------------------------------------
...
iifname "enp1s0" tcp dport 9999 ct state new accept
iifname "enp1s0" tcp dport 22 ct state new log prefix "[NFTABLES] SSH: " accept
...
-----------------------------------------------

It logs everything, again; it is the same as the initial rule.

Any idea?

Regards,
Alberto
* RE: [nftables] Log to DNAT rule

From: Eliezer Croitor @ 2020-10-11 18:31 UTC
To: netfilter

You can try to use the "ct status dnat".
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Ct

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@gmail.com

-----Original Message-----
From: Alberto <alberto@bersol.info>
Sent: Sunday, October 11, 2020 1:43 PM
To: netfilter@vger.kernel.org
Subject: [nftables] Log to DNAT rule

Hi everybody,

I'm starting with nftables, and I want to log SSH inputs, but I have the SSH port on another port with "prerouting" with this rule:

-----------------------------------------------
table ip my-nat {
    chain PREROUTING {
        type nat hook prerouting priority 0; policy accept;
        iifname "enp1s0" tcp dport 9999 dnat to 192.168.1.3:22
        ...
-----------------------------------------------

If my Input rule is the following...

-----------------------------------------------
table inet my-fw {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        ...
        # Ports permitted with DNAT...
        iifname "enp1s0" tcp dport { 22, 9999 } ct state new log prefix "[NFTABLES] SSH: " accept
        ...
-----------------------------------------------

But this logs any try to port 22 (there are thousands daily), and I want to log only connections to port 9999, because only this port returns a login.

If my Input rules are the following...

-----------------------------------------------
...
iifname "enp1s0" tcp dport 9999 ct state new log prefix "[NFTABLES] SSH: " accept
iifname "enp1s0" tcp dport 22 ct state new accept
...
-----------------------------------------------

It logs nothing.

If my Input rules are the reverse...

-----------------------------------------------
...
iifname "enp1s0" tcp dport 9999 ct state new accept
iifname "enp1s0" tcp dport 22 ct state new log prefix "[NFTABLES] SSH: " accept
...
-----------------------------------------------

It logs everything, again; it is the same as the initial rule.

Any idea?

Regards,
Alberto
[parent not found: <CAKcfE+aM_r4J9t=8GnjhXbZfBeDj7B2_66O_CYeY94NpvWcxOw@mail.gmail.com>]
* Re: [nftables] Log to DNAT rule

From: Alberto @ 2020-10-12 10:31 UTC
To: netfilter

Thank you Bazsi, I understand the concept, but I don't know how to do it.

Can you post a rule example?

Thanks

On 12/10/20 at 7:17, Balazs Scheidler wrote:
> By the time the packet gets to PREROUTING/input the nat transformation
> is already applied, so your ruleset doesn't see the original port.
>
> You will need to match against its state (as someone mentioned) or mark
> it when doing the dnat decision and check the mark as it will persist
> across the nat manipulation.
>
> Bazsi
>
> On Sun, Oct 11, 2020, 20:02 Alberto <alberto@bersol.info> wrote:
>
>     Hi everybody,
>
>     I'm starting with nftables, and I want to log SSH inputs, but I have the SSH
>     port on another port with "prerouting" with this rule:
>
>     -----------------------------------------------
>     table ip my-nat {
>         chain PREROUTING {
>             type nat hook prerouting priority 0; policy accept;
>             iifname "enp1s0" tcp dport 9999 dnat to 192.168.1.3:22
>             ...
>     -----------------------------------------------
>
>     If my Input rule is the following...
>
>     -----------------------------------------------
>     table inet my-fw {
>         chain INPUT {
>             type filter hook input priority 0; policy drop;
>             ...
>             # Ports permitted with DNAT...
>             iifname "enp1s0" tcp dport { 22, 9999 } ct state new log prefix "[NFTABLES] SSH: " accept
>             ...
>     -----------------------------------------------
>
>     But this logs any try to port 22 (there are thousands daily), and I want
>     to log only connections to port 9999, because only this port returns a
>     login.
>
>     If my Input rules are the following...
>
>     -----------------------------------------------
>     ...
>     iifname "enp1s0" tcp dport 9999 ct state new log prefix "[NFTABLES] SSH: " accept
>     iifname "enp1s0" tcp dport 22 ct state new accept
>     ...
>     -----------------------------------------------
>
>     It logs nothing.
>     If my Input rules are the reverse...
>
>     -----------------------------------------------
>     ...
>     iifname "enp1s0" tcp dport 9999 ct state new accept
>     iifname "enp1s0" tcp dport 22 ct state new log prefix "[NFTABLES] SSH: " accept
>     ...
>     -----------------------------------------------
>
>     It logs everything, again; it is the same as the initial rule.
>
>
>     Any idea?
>
>     Regards,
>     Alberto
* Re: [nftables] Log to DNAT rule

From: Florian Westphal @ 2020-10-12 11:08 UTC
To: Alberto; +Cc: netfilter

Alberto <alberto@bersol.info> wrote:
> > I'm starting with nftables, and I want to log SSH inputs, but I have the SSH
> > port on another port with "prerouting" with this rule:
> >
> > -----------------------------------------------
> > table ip my-nat {
> >     chain PREROUTING {
> >         type nat hook prerouting priority 0; policy accept;
> >         iifname "enp1s0" tcp dport 9999 dnat to 192.168.1.3:22
> >         ...
> > But this logs any try to port 22 (there are thousands daily), and I want
> > to log only connections to port 9999, because only this port returns a
> > login.
> >
> > If my Input rules are the following...
> >
> > -----------------------------------------------
> > ...
> > iifname "enp1s0" tcp dport 9999 ct state new log prefix "[NFTABLES] SSH: " accept
> > iifname "enp1s0" tcp dport 22 ct state new accept
> > ...
> > -----------------------------------------------
> >
> > It logs nothing.

iifname "enp1s0" meta l4proto tcp ct state new ct original proto-dst 9999 log prefix "[NFTABLES] SSH: " accept
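Added example (not a ruleset posted by any participant): a complete ruleset that puts Florian's `ct original proto-dst` match into the INPUT chain from the thread, with Bazsi's mark-at-DNAT-time variant and Eliezer's `ct status dnat` variant shown as commented alternatives. Interface name, addresses, ports and chain names are taken from Alberto's messages; the conntrack mark value 0x16 and the generic lo/established/invalid rules (which Alberto elided with "...") are my choices. The reason both of Alberto's two-rule orderings misbehave is the one Bazsi gave: every redirected packet reaches the input hook with destination port 22 already, so a `tcp dport 9999` rule there can never match, and a `tcp dport 22` rule sees the redirected connections and the direct probes alike.

```nft
#!/usr/sbin/nft -f
# Added example for this thread, not a participant's ruleset.
# Interface, addresses, ports and chain names follow Alberto's messages;
# the ct mark value 0x16 is an arbitrary choice.

flush ruleset

table ip my-nat {
    chain PREROUTING {
        type nat hook prerouting priority 0; policy accept;

        # Public port 9999 is redirected to sshd on 192.168.1.3:22.
        # "ct mark set 0x16" is Bazsi's variant: the conntrack entry is
        # tagged while the DNAT decision is made, and the tag survives the
        # port rewrite, so a later hook can recognise the connection.
        iifname "enp1s0" tcp dport 9999 ct mark set 0x16 dnat to 192.168.1.3:22
    }
}

table inet my-fw {
    chain INPUT {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Florian's match. At the input hook the packet's destination port
        # is already 22, so "tcp dport 9999" cannot match here; the conntrack
        # entry still holds the pre-NAT tuple, and "ct original proto-dst"
        # compares against that original destination port.
        iifname "enp1s0" meta l4proto tcp ct state new ct original proto-dst 9999 log prefix "[NFTABLES] SSH: " accept

        # Bazsi's variant: check the mark set in the nat chain above.
        # iifname "enp1s0" ct state new ct mark 0x16 log prefix "[NFTABLES] SSH: " accept

        # Eliezer's variant: match any connection that went through DNAT.
        # This is only as selective as the nat chain; with a single DNAT rule
        # it is equivalent, with several it logs all of them.
        # iifname "enp1s0" ct state new ct status dnat log prefix "[NFTABLES] SSH: " accept

        # Direct probes of the public port 22 never reach the log rule and
        # fall through to the chain policy, so they no longer flood the log.
    }
}
```

Check the file with `nft -c -f` before loading it with `nft -f`. Because the `log` statement runs in the input hook, the kernel log line shows the post-NAT headers (DST=192.168.1.3, DPT=22), so the `[NFTABLES] SSH:` prefix, not the logged port, is what identifies these entries downstream.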