[Firewall] logging with NAT_TCP_FORWARD

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Thu Mar 18 18:08:36 CET 2010

This indeed does not work since the traffic is NAT-ed and never hits the 
INPUT chain. You could use a custom rule to implement it like this:

# PREROUTING lives in the nat (or mangle) table, so -t nat is required
iptables -t nat -A PREROUTING -m state --state NEW -p tcp --dport 5901 \
  -m limit --limit 1/m --limit-burst 1 \
  -j LOG --log-level $LOGLEVEL --log-prefix


Andy Brown wrote:
> Hi All,
> Have had a dig through a couple of times and can't see the immediate 
> answer to this. I'd like each connection made to valid NAT_TCP_FORWARD 
> entries to be logged for auditing purposes.
> I've set up the forwarding in NAT_TCP_FORWARD
> and then put into LOG_TCP_INPUT the ports I'm doing the NAT_TCP_FORWARD 
> for, but it didn't log. Is there a simple way to enable this please?
> LOG_TCP_INPUT="5901"
> Thanks in advance.

Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
Arno's (Linux IPTABLES Firewall) Homepage:

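As an added example (not code from the original post, and not part of Arno's firewall), the script below turns a list of NAT_TCP_FORWARD-style entries into paired rules in the nat PREROUTING chain: a rate-limited LOG rule first, then the DNAT rule, so the original destination port is still visible when the log line is written. It assumes the entry syntax "PORT>HOST" or "PORT>HOST~DPORT" and the hypothetical variables EXT_IF, LOGLEVEL, LOG_LIMIT and IPTABLES; with IPTABLES left at its default of "echo" it only prints the rules it would add.

```shell
#!/bin/sh
# Added example, not code from the original post or from Arno's firewall:
# for each NAT_TCP_FORWARD entry, emit a LOG rule in the nat PREROUTING
# chain *ahead of* the DNAT rule, so the original destination port is
# still visible when the log line is written.  DNAT-ed traffic goes
# PREROUTING -> FORWARD and never reaches INPUT, which is why a
# LOG_TCP_INPUT entry cannot see it.
#
# Assumptions (not taken from the page): entries are "PORT>HOST" or
# "PORT>HOST~DPORT"; EXT_IF, LOGLEVEL, LOG_LIMIT and IPTABLES are
# hypothetical variables.  IPTABLES defaults to "echo", so running this
# file only prints the rules; set IPTABLES=iptables (as root) to apply.

EXT_IF="${EXT_IF:-eth0}"
LOGLEVEL="${LOGLEVEL:-info}"
LOG_LIMIT="${LOG_LIMIT:-10/m}"   # 1/m would hide connections from an audit trail
IPTABLES="${IPTABLES:-echo}"

# parse_forward ENTRY -> prints "PORT HOST DPORT"; returns 1 on a malformed entry.
parse_forward() {
    entry="$1"
    case "$entry" in
        *">"*) ;;
        *) echo "parse_forward: no '>' in '$entry'" >&2; return 1 ;;
    esac
    port="${entry%%>*}"
    target="${entry#*>}"
    host="${target%%"~"*}"
    case "$target" in
        *"~"*) dport="${target#*"~"}" ;;
        *)     dport="$port" ;;
    esac
    for p in "$port" "$dport"; do
        case "$p" in
            ''|*[!0-9]*) echo "parse_forward: bad port '$p' in '$entry'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
            echo "parse_forward: port out of range in '$entry'" >&2; return 1; }
    done
    [ -n "$host" ] || { echo "parse_forward: empty host in '$entry'" >&2; return 1; }
    printf '%s %s %s\n' "$port" "$host" "$dport"
}

# apply_forward ENTRY -> adds the LOG rule, then the DNAT rule, via $IPTABLES.
apply_forward() {
    fields=$(parse_forward "$1") || return 1
    set -- $fields
    port="$1"; host="$2"; dport="$3"
    # The kernel truncates --log-prefix at 29 characters; keep it short.
    "$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$port" \
        -m state --state NEW -m limit --limit "$LOG_LIMIT" --limit-burst 5 \
        -j LOG --log-level "$LOGLEVEL" --log-prefix "NAT_FWD $port: "
    "$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$host:$dport"
}

# Constructed sample input in the assumed syntax: VNC 5901 remapped to 5900
# on one host, plain HTTP forwarded unchanged to another.
NAT_TCP_FORWARD="${NAT_TCP_FORWARD:-5901>192.168.1.10~5900 80>192.168.1.20}"
for entry in $NAT_TCP_FORWARD; do
    apply_forward "$entry" || echo "skipping '$entry'" >&2
done
```

Note the ordering: the LOG rule must be appended before the DNAT rule in the same nat PREROUTING chain, because once the DNAT target has rewritten the destination the original port is gone. The limit is kept deliberately generous; the 1/m in the reply above suppresses every connection after the first in each minute, which is fine for noise control but not for an audit trail.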