[Firewall] logging with NAT_TCP_FORWARD

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Tue Mar 23 16:46:37 CET 2010

Maybe this works better, not sure:

iptables -t nat -A PREROUTING -m state --state NEW -p tcp --dport 5901 \
  -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL \
  --log-prefix "PREROUTING_LOG: "

You have added it to custom-rules and enabled it in firewall.conf, right?


Andy Brown wrote:
> Thanks for the code snippet, I've added that into the custom-rules but 
> it still doesn't seem to log.
> Is there a way I can check the rule is there correctly, or any other way 
> of checking why it might not be working?
> Thanks!
> Andy
> Arno van Amersfoort wrote:
>> This indeed does not work since the traffic is NAT-ed and never hits 
>> the INPUT chain. You could use a custom rule to implement it like this:
>> iptables -A PREROUTING -m state --state NEW -p tcp --dport 5901 -m 
>> limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL 
>> --log-prefix "PREROUTING_LOG: "
>> a.
>> Andy Brown wrote:
>>> Hi All,
>>> Have had a dig through a couple of times and can't see the immediate 
>>> answer to this. I'd like each connection made to valid 
>>> NAT_TCP_FORWARD entries to be logged for auditing purposes.
>>> I've set up the forwarding in NAT_TCP_FORWARD
>>> and then put into LOG_TCP_INPUT the ports I'm doing the 
>>> NAT_TCP_FORWARD but it didn't log. Is there a simple way to enable 
>>> this please?
>>> NAT_TCP_FORWARD="5901>"
>>> LOG_TCP_INPUT="5901"
>>> Thanks in advance.

Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
Arno's (Linux IPTABLES Firewall) Homepage:
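The exchange above comes down to two things: DNAT-forwarded connections are rewritten in the nat table's PREROUTING chain and then pass through FORWARD, so a LOG rule in INPUT (which is where LOG_TCP_INPUT lands) never sees them, and the only way to know whether the custom rule actually loaded is to look at the nat table. The script below is an added example written for this thread; it is not code from the thread or from Arno's firewall. It assumes port 5901 and the "PREROUTING_LOG: " prefix from the messages, a LOGLEVEL value of your choosing, and the function names are mine. The embedded iptables-save dump is constructed for offline testing and only approximates what the real firewall generates.

```shell
#!/bin/sh
# Added example for the thread above; not part of the firewall's own code.

# Build the LOG rule for the nat table's PREROUTING chain. The nat table is
# consulted only for the first packet of a connection, so this yields one log
# line per new connection to the forwarded port; the limit match keeps a scan
# from flooding the log. Prints the command instead of running it so it can
# be reviewed before being added to custom-rules.
nat_log_rule() {
    port=$1
    loglevel=${2:-info}   # assumed default; use the firewall's $LOGLEVEL
    printf '%s' "iptables -t nat -A PREROUTING -p tcp --dport $port \
-m state --state NEW -m limit --limit 1/m --limit-burst 1 \
-j LOG --log-level $loglevel --log-prefix \"PREROUTING_LOG: \""
}

# Check whether such a rule is loaded. Reads "iptables-save -t nat" output
# from stdin, so it also works on a dump saved from another machine.
# Option order in iptables-save output differs from what was typed, so each
# fragment is matched on its own. Returns 0 when the rule is present.
rule_present() {
    port=$1
    grep -- '^-A PREROUTING ' \
        | grep -- "--dport $port " \
        | grep -- '-j LOG ' \
        | grep -q -- '--log-prefix "PREROUTING_LOG: "'
}

# Constructed sample of "iptables-save -t nat" output (not real output from
# Arno's firewall): the LOG rule followed by the DNAT that a
# NAT_TCP_FORWARD="5901>" entry is meant to produce, with a placeholder
# internal host.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 5901 -m state --state NEW -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "PREROUTING_LOG: " --log-level 6
-A PREROUTING -p tcp -m tcp --dport 5901 -j DNAT --to-destination 192.0.2.10:5901
COMMIT'

# Live check on a running firewall (needs root): is the rule there, and are
# its packet counters moving? A zero counter with connections known to be
# arriving means the traffic is not reaching this rule at all.
live_check() {
    port=$1
    if iptables-save -t nat 2>/dev/null | rule_present "$port"; then
        echo "LOG rule for port $port is loaded in nat/PREROUTING"
    else
        echo "no LOG rule for port $port in nat/PREROUTING" >&2
        return 1
    fi
    iptables -t nat -L PREROUTING -v -n --line-numbers
}

case "${1:-}" in
    --rule)  nat_log_rule "${2:-5901}" "${3:-info}"; echo ;;
    --check) live_check "${2:-5901}" ;;
esac
```

Run it as `sh nat-log-check.sh --rule 5901 "$LOGLEVEL"` to print the rule for custom-rules, and `sh nat-log-check.sh --check 5901` as root after the firewall has been restarted. Once the rule is loaded and its counters increase, the log lines themselves show up wherever LOG output goes on the box (`dmesg` or the kernel facility in syslog), filtered on the PREROUTING_LOG: prefix.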
