Destination NAT rules must be placed in a nat chain that is hooked at prerouting so the kernel can translate the destination address before routing. The correct syntax begins with nft add rule, specifies the ip family, the nat table, the prerouting chain, then matches packets arriving on eth0 with TCP destination port 443 and applies dnat to the internal host and port.
The other choices fail for different reasons:
A rule in postrouting executes after routing decisions and is suited for SNAT or masquerade, not DNAT.
Using snat changes the source address, not the destination, so it would not forward traffic to the backend server.
A rule in the filter table with redirect would only forward traffic to a local port on the firewall and never reach 192.168.1.20.
Therefore, the first command is the only one that duplicates the original iptables DNAT behavior.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is DNAT in nftables?
Open an interactive chat with Bash
Why is prerouting used for DNAT in nftables?
Open an interactive chat with Bash
How does nftables differ from iptables when configuring DNAT?
Open an interactive chat with Bash
CompTIA Linux+ XK0-006 (V8)
Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access