root@router-hostname:~# iptables-save -c | grep DNAT
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d IPv4-dest/32 -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: Server SSH (reflection)" -j DNAT --to-destination 192.168.1.103:22
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d IPv4-dest/32 -p udp -m udp --dport 2222 -m comment --comment "!fw3: Server SSH (reflection)" -j DNAT --to-destination 192.168.1.103:22
[43:1944] -A zone_wan_prerouting -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: Server SSH" -j DNAT --to-destination 192.168.1.103:22
[1:52] -A zone_wan_prerouting -p udp -m udp --dport 2222 -m comment --comment "!fw3: Server SSH" -j DNAT --to-destination 192.168.1.103:22
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[83:4699] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
root@router-hostname:~#
root@router-hostname:~# tcpdump -i any -evn host 192.168.1.103 or tcp port 2222
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
15:17:22.424774 In 00:08:ae:92:22:00 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 48, id 49126, offset 0, flags [DF], proto TCP (6), length 60)
IPv4-source.25332 > IPv4-dest.2222: Flags [S], cksum 0xf5a3 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344633665 ecr 0,nop,wscale 7], length 0
15:17:22.425002 Out 00:23:69:a3:a8:0f ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 47, id 49126, offset 0, flags [DF], proto TCP (6), length 60)
IPv4-source.25332 > 192.168.1.103.22: Flags [S], cksum 0xcc60 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344633665 ecr 0,nop,wscale 7], length 0
15:17:22.425040 Out 00:23:69:a3:a8:0f ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 47, id 49126, offset 0, flags [DF], proto TCP (6), length 60)
IPv4-source.25332 > 192.168.1.103.22: Flags [S], cksum 0xcc60 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344633665 ecr 0,nop,wscale 7], length 0
15:17:23.453960 In 00:08:ae:92:22:00 ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 48, id 49127, offset 0, flags [DF], proto TCP (6), length 60)
IPv4-source.25332 > IPv4-dest.2222: Flags [S], cksum 0xf1a4 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344634688 ecr 0,nop,wscale 7], length 0
15:17:23.454144 Out 00:23:69:a3:a8:0f ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 47, id 49127, offset 0, flags [DF], proto TCP (6), length 60)
IPv4-source.25332 > 192.168.1.103.22: Flags [S], cksum 0xc861 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344634688 ecr 0,nop,wscale 7], length 0
15:17:23.454180 Out 00:23:69:a3:a8:0f ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 47, id 49127, offset 0, flags [DF], proto TCP (6), length 60)
IPv4-source.25332 > 192.168.1.103.22: Flags [S], cksum 0xc861 (correct), seq 1723505095, win 64240, options [mss 1400,sackOK,TS val 3344634688 ecr 0,nop,wscale 7], length 0
15:17:24.408500 B 00:18:dd:22:06:12 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.103 (ff:ff:ff:ff:ff:ff) tell 192.168.1.250, length 46
15:17:24.408574 Out 00:18:dd:22:06:12 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.103 (ff:ff:ff:ff:ff:ff) tell 192.168.1.250, length 46
15:17:24.408500 B 00:18:dd:22:06:12 ethertype ARP (0x0806), length 62: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.103 (ff:ff:ff:ff:ff:ff) tell 192.168.1.250, length 46
^C
15 packets captured
15 packets received by filter
0 packets dropped by kernel
root@router-hostname:~#
Doing the period there's no entries on 192.168.1.103 running "journalctl -u sshd -b" nor does "/var/log/auth.log" exist.