Recently I had to Log nated traffic in PREROUTING chain on CentOS7 , is still impossible in firewalld !!!! :-(

So I switched back to iptables firewall, which is still possible in CentOS7, I hope RHEL8 will have a better firewalling solution.
The idea of firewalld is ok, but firewalld brings more limitations than features.

How to switch back to iptables:

yum remove firewalld
yum install iptables-services iptables
systemctl enable iptables
systemctl restart iptables

And finally here is the way to log the chains you need:

vi /etc/sysconfig/iptables
*nat
-A PREROUTING -m limit --limit 1/sec --limit-burst 7 -j LOG --log-prefix "[IPTABLES PREROUTING "
# do not nat apache traffic
-A PREROUTING -s 10.8.0.0/16  -d 10.0.40.10/32 -p tcp -m tcp --dport 80  -j DNAT --to-destination 10.0.40.10:80
-A PREROUTING -s 10.8.0.0/16 -p tcp -m tcp --dport 21  -j DNAT --to-destination 10.0.40.10:3128
-A PREROUTING -s 10.8.0.0/16 -p tcp -m tcp --dport 80  -j DNAT --to-destination 10.0.40.10:3128
-A PREROUTING -s 10.8.0.0/16 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.40.10:3129
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT  -m limit --limit 1/s --limit-burst 7   -j LOG --log-prefix "[IPTABLES INPUT "
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#http transparent
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
#https transparent
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3129 -j ACCEPT
#classic proxy
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m limit --limit 1/sec --limit-burst 7 -j LOG --log-prefix "[IPTABLES FORWARD "
-A FORWARD -j REJECT --reject-with icmp-host-prohibited