
I've been playing with nftables recently and set up logging every incoming TCP SYN packet to my local machine. I noticed every minute I get a couple of random connection attempts on various ports (mainly 22, 23, 31725).

I have a very standard setup, i.e. a laptop connected to a router from an ISP, which of course does NAT. My nftables ruleset:

table inet filter {
    chain input {
        # ingress hook on the wireless interface; nothing is filtered (policy accept),
        # the chain only logs
        type filter hook ingress device "wlp3s0" priority filter; policy accept;
        # log every TCP segment with the SYN bit set, including the sending socket's uid
        tcp flags syn log flags skuid
    }
}

In syslog I get a lot of logs similar to this:

IN=wlp3s0 OUT= MAC=... SRC=183.XXX.XXX.XXX DST=192.168.0.101 LEN=44 TOS=0x08 PREC=0x20 TTL=46 ID=2096 PROTO=TCP SPT=24040 DPT=37215 WINDOW=32161 RES=0x00 SYN URGP=0 

I presume these attempts are bots scanning all IPs, so they also try to connect to my router's IP on port 31725. My machine is behind NAT, so I'm wondering how that is even possible. Why doesn't my router drop this packet, but sends it to my machine instead? What could be the possible reasons for that?

1 Answer

The most likely case is that the router has been manually configured to DNAT everything to your internal address. It could be either a broad port-forwarding rule (e.g. one that matches ports 1-65535), or it could be a "DMZ" setting on the router (which is just a "fallback" rule that DNATs everything to the same host).

  • Thanks, something similar was actually the case. However, I got the same problem on my university's network, but it turned out that eduroam networks assign public addresses (at least at my university). Commented Jun 12, 2023 at 8:47
  • Eduroam only centralizes authentication; it doesn't provide any addressing or network access – that's still done individually by each organization that provides the Eduroam SSID. Commented Jun 12, 2023 at 9:03
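The two rulesets below are an added example, not part of the question or the answer. The first shows, as nftables rules on an assumed Linux router (a consumer router's "DMZ host" setting produces the same effect from its web UI), the catch-all DNAT the answer describes next to a narrow port-forward; the second is a host-side input chain that logs only genuinely unsolicited inbound SYNs. The interface name wan0, the forwarded port 22 and the policy choices are assumptions; wlp3s0 and 192.168.0.101 come from the question.

```nft
# --- Router side (assumed Linux router running nftables) -------------------
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Narrow port forward: only the one service that is meant to be reachable
        # from the Internet is rewritten to the internal host.
        iifname "wan0" tcp dport 22 dnat to 192.168.0.101

        # "DMZ host" equivalent: any new inbound connection that matched nothing
        # above is pushed to the same internal host. This is the rule that makes a
        # scanner's SYN for port 31725 or 37215 arrive at the laptop with
        # DST=192.168.0.101. Kept commented out; it exposes every port of the host.
        # iifname "wan0" dnat to 192.168.0.101
    }
}

# --- Host side (the laptop behind the router) -------------------------------
table inet filter {
    chain input {
        # Normal input hook with a default-deny policy, instead of the
        # accept-everything ingress chain used for logging in the question.
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Log unsolicited connection attempts only: the SYN bit set without ACK
        # (a SYN/ACK reply to the laptop's own outgoing connection also has SYN set
        # and would match a bare "tcp flags syn"), and a new conntrack entry.
        # The rate limit keeps a port scan from flooding syslog.
        tcp flags & (syn|ack) == syn ct state new limit rate 10/minute log prefix "unsolicited-syn: " flags skuid

        # Services intentionally reachable from outside (assumed: SSH).
        tcp dport 22 accept
    }
}
```

With the host-side chain loaded, a log line whose DST is the private address and whose DPT is a port nothing listens on can only have come through the router's DNAT: a plain NAT router without a port-forward or DMZ rule has no translation for it and drops the SYN at its WAN side. The host no longer answers such probes either, since the policy is drop, so the logging records the exposure without widening it.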
