I've been playing with nftables recently and set up logging of every incoming TCP SYN packet to my local machine. I noticed that every minute I get a couple of random connection attempts on various ports (mainly 22, 23, 31725).
I have a very standard setup, i.e. a laptop connected to a router from an ISP, which of course does NAT. My nftables ruleset:
table inet filter {
    chain input {
        type filter hook ingress device "wlp3s0" priority filter; policy accept;
        tcp flags syn log flags skuid
    }
}
In syslog I get a lot of logs similar to this:
IN=wlp3s0 OUT= MAC=... SRC=183.XXX.XXX.XXX DST=192.168.0.101 LEN=44 TOS=0x08 PREC=0x20 TTL=46 ID=2096 PROTO=TCP SPT=24040 DPT=37215 WINDOW=32161 RES=0x00 SYN URGP=0
I presume these attempts are from bots scanning all IPs, so they also try to connect to my router's IP on port 31725. My machine is behind NAT, so I'm wondering how that is even possible. Why doesn't my router drop this packet, but sends it to my machine instead? What could be the possible reasons for that?
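Before asking the router why it forwards these packets, it helps to know exactly what the rule above is recording. The log line format in the question is the kernel's standard netfilter log output: space-separated KEY=VALUE tokens, with TCP flags (SYN, ACK, RST, ...) printed as bare words. The following parser, an added example and not code from the question, reads such lines out of syslog, keeps only pure SYNs (a rule written as `tcp flags syn` in nft also matches SYN+ACK replies to the laptop's own outgoing connections, so those are separated out), splits the remainder into LAN sources versus everything else, and tallies destination ports and sources. All sample lines, addresses and the `laptop` host name are constructed; the LAN test uses the RFC 1918 ranges rather than any real site configuration.

```python
"""Summarise netfilter SYN log lines from syslog (added example, not from the post)."""
import ipaddress
from collections import Counter

# Constructed sample lines in the same shape as the one in the question.
# Source addresses are documentation ranges (RFC 5737), not real scanners.
SAMPLE_LOG = """\
Apr  3 10:15:01 laptop kernel: IN=wlp3s0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=198.51.100.7 DST=192.168.0.101 LEN=44 TOS=0x08 PREC=0x20 TTL=46 ID=2096 PROTO=TCP SPT=24040 DPT=37215 WINDOW=32161 RES=0x00 SYN URGP=0
Apr  3 10:15:09 laptop kernel: IN=wlp3s0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=198.51.100.7 DST=192.168.0.101 LEN=44 TOS=0x00 PREC=0x00 TTL=46 ID=2097 PROTO=TCP SPT=24041 DPT=22 WINDOW=32161 RES=0x00 SYN URGP=0
Apr  3 10:15:40 laptop kernel: IN=wlp3s0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=203.0.113.9 DST=192.168.0.101 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  3 10:15:41 laptop kernel: IN=wlp3s0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=203.0.113.9 DST=192.168.0.101 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=51235 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  3 10:16:02 laptop kernel: IN=wlp3s0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.0.1 DST=192.168.0.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=300 PROTO=TCP SPT=443 DPT=40000 WINDOW=65535 RES=0x00 ACK SYN URGP=0
"""

# RFC 1918 ranges used to tell LAN-originated SYNs from everything else.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line: str) -> dict:
    """Split one netfilter log line into KEY=VALUE fields plus bare flag tokens.

    Syslog prefix words (date, host, 'kernel:') have no '=' and land in FLAGS;
    they are harmless because only SYN/ACK are ever looked up there.
    """
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # 'OUT=' yields an empty string, which is expected
        else:
            flags.add(tok)               # TCP flags are printed without '='
    fields["FLAGS"] = frozenset(flags)
    return fields


def is_lan(addr: str) -> bool:
    """True when the address falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(rec: dict) -> str:
    """Label a record: 'external-syn', 'lan-syn', 'syn-ack' or 'other'."""
    if rec.get("PROTO") != "TCP" or "SYN" not in rec["FLAGS"]:
        return "other"
    if "ACK" in rec["FLAGS"]:
        return "syn-ack"                 # reply to a connection this host opened
    return "lan-syn" if is_lan(rec["SRC"]) else "external-syn"


def summarize(log_text: str) -> dict:
    """Count records by kind and tally external SYNs by destination port and source."""
    counts, by_port, by_src = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue                     # not a netfilter log line
        rec = parse_line(line)
        kind = classify(rec)
        counts[kind] += 1
        if kind == "external-syn":
            by_port[int(rec["DPT"])] += 1
            by_src[rec["SRC"]] += 1
    return {"counts": counts, "by_port": by_port, "by_src": by_src}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("by kind:", dict(s["counts"]))
    print("external SYN by destination port:", s["by_port"].most_common())
    print("external SYN by source:", s["by_src"].most_common())
```

Run it against real data with something like `journalctl -k | python3 synlog.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. If the `syn-ack` bucket is large, the rule is logging the laptop's own outbound handshakes; `tcp flags & (syn|ack) == syn` in the nft rule restricts logging to the initial SYN only. The `by_src` tally is what tells you whether the hits are a handful of scanners sweeping ports or many distinct sources, which is the first thing to establish before investigating why the router forwards them.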