Nftables
parent
537b745776
commit
9dca42d692
@ -667,3 +667,83 @@ atd 834 daemon 3uW REG 0,25 4 1442 /run/atd.pid
So far nothing sus. But just in case lets disable it.

- `systemctl disable --now atd`


### NFTTABLES

```bash
oot@ls-2024-9:/var/spool# sudo nft list ruleset
table ip nat {
chain CNI-5f87a854e5a6d82df88e3543 {
ip daddr 10.88.0.0/16 counter packets 0 bytes 0 accept
ip daddr != 224.0.0.0/4 counter packets 0 bytes 0 masquerade
}

chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 1120 bytes 83208 jump CNI-HOSTPORT-MASQ
ip saddr 10.88.0.2 counter packets 0 bytes 0 jump CNI-5f87a854e5a6d82df88e3543
}

chain CNI-HOSTPORT-SETMARK {
counter packets 16 bytes 960 meta mark set mark or 0x2000
}

chain CNI-HOSTPORT-MASQ {
mark and 0x2000 == 0x2000 counter packets 16 bytes 960 masquerade
}

chain CNI-HOSTPORT-DNAT {
meta l4proto tcp tcp dport 8018 counter packets 16 bytes 960 jump CNI-DN-5f87a854e5a6d82df88e3
}

chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 2671 bytes 127511 jump CNI-HOSTPORT-DNAT
}

chain OUTPUT {
type nat hook output priority -100; policy accept;
fib daddr type local counter packets 189 bytes 14877 jump CNI-HOSTPORT-DNAT
}

chain CNI-DN-5f87a854e5a6d82df88e3 {
meta l4proto tcp ip saddr 10.88.0.0/16 tcp dport 8018 counter packets 0 bytes 0 jump CNI-HOSTPORT-SETMARK
meta l4proto tcp ip saddr 127.0.0.1 tcp dport 8018 counter packets 16 bytes 960 jump CNI-HOSTPORT-SETMARK
meta l4proto tcp tcp dport 8018 counter packets 16 bytes 960 dnat to 10.88.0.2:22
}
}
table ip filter {
chain CNI-FORWARD {
counter packets 0 bytes 0 jump CNI-ADMIN
ip daddr 10.88.0.2 ct state related,established counter packets 0 bytes 0 accept
ip saddr 10.88.0.2 counter packets 0 bytes 0 accept
}

chain CNI-ADMIN {
}

chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump CNI-FORWARD
}
}
```

DNAT for Port `8018: The CNI-HOSTPORT-DNAT` chain redirects TCP traffic destined for port 8018 to 10.88.0.2:22.
This is unusual because it's translating incoming traffic on port 8018 to SSH port 22 on an internal IP address.

Firstly lets backup the ruleset.

```bash
sudo nft list ruleset > ~/nftables-backup-$(date +%F).nft
```

But the in the config file, the definition is not present.

```bash
grep -R "meta l4proto tcp ip saddr 10.88.0.0/16 tcp dport 8018 counter packets" /etc
```
Returns empty match.

But iguess this is just for the container to communicate. Nothing to worry about iguess.
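Review bot: the closing conclusion of this hunk ("Nothing to worry about") is not supported by the empty grep over /etc. The CNI-prefixed chains shown (CNI-HOSTPORT-DNAT, CNI-DN-5f87a854e5a6d82df88e3, CNI-ADMIN) are installed at runtime by the container network plugin rather than loaded from a static nftables file, so finding no match in /etc says nothing either way about whether the 8018 to 10.88.0.2:22 mapping is legitimate. The check that belongs in this section is to tie the mapping to a specific container: list the container runtime's published ports, confirm that a container publishing host port 8018 to container port 22 is expected, and confirm that what listens on 22 inside it is a known service. It is also worth recording what the counters already say: the final rule in CNI-DN-5f87a854e5a6d82df88e3 has no source restriction, so via `fib daddr type local` the mapping is reachable on every local address and not only loopback, and the 16 packets that were DNATed all matched the 127.0.0.1 rule, i.e. something on the host itself has already connected through it. Minor: the heading reads NFTTABLES (nftables), and the prompt in the first code block is truncated to `oot@`.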