From 9dca42d6922bd87e522c55f79ace9762fd948c0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C5=A1per=20Spagnolo?=
Date: Fri, 2 Feb 2024 11:52:54 +0100
Subject: [PATCH] Nftables
---
 report/Report.md | 80 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
diff --git a/report/Report.md b/report/Report.md
index f3721b2..b4b9f94 100644
--- a/report/Report.md
+++ b/report/Report.md
@@ -667,3 +667,83 @@ atd 834 daemon 3uW REG 0,25 4 1442 /run/atd.pid
 So far nothing sus. But just in case lets disable it.
 - `systemctl disable --now atd`
+
+
+### NFTTABLES
+
+```bash
+oot@ls-2024-9:/var/spool# sudo nft list ruleset
+table ip nat {
+ chain CNI-5f87a854e5a6d82df88e3543 {
+ ip daddr 10.88.0.0/16 counter packets 0 bytes 0 accept
+ ip daddr != 224.0.0.0/4 counter packets 0 bytes 0 masquerade
+ }
+
+ chain POSTROUTING {
+ type nat hook postrouting priority srcnat; policy accept;
+ counter packets 1120 bytes 83208 jump CNI-HOSTPORT-MASQ
+ ip saddr 10.88.0.2 counter packets 0 bytes 0 jump CNI-5f87a854e5a6d82df88e3543
+ }
+
+ chain CNI-HOSTPORT-SETMARK {
+ counter packets 16 bytes 960 meta mark set mark or 0x2000
+ }
+
+ chain CNI-HOSTPORT-MASQ {
+ mark and 0x2000 == 0x2000 counter packets 16 bytes 960 masquerade
+ }
+
+ chain CNI-HOSTPORT-DNAT {
+ meta l4proto tcp tcp dport 8018 counter packets 16 bytes 960 jump CNI-DN-5f87a854e5a6d82df88e3
+ }
+
+ chain PREROUTING {
+ type nat hook prerouting priority dstnat; policy accept;
+ fib daddr type local counter packets 2671 bytes 127511 jump CNI-HOSTPORT-DNAT
+ }
+
+ chain OUTPUT {
+ type nat hook output priority -100; policy accept;
+ fib daddr type local counter packets 189 bytes 14877 jump CNI-HOSTPORT-DNAT
+ }
+
+ chain CNI-DN-5f87a854e5a6d82df88e3 {
+ meta l4proto tcp ip saddr 10.88.0.0/16 tcp dport 8018 counter packets 0 bytes 0 jump CNI-HOSTPORT-SETMARK
+ meta l4proto tcp ip saddr 127.0.0.1 tcp dport 8018 counter packets 16 bytes 960 jump CNI-HOSTPORT-SETMARK
+ meta l4proto tcp tcp dport 8018 counter packets 16 bytes 960 dnat to 10.88.0.2:22
+ }
+}
+table ip filter {
+ chain CNI-FORWARD {
+ counter packets 0 bytes 0 jump CNI-ADMIN
+ ip daddr 10.88.0.2 ct state related,established counter packets 0 bytes 0 accept
+ ip saddr 10.88.0.2 counter packets 0 bytes 0 accept
+ }
+
+ chain CNI-ADMIN {
+ }
+
+ chain FORWARD {
+ type filter hook forward priority filter; policy accept;
+ counter packets 0 bytes 0 jump CNI-FORWARD
+ }
+}
+```
+
+DNAT for Port `8018: The CNI-HOSTPORT-DNAT` chain redirects TCP traffic destined for port 8018 to 10.88.0.2:22.
+This is unusual because it's translating incoming traffic on port 8018 to SSH port 22 on an internal IP address.
+
+Firstly lets backup the ruleset.
+
+```bash
+sudo nft list ruleset > ~/nftables-backup-$(date +%F).nft
+```
+
+But the in the config file, the definition is not present.
+
+```bash
+grep -R "meta l4proto tcp ip saddr 10.88.0.0/16 tcp dport 8018 counter packets" /etc
+```
+Returns empty match.
+
+But iguess this is just for the container to communicate. Nothing to worry about iguess.
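Review bot: The closing conclusion `But iguess this is just for the container to communicate. Nothing to worry about iguess.` is not supported by the evidence above it: the last rule of chain CNI-DN-5f87a854e5a6d82df88e3 (`meta l4proto tcp tcp dport 8018 ... dnat to 10.88.0.2:22`) carries no source restriction, is reached from PREROUTING for any host-local destination, and its counters (16 packets, matching the 16 that passed through the 127.0.0.1 SETMARK rule) show the port publication has actually been used, so host port 8018 exposes a container's SSH service rather than merely letting the container talk out. The empty grep over /etc is expected rather than reassuring, for two reasons that the report should state: CNI hostport rules are programmed into the kernel at runtime by the container runtime, not from a static nftables file, and the search pattern contains `counter packets`, which is text rendered by `nft list ruleset` and never present in a config file. Before closing this item, the report should record which container owns 10.88.0.2, which unit or process started it, and what listens on its port 22 (the runtime's container listing/inspect output is the natural evidence here), and then state explicitly whether that publication was expected on this host. As a minor point of style, the pasted prompt `oot@ls-2024-9:/var/spool#` looks like a truncated `root@`, and `sudo` is redundant at a root prompt; worth tidying so the transcript reads as verbatim.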