My router is running a mangle rule to see new connection attempts to my router on the input chain.
I am curious why I am seeing so many attempts from different Google IP addresses trying to connect to my router on the input chain with connection states of New?
I can understand this on the forward chain and established/related on the input if I am making requests to Google, but not the new.
It doesn’t make sense to try to understand why The Big Bad World is trying to get into your device.
Your only concern is to make sure they have a real hard time to get in so they give up.
It may not even be actually coming from Google addresses, many ISPs do not care to check the source address their clients send packets “from”, so it is extremely easy to forge a packet from an arbitrary address. But if your equipment responded to these packets, the response would go to that address, so you could involuntarily participate in a (D)DoS attack. I’ve seen that happen, it’s not just a theory.
Or you may be the actual target - someone sends a packet to a Google machine “from” your address and Google “responds” to you.
Or those packets are actually coming from Google but they may be perfectly legitimate, like late responses to e.g. DNS requests that came after the pinhole created by a request from your internal network has timed out. QUIC also uses UDP as transport so even a late QUIC response may cause the same effect.
Or they may even be TCP packets that have arrived after the firewall has forwarded a FIN from the client in your internal network - if loose-tcp-tracking under ip firewall connection tracking is set to yes, which is the default, the firewall doesn’t care about the presence of SYN and the absence of any other TCP flag in the received packet and labels it as new simply because it does not match any existing connection by addresses and ports.
Or the machines on the Google addresses may have been infected and they run the port scanners as @Holvoetn suggests.
In either case, @Holvoetn’s last sentence is what matters.
Just drop all as the last rule, and don't log anything, unless you like useless stress.
Now you may have an insecure setup that is attracting attention, but since you don't provide one, I cannot say for sure.
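The advice in the two replies above (stop loose TCP tracking from labelling stray ACKs as new, accept only established/related and LAN traffic on input, drop the rest silently) put together as an added RouterOS CLI example; it is not from any poster in this thread and assumes an interface list named LAN already exists (as in the default configuration):

```routeros
# Added example, not from the thread. Assumes an interface list "LAN" exists.

# With loose-tcp-tracking=no, a TCP packet that carries no SYN and matches no
# tracked connection is classified as invalid rather than new, so the late
# FIN/ACK stragglers described above no longer show up as "new" on input.
/ip firewall connection tracking
set loose-tcp-tracking=no

/ip firewall filter
# Replies to connections the router itself opened (DNS, NTP, updates).
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
# Packets that do not belong to any tracked connection: drop, no log.
add chain=input connection-state=invalid action=drop \
    comment="drop invalid"
# Management only from the inside.
add chain=input in-interface-list=LAN action=accept \
    comment="accept from LAN"
# Everything else from the big bad world, forged or not, is dropped
# without a response and without a log entry.
add chain=input action=drop comment="drop everything else"
```

Note that responding to or logging the dropped packets is exactly what turns a forged-source packet into a reflection vector, so the last rule uses action=drop rather than reject and has no log=yes.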
Not really - such a packet comes to the WAN IP of the router, and since it does not match the original connection as the latter has timed out in the meantime, it does not get "un-src-nated" in prerouting, so its destination address remains the own one of the router, hence it goes to the input chain after routing.