Hi Daniel,

the port number for outgoing NATted connections is chosen from the ephemeral port number range, which can be read and configured via the /proc/sys/net/ipv4/ip_local_port_range file.

While one probably could use NAT rules to force an outgoing connection to use a particular source port, it would not make sense to do so because that would lead to problems when two hosts on the internal network would try to connect to the same outside service, since the port tuple for both connections would be identical, which means that they would be mapped to the same connection.

I'm guessing that on the system that establishes an outgoing connection, i.e. a SNOM phone, one can choose to use a fixed source port programmatically by setting a port number in the sockaddr_in structure that's passed to the connect() syscall. I'm presuming you'd get an EADDRNOTAVAIL error when that port is already in use. You can probably look this up in Stevens' TCP/IP Illustrated.

HTH,
i.A. Thomas Bätzler
--
BRINGE Informationstechnik GmbH
Zur Seeplatte 12
D-76228 Karlsruhe
Germany
Fon: +49 721 94246-0
Fon: +49 171 5438457
Fax: +49 721 94246-66
Web: http://www.bringe.de/
Managing director: Dipl.-Ing. (FH) Martin Bringe
VAT ID: DE812936645, HRB 108943 Mannheim

-----Original Message-----
From: Daniel <tech@xxxxxxxxxx>
Sent: Wednesday, 18 August 2021 15:54
To: netfilter@xxxxxxxxxxxxxxx
Subject: NAT - how external source port is selected

Hello,

on a NAT firewall server using iptables or nftables, how are the external source ports chosen? I would say the range is 1024-65535, but if for instance I use port 5060 for SIP, this one can not be used as a source port. Is there a table of the ports in use at a given time?

Also, SNOM phones are systematically using port 2048 as the source port of the WAN IP. Is there a mechanism to allow such behavior?

If you know any good documentation about this (without reading source code ;)) it will also be accepted :)

Thanks for your great job
--
Daniel
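The fixed-source-port idea from Thomas's reply, as an added example that is not code from the thread: the local port is pinned by calling bind() on the socket before connect() (the sockaddr handed to connect() names the destination), and the port-tuple collision he describes is reproduced by opening two connections from source port 2048 (the port in Daniel's question) to one loopback listener; the listener and its kernel-chosen port are assumptions made so the code runs offline.

```c
/* Added example (not code from the thread): pin a TCP connection to a fixed
 * local source port by calling bind() before connect(), the sockaddr given
 * to connect() being the destination, and show why two connections to the
 * same peer cannot share one source port. Uses a loopback listener. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

static void loopback(struct sockaddr_in *a, uint16_t port) {
    *a = (struct sockaddr_in){ .sin_family = AF_INET, .sin_port = htons(port) };
    inet_pton(AF_INET, "127.0.0.1", &a->sin_addr);
}

/* Listen on 127.0.0.1 at a kernel-chosen port; returns fd, stores the port. */
static int start_listener(uint16_t *port) {
    struct sockaddr_in a; socklen_t len = sizeof a;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    loopback(&a, 0);
    if (bind(fd, (struct sockaddr *)&a, len) || listen(fd, 4) ||
        getsockname(fd, (struct sockaddr *)&a, &len)) { close(fd); return -1; }
    *port = ntohs(a.sin_port);
    return fd;
}

/* Connect to 127.0.0.1:dst from local port src. Returns the connected fd or
 * -errno: -EADDRINUSE when bind() finds the source port already taken. */
static int connect_from_port(uint16_t src, uint16_t dst) {
    struct sockaddr_in local, remote;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    loopback(&local, src); loopback(&remote, dst);
    if (bind(fd, (struct sockaddr *)&local, sizeof local) < 0 ||
        connect(fd, (struct sockaddr *)&remote, sizeof remote) < 0) {
        int e = errno; close(fd); return -e;
    }
    return fd;
}

/* Two clients from source port 2048 to one listener: the second must fail,
 * since its 4-tuple would equal the first's. Returns the second attempt's -errno. */
static int fixed_port_collision(void) {
    uint16_t port;
    int lfd = start_listener(&port);
    if (lfd < 0) return -1;
    int c1 = connect_from_port(2048, port);
    int c2 = c1 < 0 ? c1 : connect_from_port(2048, port);
    if (c1 >= 0) close(c1); if (c2 >= 0) close(c2); close(lfd);
    return c2;
}
```

The same conflict is what a NAT box would face if it tried to give two internal hosts the same external source port towards one destination, which is why the masquerading code picks a free port from the ephemeral range instead.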