Linux – Force program to use only specific local port

linuxnetworkingport

For example: Firefox uses random local port numbers to connect to websites. (Dozens of different local ports can be used at any given time.) Is it possible to force a program to only use specific local ports ? (Force only the local port, the target port could be any.)

Best Answer

I don't know of any way to do this short of modifying the source code, and even then, Firefox may be calling closed netcode on Windows (ie, it might be using Visual C++ libraries).

I'm confused why you'd want to do this. Most firewalls have different rules for outgoing and incoming connections, and limiting outgoing ports is quite unusual as they're listening only for traffic from a specific TCP session. Destination ports are much more security sensitive as they are open and listening with no established sessions.

Related Solutions

How to force Outlook 2003 / Exchange 2003 to use static RPC ports

Before you go off and do this, you might want to consider using RPC over HTTP (aka "Outlook Anywhere"). This gateways the MSRPC protocol over HTTP (or HTTPS) and might make life easier for you re: forwarding this traffic thru the firewall.

Here's the server-side instructins for statically assigning ports: http://support.microsoft.com/kb/270836

You would be making this change only on the Exchange Server computer(s) that the Outlook clients would be talking to. The change will require a "bounce" of the Exchange services but should not require a reboot of Windows.

Have a look at this article re: RPC over HTTP: http://support.microsoft.com/kb/833401

You'll like RPC of HTTP better, I think, and it's more "supported".

Linux – Using IPTables to forward port for incoming eth1(local) to outgoing ppp0 (vpn) to specific ip address

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.10.1.0/24 \
  --dport 12345 -j DNAT --to-destination 123.123.123.123:12345

Locally generated traffic will never pass through the PREROUTING chain. You can verify this by adding a rule like this:

iptables -t nat -A PREROUTING -j log -m limit --limit 1/s

If you're not familiar with iptables, the above rule means:

Log (at a maximum rate of 1 message/second) any packets traversing the PREROUTING chain.

Watch your log files while you make outbound connections, and you'll see that nothing is passing through this chain. The PREROUTING chain only comes into play for traffic coming into your system from an outside source.

You might think you could do this in the OUTPUT chain:

iptables -t nat -A OUTPUT ... -j DNAT ...

But by the time a packet hits the OUTPUT chain the routing decision has already been made. You can probably get you want by using a REDIRECT rule in the OUTPUT chain and then running a tcp proxy on a local port that redirects connections to your destination. That is, you can add a rule like this:

iptables -t nat -A OUTPUT -p tcp -d 10.10.1.0/24 --dport 12345 \
  -j REDIRECT --to-ports 12345

And then run a tcp proxy locally on port 12345.

Best Answer

Related Solutions

How to force Outlook 2003 / Exchange 2003 to use static RPC ports

Linux – Using IPTables to forward port for incoming eth1(local) to outgoing ppp0 (vpn) to specific ip address

Related Topic