* NAT - how external source port is selected
@ 2021-08-18 13:53 Daniel
  2021-08-18 14:22 ` Reindl Harald
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Daniel @ 2021-08-18 13:53 UTC (permalink / raw)
  To: netfilter

Hello,

how, on a NAT firewall server using iptables or nftables, are the 
external source ports chosen? I would say the range is 1024-65535, but if 
for instance I use port 5060 for SIP this one cannot be used as a source 
port. Is there a table of currently used ports?

Also, SNOM phones are systematically using port 2048 as source port of 
the WAN ip. Is there a mechanism to allow such behavior ?

If you know of any good documentation about this (without reading source 
code ;)) that will also be accepted :)

Thanks for your great job
-- 
Daniel

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: NAT - how external source port is selected
  2021-08-18 13:53 NAT - how external source port is selected Daniel
@ 2021-08-18 14:22 ` Reindl Harald
  2021-08-18 14:50   ` Daniel
  2021-08-18 14:46 ` Florian Westphal
  2021-08-18 14:52 ` AW: " Thomas Bätzler
  2 siblings, 1 reply; 8+ messages in thread
From: Reindl Harald @ 2021-08-18 14:22 UTC (permalink / raw)
  To: Daniel, netfilter



On 18.08.21 at 15:53, Daniel wrote:
> how, on a NAT firewall server using iptables or nftables, are the 
> external source ports chosen?
NAT doesn't choose any ports at all


* Re: NAT - how external source port is selected
  2021-08-18 13:53 NAT - how external source port is selected Daniel
  2021-08-18 14:22 ` Reindl Harald
@ 2021-08-18 14:46 ` Florian Westphal
  2021-08-18 15:12   ` Daniel
  2021-08-18 14:52 ` AW: " Thomas Bätzler
  2 siblings, 1 reply; 8+ messages in thread
From: Florian Westphal @ 2021-08-18 14:46 UTC (permalink / raw)
  To: Daniel; +Cc: netfilter

Daniel <tech@tootai.net> wrote:
> how, on a NAT firewall server using iptables or nftables, are the external
> source ports chosen? I would say the range is 1024-65535, but if for instance I
> use port 5060 for SIP this one cannot be used as a source port. Is there a
> table of currently used ports?

Are you talking about SNAT/MASQUERADE?

It will try to use whatever port is used.  If the source address
replacement results in a collision, it tries to pick a different source
port between 1024 and 65535.

> Also, SNOM phones are systematically using port 2048 as source port of the
> WAN ip. Is there a mechanism to allow such behavior ?

What do you mean? The initiator is free to pick whatever source port they like.


* Re: NAT - how external source port is selected
  2021-08-18 14:22 ` Reindl Harald
@ 2021-08-18 14:50   ` Daniel
  2021-08-18 15:15     ` Reindl Harald
  0 siblings, 1 reply; 8+ messages in thread
From: Daniel @ 2021-08-18 14:50 UTC (permalink / raw)
  To: Reindl Harald, netfilter

How is the magic done, then?

On 18/08/2021 at 16:22, Reindl Harald wrote:
>
>
> On 18.08.21 at 15:53, Daniel wrote:
>> how, on a NAT firewall server using iptables or nftables, are the 
>> external source ports chosen?
> NAT doesn't choose any ports at all

-- 
Daniel Huhardeaux
+33.368460088@tootai.net	      sip:820@sip.tootai.net
+41.445532125@swiss-itech.ch		    tootaiNET


* AW: NAT - how external source port is selected
  2021-08-18 13:53 NAT - how external source port is selected Daniel
  2021-08-18 14:22 ` Reindl Harald
  2021-08-18 14:46 ` Florian Westphal
@ 2021-08-18 14:52 ` Thomas Bätzler
  2 siblings, 0 replies; 8+ messages in thread
From: Thomas Bätzler @ 2021-08-18 14:52 UTC (permalink / raw)
  To: netfilter; +Cc: Daniel


Hi Daniel,

the port number for outgoing NATted connections is chosen from the ephemeral port number range, which can be read and configured via the /proc/sys/net/ipv4/ip_local_port_range file.

While one could probably use NAT rules to force an outgoing connection to use a particular source port, it would not make sense to do so, because that would lead to problems when two hosts on the internal network tried to connect to the same outside service: the port tuple for both connections would be identical, which means that they would be mapped to the same connection.

I'm guessing that on the system that establishes an outgoing connection, i.e. a SNOM phone, one can choose to use a fixed source port programmatically by setting a port number in the sockaddr_in structure that's passed to the connect() syscall. I'm presuming you'd get an EADDRNOTAVAIL error when that port is already in use. You can probably look this up in Stevens' TCP/IP Illustrated.

HTH,
i.A. Thomas Bätzler
-- 
BRINGE Informationstechnik GmbH
Zur Seeplatte 12
D-76228 Karlsruhe
Germany

Fon: +49 721 94246-0
Fon: +49 171 5438457
Fax: +49 721 94246-66
Web: http://www.bringe.de/

Managing Director: Dipl.-Ing. (FH) Martin Bringe
VAT ID: DE812936645, HRB 108943 Mannheim

-----Original Message-----
From: Daniel <tech@tootai.net> 
Sent: Wednesday, 18 August 2021 15:54
To: netfilter@vger.kernel.org
Subject: NAT - how external source port is selected

Hello,

how, on a NAT firewall server using iptables or nftables, are the external source ports chosen? I would say the range is 1024-65535, but if for instance I use port 5060 for SIP this one cannot be used as a source port. Is there a table of currently used ports?

Also, SNOM phones are systematically using port 2048 as source port of the WAN ip. Is there a mechanism to allow such behavior ?

If you know of any good documentation about this (without reading source code ;)) that will also be accepted :)

Thanks for your great job
--
Daniel


* Re: NAT - how external source port is selected
  2021-08-18 14:46 ` Florian Westphal
@ 2021-08-18 15:12   ` Daniel
       [not found]     ` <20210818161622.GS607@breakpoint.cc>
  0 siblings, 1 reply; 8+ messages in thread
From: Daniel @ 2021-08-18 15:12 UTC (permalink / raw)
  Cc: netfilter


On 18/08/2021 at 16:46, Florian Westphal wrote:
> Daniel <tech@tootai.net> wrote:
>> how, on a NAT firewall server using iptables or nftables, are the external
>> source ports chosen? I would say the range is 1024-65535, but if for instance I
>> use port 5060 for SIP this one cannot be used as a source port. Is there a
>> table of currently used ports?
> Are you talking about SNAT/MASQUERADE?
Yes
> It will try to use whatever port is used.  If the source address
> replacement results in a collision, it tries to pick a different source
> port between 1024 and 65535.
OK
>> Also, SNOM phones are systematically using port 2048 as source port of the
>> WAN ip. Is there a mechanism to allow such behavior ?
> What do you mean? The initiator is free to pick whatever source port they like.
Well, how will it know that the port is free?

-- 
Daniel


* Re: NAT - how external source port is selected
  2021-08-18 14:50   ` Daniel
@ 2021-08-18 15:15     ` Reindl Harald
  0 siblings, 0 replies; 8+ messages in thread
From: Reindl Harald @ 2021-08-18 15:15 UTC (permalink / raw)
  To: Daniel, netfilter



On 18.08.21 at 16:50, Daniel wrote:
> How is the magic done, then?

which magic?

a tuple is "src-ip:src-port dst-ip:dst-port" and as long as there is no 
collision it's 1:1; if there is a collision a random port is used - 
that's what conntrack is for

you don't need to care about it on a NAT router

> On 18/08/2021 at 16:22, Reindl Harald wrote:
>>
>>
>> On 18.08.21 at 15:53, Daniel wrote:
>>> how, on a NAT firewall server using iptables or nftables, are the 
>>> external source ports chosen?
>> NAT doesn't choose any ports at all

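The selection rule Florian and Harald describe above (keep the initiator's source port, check the rewritten tuple against the connection tracking table, and only on a collision pick another port from 1024-65535), written out as an added Python model. This is example code, not netfilter code and not from anyone in the thread. The Snat and Tuple4 classes, the function names, the addresses and the port_range parameter are assumptions for the illustration; the kernel's actual search order and per-protocol range rules are not reproduced.

```python
"""Toy model of the SNAT/MASQUERADE port selection described in this thread.

Added example, not code from the netfilter project or from any participant.
It models only what the replies say: keep the original source port; if the
post-NAT tuple (src-ip:src-port -> dst-ip:dst-port) is already in the
conntrack table, pick another port from the fallback range. The real
kernel's search order and range rules are not modelled.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Tuple4:
    """One direction of a flow; the protocol is omitted to keep the model small."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortExhausted(Exception):
    """No free external port left for this destination: the NAT box's failure mode."""


class Snat:
    def __init__(self, external_ip, port_range=(1024, 65535), seed=0):
        self.external_ip = external_ip
        self.lo, self.hi = port_range          # fallback range named in the thread
        self.rng = random.Random(seed)         # deterministic for the demo
        # Conntrack-like table keyed by the post-NAT tuple (what the outside
        # sees). Uniqueness is checked on the whole 4-tuple, so two internal
        # hosts may share an external port as long as the destination differs.
        self.table = {}

    def translate(self, orig: Tuple4) -> Tuple4:
        """Pick the external tuple for a new flow and record it."""
        keep = Tuple4(self.external_ip, orig.src_port, orig.dst_ip, orig.dst_port)
        if keep not in self.table:
            self.table[keep] = orig            # no collision: 1:1, port kept
            return keep
        # Collision: walk the fallback range starting from a random offset.
        span = self.hi - self.lo + 1
        start = self.rng.randrange(span)
        for i in range(span):
            port = self.lo + (start + i) % span
            cand = Tuple4(self.external_ip, port, orig.dst_ip, orig.dst_port)
            if cand not in self.table:
                self.table[cand] = orig
                return cand
        raise PortExhausted(f"no free port towards {orig.dst_ip}:{orig.dst_port}")

    def original_for(self, external: Tuple4):
        """Reverse mapping used for the reply direction (None if unknown)."""
        return self.table.get(external)


def demo():
    """Two SNOM-style phones both sending from UDP 2048 to the same SIP proxy,
    plus a third one talking to a different proxy (constructed addresses)."""
    nat = Snat("203.0.113.1")
    a = nat.translate(Tuple4("192.168.1.10", 2048, "198.51.100.5", 5060))
    b = nat.translate(Tuple4("192.168.1.11", 2048, "198.51.100.5", 5060))
    c = nat.translate(Tuple4("192.168.1.12", 2048, "198.51.100.6", 5060))
    return a, b, c


if __name__ == "__main__":
    for t in demo():
        print(f"{t.src_ip}:{t.src_port} -> {t.dst_ip}:{t.dst_port}")
```

The first phone keeps 2048, the second one (same proxy, so the same tuple) is moved to a port in the fallback range, and the third keeps 2048 because its destination differs. Shrinking port_range to a couple of ports makes the model raise PortExhausted on the next flow, which is the port-exhaustion condition a busy NAT box with many clients to one destination can run into.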

* Re: NAT - how external source port is selected
       [not found]     ` <20210818161622.GS607@breakpoint.cc>
@ 2021-08-18 16:43       ` Daniel
  0 siblings, 0 replies; 8+ messages in thread
From: Daniel @ 2021-08-18 16:43 UTC (permalink / raw)
  Cc: netfilter

On 18/08/2021 at 18:16, Florian Westphal wrote:

> Daniel <tech@tootai.net> wrote:
>>>> Also, SNOM phones are systematically using port 2048 as source port of the
>>>> WAN ip. Is there a mechanism to allow such behavior ?
>>> What do you mean? The initiator is free to pick whatever source port they like.
>> Well, how will it know that the port is free?
> bind() fails for listener socket, connect() fails for outgoing (if
> everything is full).
>
> On conntrack machine, connection tracking table gets queried after SNAT
> to see if the new tuple is still unique.
Thanks to all for the explanation.

-- 
Daniel

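What the initiator side of this looks like, as an added Python example (not from the thread, not SNOM's code): the sender binds its socket to a fixed local port before sending, which is how a phone ends up using 2048 as its source port, and a second bind to the same address and port is refused by the kernel, so the application learns the port is taken from the error rather than from any table, which is the answer to the "how will it know the port is free" question above. Everything runs over loopback; the helper names are assumptions, and the port is picked dynamically so the demo does not depend on 2048 being free on the machine it runs on.

```python
"""Fixed source port on the initiating host, and how a collision shows up.

Added example, not code from the thread or from SNOM. A UDP socket is bound
to a fixed local port before sending; a second bind to the same address and
port fails, and the receiver confirms the datagram arrived from that port.
"""
import errno
import socket


def pick_free_udp_port(host="127.0.0.1"):
    """Ask the kernel for a currently unused port (released again on close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def bind_fixed_source_port(port, host="127.0.0.1"):
    """UDP socket that will send from a fixed source port, SNOM-style."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, port))           # raises OSError if the port is taken
    return s


def probe_collision(port):
    """Bind `port`, then try to bind it again; return the errno name the
    kernel answers with for the second bind (None if it was allowed)."""
    first = bind_fixed_source_port(port)
    try:
        second = bind_fixed_source_port(port)
        second.close()
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        first.close()


def send_from_fixed_port(port, payload=b"OPTIONS sip:proxy SIP/2.0"):
    """Send one datagram from `port` to a loopback receiver and report the
    source port the receiver saw together with the payload."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind(("127.0.0.1", 0))
    receiver.settimeout(2.0)
    sender = bind_fixed_source_port(port)
    try:
        sender.sendto(payload, receiver.getsockname())
        data, (peer_ip, peer_port) = receiver.recvfrom(4096)
        return peer_port, data
    finally:
        sender.close()
        receiver.close()


if __name__ == "__main__":
    port = pick_free_udp_port()
    seen_port, data = send_from_fixed_port(port)
    print(f"receiver saw source port {seen_port} (sender bound {port}), payload {data!r}")
    print("second bind on the same port ->", probe_collision(port))
```

On Linux the second bind fails with EADDRINUSE; the phone would have to pick another port itself or set socket options that allow sharing. The same bind-before-send pattern applies to TCP, where the fixed port is set with bind() before connect().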
