Hi all,
Semi-newcomer here, as I haven't used Sophos Firewall since XG 17.5.
When it went EOL, I tried out pfSense for a short while before finally deciding to retire our old, but reliable UTM 110/120 appliance.
The UTM 110/120 only has 2GB RAM, so it can't run SFOS 19 anyway, but I'm hopeful that I can maybe re-purpose this for alternative uses.
A couple of weeks ago, I installed SFOS 19.0.1-365 on a new Intel Celeron J1900 based platform.
Everything has been painstakingly manually migrated from our XG17.5/pfSense configuration. Gotta say, SFOS 19 is pretty awesome so far.
Now for the fun stuff. For certain destination ports, I want to randomize the source port during outgoing NAT.
The reason for this is to force a strict NAT on a certain online game. pfSense did this by default.
Why would you want to do this, isn't this counter-productive for online gaming?
In most cases, yes, it would be. But if you recognize the destination ports of said online game, you might understand why.
The other reason is if two devices on the same LAN try to bind the same outgoing target WAN port, this will result in a port collision. The port is allocated on a first-come, first-served basis. Randomizing the source port will avoid this.
There is no UI option in the NAT rules to randomize the source port. So, it has to be done using iptables.
In the advanced shell, I added a new iptables rule:
iptables -t nat -I POSTROUTING -o Port1_ppp -p udp --dport 61455:61458 -j MASQUERADE --random
-o = outbound interface, -p = protocol, --dport = destination ports, --random = randomize source port
Quick overview of our environment:
LAN > Sophos Firewall > PPPoE to ISP FTTC modem
This works as expected: the game reports a strict NAT and other players have difficulty connecting. This is a good thing, as it means we can keep our gameplay within our internal LAN, and it prevents most of the general public from connecting to us.
But if the firewall is rebooted, or a firmware upgrade is commenced, the change is reverted. I then have to manually enter this again through the advanced shell.
Is it possible to make this change persistent?
Thanks,
Dan
Note: this is a home license, so there is no warranty or support contract to violate.
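As an added example (not from Dan's post, and not an answer to the persistence question, which the thread leaves open), here is an idempotent way to apply the rule above: it runs `iptables -C` to test whether the rule already exists before inserting it, so a hook that re-runs the script after a reboot or upgrade does not stack duplicate MASQUERADE entries in the nat POSTROUTING chain. The interface name `Port1_ppp` and the port range `61455:61458` come from the post; the `IPTABLES`, `WAN_IF` and `PORTS` overrides and the `apply` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: apply the MASQUERADE --random rule only if it is not already present.
# Assumptions: WAN_IF and PORTS default to the values in the post; IPTABLES can be
# pointed at a wrapper for testing and defaults to the real iptables binary.
IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-Port1_ppp}"
PORTS="${PORTS:-61455:61458}"

# Rule body shared by the existence check (-C) and the insert (-I), so both
# always refer to exactly the same match and target.
rule_spec() {
    printf '%s' "POSTROUTING -o $WAN_IF -p udp --dport $PORTS -j MASQUERADE --random"
}

# Exit status 0 if the rule is already in the nat table, non-zero otherwise.
rule_present() {
    "$IPTABLES" -t nat -C $(rule_spec) >/dev/null 2>&1
}

# Insert the rule at the top of nat POSTROUTING unless it is already there.
# Prints "already-present" or "inserted" so a caller (or log) can see what happened.
ensure_rule() {
    if rule_present; then
        echo "already-present"
        return 0
    fi
    "$IPTABLES" -t nat -I $(rule_spec)
    echo "inserted"
}

# Usage: ./nat-random.sh apply   (run from whatever hook re-applies shell changes)
case "${1:-}" in
    apply) ensure_rule ;;
esac
```

Verify the live state afterwards with `iptables -t nat -S POSTROUTING`, which should list the rule exactly once no matter how many times `apply` has run.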