In some advanced system administration and security scenarios, you might want to restrict a specific program (or a user) to only use a specific range of source ports when making outbound connections. This can be important for:
- Securing network access per service
- Enforcing port-based identity
- Making firewall rules easier to manage
- Avoiding source port collisions in NAT environments
This article explains how to achieve this using iptables, cgroups, and kernel-level ephemeral port controls, with practical, copy-paste-ready examples.
What meant by "Port Range Restriction"?
When a program connects to an external server (e.g., with curl or a custom app), the kernel assigns a source port — typically from a dynamic range like 32768–60999. If you want to limit a specific app or user to only use, say, source ports 50000–51000 for all its outbound connections, you have to implement that at the firewall or kernel level.
Option 1: Using iptables with the owner Module (Per-User Limiting)
This is the most straightforward way if the program runs as a known user or UID.
Example: Allow only source ports 50000–51000 for myuser
# Block all outgoing TCP traffic from 'myuser' outside the port range
# iptables -A OUTPUT -p tcp -m owner –uid-owner myuser ! –sport 50000:51000 -j DROP
# Optional: for UDP
# iptables -A OUTPUT -p udp -m owner –uid-owner myuser ! –sport 50000:51000 -j DROP
Note: This will not stop the application from running — it just ensures the kernel drops packets that don't meet your policy.
Option 2: Using cgroups with net_cls + iptables (Per-Process Control)
For more precise control, especially in multi-user systems or containers, you can use Linux cgroups to classify traffic per process.
Step-by-step:
-
Create a net_cls cgroup:
# mkdir -p /sys/fs/cgroup/net_cls/myapp
# echo 0x100001 | sudo tee /sys/fs/cgroup/net_cls/myapp/net_cls.classid
-
Assign your process to the cgroup:
# Replace <PID> with the actual process ID
# echo <PID> | sudo tee /sys/fs/cgroup/net_cls/myapp/tasks
-
Add iptables rule:
# iptables -A OUTPUT -m cgroup –cgroup 0x100001 -p tcp ! –sport 50000:51000 -j DROP
This gives you fine-grained per-process port restrictions.
Optional: Set Ephemeral Port Range (Globally or Per Namespace)
Linux picks ephemeral ports from a default system-wide range (32768–60999). You can limit this globally (not recommended in shared systems) or within a network namespace.
To view the current range:
# cat /proc/sys/net/ipv4/ip_local_port_range
To change the range:
# echo "50000 51000" | sudo tee /proc/sys/net/ipv4/ip_local_port_range
Warning: This affects all processes. Better used inside isolated environments (e.g., containers or netns).
Run the App with Explicit bind() to Source Port
If you control the source code of the app, the cleanest method is to explicitly bind to the desired source port(s) before making the connection.
Python Example:
import socket
s = socket.socket()
s.bind(('', 50001)) # bind to specific source port
s.connect(('example.com', 443))
Many apps and libraries (like curl, wget, netcat, python requests, etc.) don't expose source port binding — in those cases, control must be done externally.
Logging Violations
To log connection attempts from disallowed source ports:
# iptables -A OUTPUT -p tcp -m owner –uid-owner myuser ! –sport 50000:51000
-j LOG –log-prefix "PORT VIOLATION: " –log-level 4
Containerized or Isolated Environments: Use Namespaces or Docker
For Docker or custom network namespaces, you can:
- Use a private ephemeral port range
- Use iptables inside the namespace
- Isolate the entire network stack for maximum safety
Docker Example:
# docker run -d –name limited_app –net=custom_net -p 50000-51000:50000-51000 myimage
Then configure the app inside the container to bind or use that port range.
Important Limitations
- iptables owner match works only for UIDs, not process names.
- If the app doesn’t bind explicitly, the kernel still picks a port — make sure the global range or netns is set correctly.
- Some apps (e.g. Java, browsers) may use multiple ephemeral ports simultaneously — test carefully.
- Not all programs allow setting source port via command line.
Recommended Best Practices
Let’s say you want to allow only ports 50000–51000 for a service called myapp:
-
Create a dedicated system user:
# sudo useradd -r -s /sbin/nologin myapp
-
Run the program as this user:
# sudo -u myapp /path/to/myapp
-
Set the desired port range system-wide (optional):
# echo "50000 51000" | sudo tee /proc/sys/net/ipv4/ip_local_port_range
-
Add iptables rule:
# iptables -A OUTPUT -p tcp -m owner –uid-owner myapp ! –sport 50000:51000 -j DROP
- (Optional) Add logging:
# iptables -A OUTPUT -p tcp -m owner –uid-owner myapp ! –sport 50000:51000 -j LOG –log-prefix "MYAPP PORT BLOCKED: "
-
Make sure the app binds or connects correctly from that range.
Final Thoughts
Restricting outbound source port ranges per application or user is an underused but powerful technique to lock down systems, especially in:
- High-security environments
- Multi-tenant servers
- NAT/firewall-managed networks
- IDS/IPS-aware setups
You can start with simple iptables rules for users, and later adopt cgroups or container namespaces for deeper isolation.
Force specific source ports for a app like curl
To force specific source ports in general-purpose tools like curl or nc, try using iptables SNAT (with care), or consider writing wrappers/scripts that handle binding via LD_PRELOAD or custom socket logic.
More helpful Articles
Tags: Docker Example, iptables, network stack, ports, program, Python Example, range, setting, source port, specific, use, Warning
