
Port numbers under 1024 are reserved for the superuser, so a normal user cannot bind to ports in that range.

And the range of ports that the system assigns random bind requests from can be set in /proc/sys/net/ipv4/ip_local_port_range, so I can reserve a range from automatic allocation. But how do I deny non-privileged users access to a range of ports?

For example, I would like ports 16000-17000 to be usable ONLY by the superuser. Or just increase the standard 0-1024 to 0-17000 or some arbitrary number I choose. How can I accomplish this?

1 Answer

In your kernel source, find include/net/sock.h.

Inside sock.h, find:

    #define PROT_SOCK   1024

Anything lower than the number on that line will be a protected port.

If you want a lower bound as well, you can probably find where to add that by looking for where PROT_SOCK gets used and adding an additional check. A quick pass with grep shows that the check is done per protocol, so you'll need to modify the test individually for IPv4, IPv6, and whatever else you use.

It should be relatively easy, but you'll have to maintain it by hand whenever you want to upgrade the kernel.

Perkins
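As an added illustration (not code from Perkins's answer, and not the kernel's own code), here is a user-space C model of the check the answer is talking about: the `snum < PROT_SOCK` test that the IPv4 bind path (`__inet_bind()` in net/ipv4/af_inet.c, with a twin in net/ipv6/af_inet6.c) runs together with a CAP_NET_BIND_SERVICE capability check, extended with the 16000-17000 range the question asks for. A small probe then calls bind() on a few ports so you can compare the model against what the running kernel actually enforces. The range bounds, the `port_is_protected`/`bind_policy`/`probe_bind` names and the sample ports are assumptions made for this example.

```c
/* Added example (not from the original answer or the kernel source): a
 * user-space model of the privileged-port test done in the per-protocol
 * bind() path, extended with the extra range the question asks for, plus a
 * live probe that binds real sockets to show what the running kernel does.
 * RESERVED_LOW/HIGH, the function names and the sample ports are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PROT_SOCK        1024   /* stock value from include/net/sock.h */
#define RESERVED_LOW    16000   /* assumed extra privileged range (inclusive) */
#define RESERVED_HIGH   17000

/* Mirrors "snum < PROT_SOCK" with the additional range test the answer
 * suggests adding next to it. Port 0 (let the kernel choose) is never
 * protected, which is why the kernel's test starts with "snum &&". */
bool port_is_protected(unsigned short port)
{
    if (port == 0)
        return false;
    if (port < PROT_SOCK)
        return true;
    return port >= RESERVED_LOW && port <= RESERVED_HIGH;
}

/* Model of the kernel decision: bind() fails with EACCES when the port is
 * protected and the caller lacks CAP_NET_BIND_SERVICE; otherwise it proceeds. */
int bind_policy(unsigned short port, bool has_cap_net_bind_service)
{
    if (port_is_protected(port) && !has_cap_net_bind_service)
        return -EACCES;
    return 0;
}

/* Live probe: try to bind a TCP socket to 127.0.0.1:port. Returns 0 on
 * success or the errno the kernel reported (EACCES = privileged port,
 * EADDRINUSE = something already bound there). The socket is closed at once. */
int probe_bind(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    int rc = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        rc = errno;
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed sample: one port below PROT_SOCK, one inside the assumed
     * reserved range, one that should be free for any user. */
    const unsigned short ports[] = { 80, 16500, 40000 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        int model = bind_policy(ports[i], false);
        int live  = probe_bind(ports[i]);
        printf("port %5hu: model says %s, kernel said %s\n", ports[i],
               model ? "EACCES" : "allowed",
               live ? strerror(live) : "allowed");
    }
    return 0;
}
```

Run the probe as an ordinary user before and after rebuilding the kernel: on a stock kernel only port 80 comes back EACCES; once the per-protocol test has been patched, 16500 should too. Two caveats worth knowing before you start editing: the real test is duplicated in each protocol's bind path, so changing only the PROT_SOCK define moves the lower bound for everyone but does nothing for a disjoint range, and in newer kernels the hard-coded constant has been replaced by the net.ipv4.ip_unprivileged_port_start sysctl, which lets you raise the bound (for example to 17000) without recompiling but still cannot express a separate 16000-17000 range on its own. Check which form your tree uses before grepping for PROT_SOCK.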