diff -ru x/lib/puppet/provider/firewall/iptables.rb y/lib/puppet/provider/firewall/iptables.rb
--- x/lib/puppet/provider/firewall/iptables.rb	2020-04-13 14:18:35.001844743 +0800
+++ y/lib/puppet/provider/firewall/iptables.rb	2020-04-13 14:44:03.565886399 +0800
@@ -54,6 +54,12 @@
     mark_flag = '--set-xmark'
   end
 
+  kernelversion = Facter.value('kernelversion')
+  if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) &&
+     (iptables_version && Puppet::Util::Package.versioncmp(iptables_version, '1.6.2') >= 0)
+    has_feature :random_fully
+  end
+
   @protocol = "IPv4"
 
   @resource_map = {
@@ -94,6 +100,7 @@
     :proto                 => "-p",
     :queue_num             => "--queue-num",
     :queue_bypass          => "--queue-bypass",
+    :random_fully          => "--random-fully",
     :random                => "--random",
     :rdest                 => "--rdest",
     :reap                  => "--reap",
@@ -271,7 +278,7 @@
     :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
     :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode,
     :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass,
-    :clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
+    :clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random_fully, :random, :log_prefix,
     :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
     :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone
   ]
@@ -399,6 +406,8 @@
         # only replace those -f that are not followed by an l to
         # distinguish between -f and the '-f' inside of --tcp-flags.
         values = values.sub(/\s-f(?!l)(?=.*--comment)/, ' -f true')
+      elsif bool == :random
+        values = values.sub(%r{#{resource_map[bool]}(\s|$)(?!"!")}, "#{resource_map[bool]} true")
       else
         values = values.sub(/#{resource_map[bool]}/, "#{resource_map[bool]} true")
       end
diff -ru x/lib/puppet/type/firewall.rb y/lib/puppet/type/firewall.rb
--- x/lib/puppet/type/firewall.rb	2020-04-13 14:18:35.001844743 +0800
+++ y/lib/puppet/type/firewall.rb	2020-04-13 14:44:03.565886399 +0800
@@ -63,6 +63,7 @@
   feature :string_matching, "String matching features"
   feature :queue_num, "Which NFQUEUE to send packets to"
   feature :queue_bypass, "If nothing is listening on queue_num, allow packets to bypass the queue"
+  feature :random_fully, 'The ability to use --random-fully flag'
 
   # provider specific features
   feature :iptables, "The provider provides iptables features."
@@ -564,6 +565,17 @@
     EOS
   end
 
+  newproperty(:random_fully, required_features: :random_fully) do
+    desc <<-EOS
+      When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
+      this boolean will enable fully randomized port mapping.
+
+      **NOTE** Requires Kernel >= 3.13 and iptables >= 1.6.2
+    EOS
+
+    newvalues(:true, :false)
+  end
+
   newproperty(:random, :required_features => :dnat) do
     desc <<-EOS
       When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"