Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back > Forums > Linux Forums > Linux - Newbie
User Name
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!


  Search this Thread
Old 02-02-2008, 11:50 AM   #1
LQ Newbie
Registered: Apr 2006
Posts: 2

Rep: Reputation: 0
IMAP and SMTP port redirect

Hi everyone,

I have serious problem, I have this network

LAN ( ) ---> Linux server (debian, eth0, eth1 -,, gw, dns <--NAT on router--> router (> internet

In LAN, PCs are not routed through gateway, because of security, I use squid for HTTP proxy.
Now, I need configure Linux server to REDIRECT 143 port and 25 to wan.

I would like to set LAN-PCs email clients imap server as:, when email client would like to download mail, he asked and will send packets to (everyone use same imap).
For smtp is the same case.

Please, advice me, how to set iptables chains on linux machine.

Thank you very much.

Last edited by Pistik_ke; 02-02-2008 at 12:02 PM. Reason: network topology edit
Old 02-03-2008, 12:43 AM   #2
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
A brief search of this forum will get you several posts that describe port-forwarding setup that will do what you want, though they might not actually mention your particular port numbers.

Even though your Linux server is connected between two Private Internets, the scheme is pretty simple:
1. When SMTP or IMAP packets arrive from the 10.0.0.x network, you need to tell the Linux machine to send them onto the 192.168.1.x subnet, even though that machine does not normally allow traffic between those two networks. To do this, you need port-forwarding specified in iptables, thus:
 #iptables -t nat -A PREROUTING -p tcp -d  --dport 25 -j DNAT --to-destination
 #iptables -t nat -A PREROUTING -p tcp -d  --dport 143 -j DNAT --to-destination
This tells the boundary machine what to do with this traffic. Then, if your other rules prevent forwarding between the two sides of this boundary machine (the normal case), you need to permit these packets to be forwarded:
 #iptables -A FORWARD -p tcp -m multiport --dports 25,143 -j ACCEPT
Finally, you may need to turn IP forwarding on the boundary machine. I am not sure exactly how you make that permanent on a Debian machine, but I am certain that Google will tell you: you need to set a kernel flag thus:
 # echo 1 > /proc/sys/net/ipv4/ip_forward
If this value is 0, no forwarding will occur, regardless of how many rules you put into the iptables FORWARD chain.

Old 02-03-2008, 04:56 AM   #3
LQ Newbie
Registered: Apr 2006
Posts: 2

Original Poster
Rep: Reputation: 0
Thank you very much, but I did not be sure that prerouting and port forwarding were vice choice.

I will try this solution ASAP.

About debian ip_forward
Old 02-03-2008, 01:16 PM   #4
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
I must apologize for providing only a partial recommendation for your problem; it was late at night when I wrote my previous post, and I have thought about your problem some more. My initial recommendation will not make your SMTP and IMAP connections work, because it enables the communication path in one direction. But a complete TCP connection requires bi-directional communication. Unfortunately, the outbound port-forwarding I recommended in my last post takes packets from many sources (on the 10.x.x.x network) and makes them all appear on the 192.168.1.x side to have come from a single address. As a result, when a return packet arrives at the boundary machine between these two networks, it cannot properly forward the reply to the correct originator.

Happily, there is a better solution, if the connections all originate on the 10.x.x.x network. (I guess that this must be the situation, since you have two distinct Private Networks, and a shared connection to the public Internet only from the 192.168.1.x side.) The solution is to use the masquerade facility of iptables, which is designed to keep track of the many-to-one mapping that occurs on the boundary machine. Using this facility, the originating packet (from a 10.x.x.x address) is transformed into one that appears to originate on the boundary machine, and is forwarded onto the 192.168.1.x network. In the process, the boundary machine records information about the outbound packet, so that when a reply arrives (addressed to that reply packet can be re-edited so that it can travel onward over the 10.x.x.x network to its correct destination.

The rules to make this happen are
 # iptables -t nat -A POSTROUTING -o eth1 -s --sport  25 -j SNAT --to-source
 # iptables -t nat -A POSTROUTING -o eth1 -s --sport 143 -j SNAT --to-source
In this situation, you do not need to make any special entry in the FORWARD chain; the SNAT processing bypasses that set of rules. But you do still need to make sure that the kernel setting of /proc/sys/net/ipv4/ip_forward is correct.

Good luck.


imap, smtp

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
redirect SMTP from main IP to secondary izghitu Linux - Networking 7 08-08-2007 10:04 PM
debian iptables squid - redirect port 80 to port 8080 on another machine nickleus Linux - Networking 1 08-17-2006 12:59 AM
Redirect SMTP Requests ALInux Linux - Networking 2 08-03-2006 07:41 AM
Outside FTP Port 21 redirect to different port inside LAN??? hendrixx Linux - Security 5 06-05-2004 06:42 PM
Change / Redirect SMTP Port Kernel_Sanders Red Hat 0 11-13-2003 08:42 AM > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 12:51 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration