On 08/25/2014 05:17 PM, Jochen Bern wrote:
> On -10.01.-28163 20:59, Gedalya wrote:
>> On 08/25/2014 08:26 AM, Jochen Bern wrote:
>>> Assuming Red Hat or similar with no conflicting iptables rules (yet),
>>>
>>> # iptables -t nat -A PREROUTING -p tcp --dport 30xxx -j DNAT --to :143
>>
>> Since you're redirecting to a port on the same host, the following is
>> perhaps more correct:
>>
>> iptables -t nat -A PREROUTING -p tcp --dport 30143 -j REDIRECT --to-port 143
>
> The operational word being "perhaps". My approach will break if the
> server does any forwarding, yours will break if dovecot listens only on
> a secondary IP address, or at least that's what the manpage I grabbed
> off a CentOS 6 says:

That REDIRECT rule can definitely not be used in that exact form if the
machine does forwarding. It will make anyone trying to reach port xxxxx
on any destination arrive at this IMAP server, unless you add a condition
such as -d 192.168.x.x

Indeed, if the machine is also a router and dovecot only listens on a
specific IP address then you would have to use DNAT to specify the
destination IP address and port. Perhaps the use of the word "correct"
was wrong; REDIRECT is just typically used in such cases where the
machine is anyway not a router, so it's kind of a more readable way to
say "redirect this traffic from this machine itself to this machine
itself", although REDIRECT is generally intended to be used on a router
to force traffic _not_ destined for this machine to go to this machine,
e.g. setting up a transparent proxy.

So you can say:

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.11 --dport 30143 -j REDIRECT --to-port 143

Or:

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.11 --dport 30143 -j DNAT --to-destination xx.xx.xx.xx:143

The latter redirects traffic destined to a specific IP address and port,
192.168.1.11:30143, to a specific IP address and port (presumably on the
same host, or not...).

> REDIRECT
> [...]
>        It redirects the packet to the machine itself by changing the
>                                       ^^^^^^^^^^^^
>        destination IP to the primary address of the incoming interface
>        ^^^^^^^^^^^^^^^^^^^^^^#######^^^^^^^^
>        (locally-generated packets are mapped to the 127.0.0.1 address).
>
> Regards,
> J. Bern
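To make the two failure modes from the thread concrete, here is an added toy model (not part of the original mail, and not iptables itself) that applies the REDIRECT and DNAT semantics described above to a forwarded packet and to a packet aimed at dovecot. The addresses 192.168.1.10 (primary), 192.168.1.11 (dovecot's secondary address) and 10.0.0.5 (a host behind the router) are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Toy model of nat/PREROUTING for the rules discussed in the thread.
# It is NOT iptables; it only applies the semantics described there:
# REDIRECT -> primary address of the incoming interface,
# DNAT --to :port -> keep the destination IP, rewrite only the port.

@dataclass
class Rule:
    target: str                 # "REDIRECT" or "DNAT"
    dport: int                  # --dport match
    to: str                     # REDIRECT: "143"; DNAT: "ip:port" or ":port"
    dst: Optional[str] = None   # optional -d match (None = any destination)

def prerouting(dst: str, dport: int, rules, iface_primary: str) -> Tuple[str, int]:
    """Apply the first matching nat rule to a packet (dst, dport) arriving on an
    interface whose primary address is iface_primary; return the new (dst, dport)."""
    for r in rules:
        if dport != r.dport or (r.dst is not None and dst != r.dst):
            continue
        if r.target == "REDIRECT":
            return iface_primary, int(r.to)
        ip, _, port = r.to.rpartition(":")
        return (ip or dst), int(port)        # DNAT --to :143 keeps the dst IP
    return dst, dport                         # no rule matched: untouched

# Constructed scenario: router whose primary address is 192.168.1.10, with
# dovecot bound only to the secondary address 192.168.1.11; 10.0.0.5 is a
# host behind the router that the router merely forwards traffic to.
PRIMARY, DOVECOT, BEHIND = "192.168.1.10", "192.168.1.11", "10.0.0.5"

RULES = {
    "redirect_unqualified": [Rule("REDIRECT", 30143, "143")],
    "dnat_port_only":       [Rule("DNAT", 30143, ":143")],
    "redirect_with_d":      [Rule("REDIRECT", 30143, "143", dst=DOVECOT)],
    "dnat_with_d":          [Rule("DNAT", 30143, f"{DOVECOT}:143", dst=DOVECOT)],
}

def outcomes():
    """For each ruleset: where a forwarded packet (to 10.0.0.5:30143) and a
    packet for dovecot (192.168.1.11:30143) end up after PREROUTING."""
    return {name: (prerouting(BEHIND, 30143, rs, PRIMARY),
                   prerouting(DOVECOT, 30143, rs, PRIMARY))
            for name, rs in RULES.items()}

if __name__ == "__main__":
    for name, (forwarded, local) in outcomes().items():
        print(f"{name:22} forwarded->{forwarded}  dovecot->{local}")
```

The unqualified REDIRECT captures the forwarded packet and sends dovecot's own traffic to the primary address where nothing listens; only the -d qualified DNAT leaves forwarded traffic alone and lands on 192.168.1.11:143.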