
Using iptables to open ports 25 and 26
Last Modified: 10/9/2009 11:02:12 AM

Environment

Messaging Architects M+Guardian 2008.1+
Linux distributions

Synopsis

My server needs to listen on ports 25 and 26.
How do I redirect traffic coming through on port 26 to 25?

Solution

iptables is essentially a packet-filtering service that exists on most Linux distributions. It lets you choose which packets to accept, which to drop, and whether to re-route any traffic to another port or IP address. This article covers accepting and re-routing packets for SMTP purposes.

To start things off, this is a picture of what a blank iptables chain list looks like:



We will also use the nat table. A blank list of the table looks like this:



A few key things to note are the PREROUTING and POSTROUTING chains in the nat table. Now run the following command; if it is entered correctly it prints nothing and simply returns to the prompt. The command to enter is:

iptables -A INPUT -p tcp --dport 26 -j ACCEPT

This specifies that we accept any packets arriving on TCP port 26. The packet has to be accepted before it can be redirected. This is what the command looks like after it's executed, and what the table looks like once the rule is in it:





Next, we make sure that packets can also be sent from port 26, in case the server needs to communicate back through port 26. To do that, execute:

iptables -A OUTPUT -p tcp --sport 26 -j ACCEPT

The big difference here is that we're matching a source port (--sport) instead of a destination port (--dport). Again, this looks like the following:





Finally, we'll add in our redirect, which can be specified with the following line:

iptables -t nat -A PREROUTING -p tcp --dport 26 -j REDIRECT --to-port 25

This time we have to specify the table to use, which is where the -t nat switch comes in. Then we specify the chain we're adding to, PREROUTING, and that anything inbound to port 26 is redirected to port 25. After the command has run, the chain looks like the following:





Now you should be able to telnet to the server on port 26 and get the same banner you receive on port 25.

If this does not work, verify that there is only one entry for the redirect:

iptables -t nat -L
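The check above is done by eye; the following added example (not part of the original article) does the same check over saved rules. It parses iptables-save output, here a constructed sample in which the article's commands were run twice, and counts the INPUT accept rule and the nat PREROUTING redirect so a duplicated redirect shows up as a count other than 1.

```python
import shlex

# Constructed sample of iptables-save output after the article's commands
# were run twice, so the redirect rule is duplicated.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 26 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 26 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 26 -j REDIRECT --to-ports 25
-A PREROUTING -p tcp -m tcp --dport 26 -j REDIRECT --to-ports 25
COMMIT
"""


def parse_rules(save_text):
    """Yield (table, chain, opts) per -A line; opts maps flag -> value (True if bare)."""
    table = None
    for line in save_text.splitlines():
        if line.startswith("*"):            # "*nat" opens a new table section
            table = line[1:].strip()
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            opts, i = {}, 2                 # tokens[1] is the chain name
            while i < len(tokens):
                has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
                opts[tokens[i]] = tokens[i + 1] if has_value else True
                i += 2 if has_value else 1
            yield table, tokens[1], opts


def audit_smtp_redirect(save_text, from_port="26", to_port="25"):
    """Return (accept_count, redirect_count); a working setup has exactly (1, 1)."""
    accepts = redirects = 0
    for table, chain, o in parse_rules(save_text):
        if o.get("-p") != "tcp" or o.get("--dport") != from_port:
            continue
        if table == "filter" and chain == "INPUT" and o.get("-j") == "ACCEPT":
            accepts += 1
        elif (table == "nat" and chain == "PREROUTING"
              and o.get("-j") == "REDIRECT" and o.get("--to-ports") == to_port):
            redirects += 1
    return accepts, redirects
```

On a live box, feed it the real output with `audit_smtp_redirect(subprocess.check_output(["iptables-save"]).decode())`; iptables-save writes the REDIRECT option as --to-ports even when the rule was entered with --to-port.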

To remove the redirect (this flushes every rule in the nat table):

iptables -t nat -F

To add the rules back in and have them restored when the interface comes up, you can type the following (the if-up.d path is distribution-specific; the restore script needs a shebang line and must be executable to run):

iptables -A INPUT -p tcp --dport 26 -j ACCEPT && \
iptables -t nat -A PREROUTING -p tcp --dport 26 -j REDIRECT --to-port 25 && \
iptables-save > /root/iptables && \
printf '#!/bin/sh\niptables-restore < /root/iptables\n' > /etc/sysconfig/network/if-up.d/iptables && \
chmod +x /etc/sysconfig/network/if-up.d/iptables

Notes

All of the longer dashes in this document are double dashes (e.g., --dport, as opposed to -p tcp).

Former KB Article: 1283
http://kb.messagingarchitects.com/article.aspx?article=1283&p=1

