Redirect Port 25 to 3535

Discussion in 'Tomato Firmware' started by swammy, Feb 11, 2014.

  1. swammy

    swammy Reformed Router Member

    I have a hard coded application that will only send SMTP outgoing messages through port 25. My ISP has recently firmly instituted a policy of blocking port 25 for a number of reasons. Can I set up a Tomato based router (Linksys E3000) to redirect all/any outgoing port 25 requests to go out 3535? All my other SMTP apps allow the client configuration to be changed for outgoing SMTP

    I have researched a number iptables commands and have been unable to get any of them to fix the problem.

    Here are some samples I have tried that have not worked. They are correct syntax because I can see in NAT table. I believe they are just not correct.

    iptables -t nat -A OUTPUT -p tcp --dport 25 -j REDIRECT --to-port 3535

    iptables -t nat -A OUTPUT -p tcp --dport 25 -j DNAT --to-destination

    iptables -t nat -A POSTROUTING -p tcp --dport 25 -o eth0 -j SNAT --to-source

    The top options seems like it should do the job.

    Thank you
  2. darkknight93

    darkknight93 Networkin' Nut Member

    I have:

    iptables -t nat -A PREROUTING -p tcp -d --dport 80 -j DNAT --to

    For redirecting Access to to

    for "just" port redirection you can edit the roule using --to-port as in you 1st example
  3. swammy

    swammy Reformed Router Member

    Thank you for the response. I have tried rule number 1 and it did not work.

    The example you provided stays inside the network and never goes outbound.

    Just to clarify, I would like any ip address inside my network that is using Port 25 outbound to be redirected to port 3535 before leaving the network. More specifically, I want all port 25 traffic to be redirected to
  4. TrueBlueBlooded

    TrueBlueBlooded Addicted to LI Member

    This should work:

    iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination
  5. swammy

    swammy Reformed Router Member

    That did it. I should be fine now as long as the IP address remains the same. Do you know if the destination needs to be an ip address or can I use the domain name?
  6. jerrm

    jerrm Network Guru Member

    You can use a hostname in the the rule, but the ip will be resolved at the time the rule is added, not dynamically for each connection attempt. It's good for readability, but doesn't help if they change the IP for the host next week. It also means you have to make sure DNS is working at the time the rule is added.
    koitsu likes this.
  7. darkknight93

    darkknight93 Networkin' Nut Member

    You can use 'wanip' as variable, using this iptables script in wan up scripts would do the trick
  8. RonWessels

    RonWessels Network Guru Member

    If all you want to do is convert port 25 connections to port 3535 connections, your first attempt was close. The problem was that you appended to the OUTPUT chain, which is only used for connections that originate on the router itself. You wanted to append to the PREROUTING chain, which is used for connections incoming to the router from the LAN.
  9. VailComputerGuy

    VailComputerGuy Network Newbie Member

    This thread has been very helpful - thank you!

    I have a similar issue with a device that will only send SMTP messages on 25 or 5000-65535 (a Xerox printer). I have configured the printer to use 50025 for SMTP, so when using this command, it works nicely:

    iptables -t nat -A PREROUTING -p tcp --dport 50025 -j DNAT --to-destination

    (My destination IP is a Network Solutions email server, and they only support ports 587 or 2525.)

    I would like to have it set up so that if the email server IP changes, I don't have to reconfigure the rule. My printer has a static IP (, so i was wondering if I might be a little more specific and just redirect the port, and keep the destination IP that was already resolved. The printer is using for the SMTP server address, so the IP will already be resolved, yes?

    I have no other printers or devices with these requirements, so I am trying to specify that only traffic from the printer is changed.

    I tried this command that I modified from an iptables script generator:

    iptables -t nat -A PREROUTING -p tcp --src --dport 50025 -j DNAT --dport 587

    but that didn't do the trick. Tried this too:

    iptables -t nat -A PREROUTING -p tcp --src --dport 50025 -j REDIRECT --to-port 587

    But no dice. I think I'm close, but I could use a suggestion. Thank you!

    Since I only have one device that is using port 50025, could I just redirect all traffic on 50025 to use 587?
    Last edited: May 16, 2014
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice