On 2016.07.15. 2:07, M. Balridge wrote:


I just thought to remind people that with some firewalls, there's always a way
to perform "silent" redirections using the DNAT target in the PREROUTING
table, i.e.:

iptables -t nat -A PREROUTING -i ${EXTIF} -s ${NOTLSSOURCES} -p tcp --dport 110 \
 --syn -j DNAT --to-destination ${DOVECOT}:${NOTLSPOP3PORT}

If you're using a Linux iptables firewall, you wouldn't need to expose the
different port to the client, but would make use of the NAT subsystem to
redirect the connection from certain IP#s->POP3 to the service port where
you've denied TLS.

No client would need to be made aware of the "secret" ${NOTLSPOP3PORT}, and in
fact, the firewall would continue to DROP packets sent to it from elsewhere if
you have a default-deny policy in effect.

=R=


If you're just changing port, better use REDIRECT target.

--
KSb
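As an added example (not posted by either participant), the source-restricted plaintext-POP3 redirection from both messages as a reviewable shell script: the DNAT form for a Dovecot host behind the firewall, the REDIRECT form the reply suggests when Dovecot runs on the firewall itself, and the filter-table rules that make the default-deny claim hold. All interface, address and port values are constructed placeholders; by default the script prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Constructed sample values (not from the thread); override via environment.
EXTIF="${EXTIF:-eth0}"
DOVECOT="${DOVECOT:-192.0.2.10}"                  # Dovecot host behind the firewall
NOTLSSOURCES="${NOTLSSOURCES:-198.51.100.0/24}"   # only clients allowed plaintext POP3
NOTLSPOP3PORT="${NOTLSPOP3PORT:-1110}"            # Dovecot listener configured without TLS

# Print commands for review by default; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# Variant 1 (first message): Dovecot on a separate host, so the rewritten
# connection traverses FORWARD and needs net.ipv4.ip_forward=1.
dnat_rules() {
    $IPT -t nat -A PREROUTING -i "$EXTIF" -s "$NOTLSSOURCES" -p tcp --dport 110 \
        --syn -j DNAT --to-destination "$DOVECOT:$NOTLSPOP3PORT"
    # The filter table sees the already-rewritten destination port, so accept
    # only the redirected flow; direct hits on the port from elsewhere stay dropped.
    $IPT -A FORWARD -i "$EXTIF" -s "$NOTLSSOURCES" -d "$DOVECOT" -p tcp \
        --dport "$NOTLSPOP3PORT" -j ACCEPT
}

# Variant 2 (reply): Dovecot on the firewall host, so a port change is enough.
redirect_rules() {
    $IPT -t nat -A PREROUTING -i "$EXTIF" -s "$NOTLSSOURCES" -p tcp --dport 110 \
        --syn -j REDIRECT --to-ports "$NOTLSPOP3PORT"
    $IPT -A INPUT -i "$EXTIF" -s "$NOTLSSOURCES" -p tcp \
        --dport "$NOTLSPOP3PORT" -j ACCEPT
}

# Default-deny policy the first message relies on; replies to accepted
# connections must still be let through or the redirected session stalls.
default_deny() {
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}
```

Run with `IPT=iptables` only after reviewing the printed rules; variant 1 also requires the Dovecot host to route its replies back through this firewall.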
