I want to setup a special SMTP environment: two different SMTP servers that should be transparently accessed from SMTP clients.
Let's say I have an RFC-compliant Postfix running at 192.168.0.1:25 and an RFC-ignoring server fooling clients at 192.168.0.1:2525.
Now I want the following. Most connections should be handled by Postfix as it is listening on the correct port. But with different iptables rules I currently REJECT/DROP connections due to RBL listings, abusive behavior or exceeding limits; just to reduce the load on the Postfix server. Now I no longer want to DROP them, but instead forward the connections to port 2525. The second server is to act as a tarpit and then defer/reject the mails.
I can't figure out how to forward connections depending on other iptables rules that are in the INPUT chain. There I use xt_recent and limit filters to dynamically decide between ACCEPT and DROP.
Assuming iptables runs on the same machine where both Postfix and that other server are running, you need a nat rule with target REDIRECT:
iptables -t nat -A PREROUTING -p tcp -s [address_matching_rbl] --dport 25 -j REDIRECT --to-ports 2525
You also need a filtering rule in chain INPUT to permit connections to port 2525. This rule does not have to match RBL addresses.
Since you already use iptables to DROP connections from blacklisted hosts, you probably already have the list of addresses and have written iptables rules using it. You could use the module ipset ( http://ipset.netfilter.org/ ) to make this matching work more efficiently and to be able to reload lists of addresses without reloading the whole iptables configuration.
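The answer above put together as a script, added here as an example and not part of the original post. It keeps the listed senders in an ipset with a timeout, redirects their port 25 connections to the tarpit port with the nat/PREROUTING REDIRECT rule, and opens the tarpit port in INPUT only for connections that were actually redirected (conntrack state DNAT), so nobody reaches the tarpit by dialling 2525 directly. The set name `smtp_tarpit`, the 3600 second timeout, the `DRY_RUN` switch and the sample address 203.0.113.5 are assumptions for this example; `DRY_RUN=1` prints the commands instead of executing them so the logic can be checked without root.

```shell
#!/bin/sh
# Added example (not from the original post): redirect SMTP connections
# from hosts in an ipset to a tarpit on port 2525; everything else still
# reaches Postfix on port 25. Set name, timeout and sample address are
# assumed values.
SET_NAME="${SET_NAME:-smtp_tarpit}"
SMTP_PORT=25
TARPIT_PORT=2525
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# Wrapper so the same functions can be dry-run or applied for real.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the set once; entries expire after an hour, so a host that stops
# misbehaving falls back to the normal Postfix path without a rule reload.
setup_set() {
    run ipset -exist create "$SET_NAME" hash:ip timeout 3600
}

# Add (or refresh) a listed sender; re-adding resets its timeout.
tarpit_host() {
    run ipset -exist add "$SET_NAME" "$1"
}

install_rules() {
    # nat/PREROUTING is evaluated before filter/INPUT, so for listed hosts
    # the INPUT chain already sees the connection with dport 2525.
    run iptables -t nat -A PREROUTING -p tcp --dport "$SMTP_PORT" \
        -m set --match-set "$SET_NAME" src \
        -j REDIRECT --to-ports "$TARPIT_PORT"
    # Accept the tarpit port only for redirected connections (state DNAT):
    # a client connecting straight to 2525 does not match and is left to
    # the chain's default policy.
    run iptables -A INPUT -p tcp --dport "$TARPIT_PORT" \
        -m conntrack --ctstate DNAT -j ACCEPT
    # Normal SMTP for everyone else.
    run iptables -A INPUT -p tcp --dport "$SMTP_PORT" -j ACCEPT
}

# Stand-alone run: in dry-run mode this just prints the commands.
setup_set
tarpit_host 203.0.113.5
install_rules
```

REDIRECT rewrites the destination to the primary address of the interface the packet arrived on, so the tarpit must listen on that address (192.168.0.1:2525 in the question), not only on localhost. Because the redirected connection is tracked as DNAT, the `--ctstate DNAT` match is what keeps port 2525 closed to everyone who was not sent there by the nat rule.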