I've searched through the archives, but don't think this question has been asked before.

I'm trying to connect from work to my home computer through Windows XP Remote Desktop. Both my work computer and home computer are natted. From my work, I can only send outgoing packets through tcp ports 80 and 443, so I'm using both port-redirecting and port-forwarding on my home firewall like so:

    iptables -t nat -A PREROUTING -i ppp0 -p tcp --sport 1024: --dport 443 -j DNAT --to 192.168.0.101:3389

So my setup looks like this:

    ----------------     -----------------
    | work comp    |     | work firewall |
    | 10.160.5.22  |-----| (public ip)   |
    | (private ip) |     |               |
    ----------------     -----------------
                                |
                            internet
                                |
    ----------------------     -----------------
    | netfilter firewall |     | home comp     |
    | (public ip)        |-----| 192.168.0.101 |
    |                    |     | (private ip)  |
    ----------------------     -----------------

I drop (and log) by default, and accept related and established connections.

This setup works fine. When I use Remote Desktop to connect to my firewall at port 443, I can take over my home desktop. But whenever I do so, my firewall logs fill up. Apparently my home comp is sending back UDP packets TO THE PRIVATE IP of my work computer, which get logged and dropped at my firewall. This doesn't seem to affect the connection, though.

An example log entry:

    Oct 4 11:00:54 uruz kernel: IN=eth0 OUT=ppp0 SRC=192.168.0.101 DST=10.160.5.22 LEN=1052 TOS=0x00 PREC=0x00 TTL=127 ID=60438 PROTO=UDP SPT=3017 DPT=1237 LEN=1032

The source port is always udp/3017, the destination port varies. Apparently Remote Desktop is sending its original private IP along in the data stream, but I don't understand why everything seems to work fine.

Does anyone have any idea how I could handle these packets? I don't like to code in specific exceptions in my ruleset, so simply 'not logging' packets that go to 10.160.5.22 or that have a source port of udp/3017 isn't acceptable.

Thank you for your time.

Stijn Derudder
nopel@gmx.net
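As an added example (not part of the original post), a small Python script that parses netfilter log lines of the kind shown above and flags packets leaving the WAN interface (assumed to be ppp0) towards RFC 1918 destinations. That is the general condition these entries satisfy, so the check needs no reference to 10.160.5.22 or udp/3017; the second sample line is constructed for contrast.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the entry from the post plus a made-up normal
# outbound packet to a public address, for contrast.
SAMPLE_LOG = """\
Oct 4 11:00:54 uruz kernel: IN=eth0 OUT=ppp0 SRC=192.168.0.101 DST=10.160.5.22 LEN=1052 TOS=0x00 PREC=0x00 TTL=127 ID=60438 PROTO=UDP SPT=3017 DPT=1237 LEN=1032
Oct 4 11:00:55 uruz kernel: IN=eth0 OUT=ppp0 SRC=192.168.0.101 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60439 PROTO=TCP SPT=1045 DPT=443
"""

FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")

# RFC 1918 address blocks: these must never appear as a destination on the WAN side.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_netfilter_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one 'KEY=value ...' netfilter log line into a dict.
    Returns None for lines that carry no netfilter fields."""
    _, sep, fields = line.partition("kernel:")
    if not sep:
        return None
    rec: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(fields):
        # LEN appears twice (IP total length, then transport length);
        # setdefault keeps the first, i.e. the IP total length.
        rec.setdefault(key, value)
    return rec or None


def is_private_leak(rec: Dict[str, str], wan_if: str) -> bool:
    """True when a packet leaves via the WAN interface towards an RFC 1918 address."""
    if rec.get("OUT") != wan_if or "DST" not in rec:
        return False
    try:
        dst = ipaddress.ip_address(rec["DST"])
    except ValueError:
        return False
    return any(dst in net for net in RFC1918)


def private_egress(log_text: str, wan_if: str = "ppp0") -> List[Dict[str, str]]:
    """Return the parsed records of every packet that leaks a private destination."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line)
        if rec and is_private_leak(rec, wan_if):
            leaks.append(rec)
    return leaks


if __name__ == "__main__":
    for rec in private_egress(SAMPLE_LOG):
        print(f"{rec['PROTO']} {rec['SRC']}:{rec.get('SPT')} -> {rec['DST']}:{rec.get('DPT')} via {rec['OUT']}")
```

The same condition (OUT on the WAN interface, DST in RFC 1918 space) is what a dedicated non-logging egress rule ahead of the default log-and-drop rule would match, without naming any particular host or port.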