I think the rules you have put in place are confusing themselves. First off, when NAT'ing an IP you really want to NAT the interface as well. Try this:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.101:3389
iptables -t filter -A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT

> > eth0: 192.168.178.100 (connected to the router)
> > eth1: 192.168.1.100 (connected to my LAN)
> > 1. Config the router to forward all TCP 3899 requests to the firewall
> > (192.168.178.100)
> > On the firewall I put the setting:
> > iptables -t nat PREROUTING -p tcp --dport 3389 -j DNAT --to 192.168.1.101:3389
> > and (another try)
> > iptables -t nat PREROUTING -p tcp --dport 3389 -j DNAT --to 192.168.1.101
> >
> > 2. Config the router to forward all TCP requests directly to MS SBS
> > (192.168.1.101)
> > Firewall:
> > iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
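Added example, not part of either message: a small Python check that reads iptables command lines like the ones in this thread and reports a DNAT rule with no chain operation, no inbound interface, or no matching FORWARD ACCEPT for the translated port. It assumes the FORWARD chain's default policy is DROP; the function names and the option table are illustrative and cover only the options used above.

```python
import shlex

# Option -> field name; covers only the options used in the thread's rules.
OPTS = {"-t": "table", "-i": "in", "-p": "proto", "--dport": "dport",
        "-j": "target", "--to-destination": "to", "--to": "to",
        "-A": "chain", "-I": "chain"}

def parse_rule(cmd):
    """Parse one iptables command line; 'chain' stays None without -A/-I."""
    rule = {"table": "filter", "chain": None, "in": None, "proto": None,
            "dport": None, "target": None, "to": None}
    tokens = shlex.split(cmd)
    for flag, value in zip(tokens, tokens[1:]):
        if flag in OPTS:
            rule[OPTS[flag]] = value
    return rule

def check_port_forward(commands):
    """Return findings for a DNAT port forward (assumes FORWARD policy DROP)."""
    findings, rules = [], []
    for cmd in commands:
        rule = parse_rule(cmd)
        if rule["chain"] is None:
            findings.append("no -A/-I chain operation: " + cmd)
        else:
            rules.append(rule)
    for d in rules:
        if d["table"] != "nat" or d["target"] != "DNAT":
            continue
        if d["in"] is None:
            findings.append("DNAT rule matches on every interface (no -i)")
        # The filter table sees the packet after translation, so the
        # FORWARD rule must match the rewritten destination port.
        to = d["to"] or ""
        port = to.rpartition(":")[2] if ":" in to else d["dport"]
        if not any(f["table"] == "filter" and f["chain"] == "FORWARD"
                   and f["target"] == "ACCEPT"
                   and f["proto"] in (None, d["proto"])
                   and f["dport"] in (None, port) for f in rules):
            findings.append(f"no FORWARD ACCEPT for {d['proto']}/{port}")
    return findings

# Constructed inputs: the reply's two rules, and the first quoted attempt.
REPLY_RULES = [
    "iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.101:3389",
    "iptables -t filter -A FORWARD -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT",
]
QUOTED_ATTEMPT = ["iptables -t nat PREROUTING -p tcp --dport 3389 -j DNAT --to 192.168.1.101:3389"]

if __name__ == "__main__":
    for label, cmds in (("reply", REPLY_RULES), ("quoted", QUOTED_ATTEMPT)):
        print(label, check_port_forward(cmds) or "ok")
```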