> I have another rule after prerouting, postrouting snat (for
> the firewall itself) for that purpose. Packets coming from outside
> going to inside machine as from firewall machine.
>
> Maybe it helps.

If you accept ESTABLISHED (and RELATED for simplicity and other functionality)
you don't have to; only a PREROUTING will do the trick. What I mean is this:

    # default: forward nothing
    $ipt -P FORWARD DROP
    # replies and related traffic of already accepted connections
    $ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # new connections from the internet to the RDP host only
    $ipt -A FORWARD -m state --state NEW -i <if_inet> -o <if_lan> \
        -d <ip_rdp_host> -p tcp --dport 3389 -j ACCEPT
    # rewrite the destination before routing, so FORWARD sees <ip_rdp_host>
    $ipt -t nat -A PREROUTING -i <if_inet> -p tcp --dport 3389 \
        -j DNAT --to <ip_rdp_host>

Robby Workman also has a point: does "iptables -nvL" show packet counts for
these rules? Maybe the packets never reach the iptables firewall, or maybe
there is some other rule blocking RDP traffic before it can be accepted.

Gr,
Rob
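As an added illustration of the counter check Rob mentions (this is not part of the thread, nor any project's code): a small Python parser for `iptables -nvL` output that reads the per-rule packet counters and the chain's policy counter and says whether the FORWARD rule for port 3389 ever matched. The sample output, the eth0/eth1 interfaces, the 192.168.1.10 host and the counter values are constructed.

```python
import re

# Constructed sample of `iptables -nvL` output for the filter table (not real data).
SAMPLE_FILTER = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  840 61200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.168.1.10         tcp dpt:3389 state NEW
"""

def _count(s):
    """Without -x, iptables abbreviates counters with K/M/G (thousands-based)."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_counters(text):
    """Return {chain: {"policy": (name, pkts) or None, "rules": [(pkts, target, match)]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Chain (\S+) \((.*)\)", line)
        if m:
            current = m.group(1)
            pm = re.match(r"policy (\S+) (\S+) packets", m.group(2))
            policy = (pm.group(1), _count(pm.group(2))) if pm else None
            chains[current] = {"policy": policy, "rules": []}
            continue
        f = line.split(None, 9)
        if current is None or len(f) < 9 or not f[0][0].isdigit():
            continue  # blank line or the "pkts bytes target ..." header
        chains[current]["rules"].append((_count(f[0]), f[2], f[9] if len(f) > 9 else ""))
    return chains

def diagnose_forward(chains, dport="3389", chain="FORWARD"):
    """Say what the counters tell us about the ACCEPT rule for NEW traffic to dport."""
    info = chains[chain]
    hits = [pk for pk, target, match in info["rules"]
            if target == "ACCEPT" and "dpt:%s" % dport in match]
    if not hits:
        return "no ACCEPT rule for dpt:%s in %s" % (dport, chain)
    if max(hits) > 0:
        return "forward rule matched %d packets" % max(hits)
    policy, dropped = info["policy"] or ("?", 0)
    if policy == "DROP" and dropped > 0:
        # Traffic reaches the chain but not this rule: compare -i/-o/-d with the DNAT target.
        return "forward rule never matched; %d packets fell to the DROP policy" % dropped
    return "forward rule never matched and nothing was dropped; check PREROUTING DNAT counters"
```

Feed it the real output with `iptables -nvL` (filter) and `iptables -t nat -nvL` (the DNAT rule): a zero on the FORWARD rule while the policy counter grows usually means the DNAT did not rewrite the destination, or the -i/-o interfaces do not match.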