Hello Martin,

for a terminal server behind a hardware router + SuSEfirewall, the following works for me in SuSEfirewall2-custom:

fw_custom_before_denyall() { # could also be named "after_forwardmasq()"
    # these are the rules to be loaded after IP forwarding and masquerading
    # but before the logging and deny all section is set by SuSEfirewall2.
    # You can use this hook to prevent the logging of annoying packets.

    #example: prevent logging of talk requests from anywhere
    #for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do
    #    iptables -A $chain -j DENY -p udp --dport 517:518
    #done

    # Start of MS
    # Windows terminal server
    iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to 192.168.2.3:3389
    # iptables -t nat -I POSTROUTING -p tcp --dport 3389 -j SNAT --to 192.168.2.8:3389
    iptables -t nat -I POSTROUTING -p tcp --dport 3389 -j MASQUERADE
    iptables -I INPUT -p tcp --dport 3389 -j ACCEPT
    iptables -I OUTPUT -p tcp --dport 3389 -j ACCEPT
    iptables -I FORWARD -p tcp --dport 3389 -j ACCEPT
    # End of MS

    true
}

Maybe it helps. 192.168.2.3 is the terminal server, 192.168.2.8 is the firewall's interface into the local network.

Max
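An added example, not part of the original post: the same RDP forward with each rule scoped to an interface and to the terminal server, printed for review rather than applied. The interface names eth0 (external) and eth1 (internal) and the helper function names are assumptions; 192.168.2.3 and port 3389 are taken from the post.

```shell
#!/bin/sh
# Added example: prints narrowly scoped iptables commands for the RDP forward.
# Assumed names: eth0 = external interface, eth1 = internal interface.

valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_port() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: rdp_forward_rules EXT_IF INT_IF SERVER_IP [PORT]
rdp_forward_rules() {
    ext_if=$1 int_if=$2 server=$3 port=${4:-3389}
    for ifname in "$ext_if" "$int_if"; do
        case "$ifname" in ""|*[!A-Za-z0-9_.-]*) echo "bad interface: $ifname" >&2; return 1 ;; esac
    done
    valid_ipv4 "$server" || { echo "bad server address: $server" >&2; return 1; }
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    # Rewrite the destination only for packets arriving on the external side.
    echo "iptables -t nat -I PREROUTING -i $ext_if -p tcp --dport $port -j DNAT --to-destination $server:$port"
    # DNATed packets traverse FORWARD, so no INPUT or OUTPUT rule is emitted.
    echo "iptables -I FORWARD -i $ext_if -o $int_if -d $server -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -I FORWARD -i $int_if -o $ext_if -s $server -p tcp --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    # Masquerade only the forwarded flow, so replies return through this
    # firewall even if the server's default gateway is another router.
    echo "iptables -t nat -I POSTROUTING -o $int_if -d $server -p tcp --dport $port -j MASQUERADE"
}

# Print the rules for the addresses used in the post.
rdp_forward_rules eth0 eth1 192.168.2.3
```

After review, the printed commands can be placed in fw_custom_before_denyall. Because of the MASQUERADE rule, the terminal server sees every session as coming from the firewall's internal address, so client addresses have to be taken from the firewall's own logs.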