I have a "hole" in my firewall to allow myself to use WinXP's remote desktop control through my linux box from work. IPTABLES is setup to DNAT all traffic on port 3389 to my WinXP box. I tried to make sure that this machine has a static IP so that I can put the IP in the IPTABLES script. The problem is that the packets seem to be routed to ipaddress .6 instead of .2.

Iptables command:
iptables -i eth0 -t nat -A PREROUTING -p tcp -s $SSH_ALLOWED_IPS --dport 3389 -j DNAT --to 192.168.0.2:3389

Iptable log error:
Apr 1 08:03:56 linux kernel: IPTABLES ICMP-BAD-TYPE-OUT: IN= OUT=eth0 SRC=12.252.52.87 DST=65.208.52.35 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=38462 PROTO=ICMP TYPE=3 CODE=1 [SRC=65.208.52.35 DST=192.168.0.6 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=29258 DF PROTO=TCP SPT=1948 DPT=3389 WINDOW=64512 RES=0x00 SYN URGP=0 ]

dhcpd.conf
ddns-update-style interim;
default-lease-time 64800;
max-lease-time 64800;

option domain-name-servers 192.168.0.1;
option domain-name "mshome.net";

subnet 192.168.0.0 netmask 255.255.255.0
{
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option routers 192.168.0.1;
server-identifier 192.168.0.5;

host andrew
{
ddns-hostname "andrew";
fixed-address 192.168.0.2;
hardware ethernet 00:....:62;
}

range 192.168.0.3 192.168.0.10;
}


If I change the fixed-address to 192.168.0.6 everything works fine. Anyone know why it may be defaulting to that address?

If 'iptables -t nat -L' doesn't show a duplicate rule pointing to .6, then I haven't a clue.

Ah, thank you. Got me pointed in the right direction. My script was flushing the default table and deleting the chains, but not the nat table, so the commands/settings were just being appended, keeping the original values as the first rules.

I walked into the same trap a while ago.
As it turned out, RH-Lokkit had made up some
simplistic iptables rules for me, which weren't
flushed before I ran my own script.

Only a day later, when I checked with
iptalbes --list did I find out that my whole box
was wide-open because the old rules were
still accepting every packet that made it to the
INPUT chain.

Thank you RH for UnLokking my firewall...