Simple, those machines (A,B) should drop all packets in their INPUT tables as only passing through packets will traverse the FORWARD chain... Unless I misunderstood you, but I think that's all you need.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698

-----Original Message-----
From: kilho Kim [mailto:kilho8667@xxxxxxxxx]
Sent: Tuesday, 30 September 2003 2:35 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Help Netfilter+Bridge+Tokenring

I have a somewhat weird setup and need some advice.

One machine (A) has 3 Ethernet adapters and 1 token ring adapter installed. Three clients will be attached to the 3 Ethernet adapters, and the token ring adapter is connected to another Linux box (B) acting as a router. The box (B) will be connected to the internet.

I set up the bridge on box (A) (basically I followed the Ethernet-Bridge-Howto). The bridge (br0) includes eth0, eth1, and eth3. Then there is a token ring interface to box (B).

I'm trying to see if I can use iptables to forward any packets incoming from the client machines attached to br0 to the token ring adapter, so that they eventually end up at box (B).

The other requirement I have is that the clients attached to Box (A) shouldn't be able to access Box (A) and Box (B) other than sending packets through them.

I'm a very novice iptables user, so if you're kind enough to show me some of the iptables commands and configuration strings, it would help me a lot.

Thanks much.
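
The policy suggested in the reply, written out for box (A) as an added example that is not part of the original thread: build_rules prints a filter table for iptables-restore, and audit_input is a simple heuristic check that no INPUT rule lets new connections in from the bridge side. Assumptions not taken from the thread: the token ring interface is named tr0, the conntrack match is available, and IP forwarding is enabled on the box.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: tr0 for the token ring
# uplink; br0 is the bridge named in the original message.
# Apply as root:  sysctl -w net.ipv4.ip_forward=1
#                 build_rules br0 tr0 | iptables-restore

# build_rules BRIDGE_IF UPLINK_IF: print a filter table in which the box
# itself is unreachable (INPUT DROP) and only bridge -> uplink is forwarded.
build_rules() {
    br="$1"; up="$2"
    [ -n "$br" ] && [ -n "$up" ] || {
        echo "usage: build_rules BRIDGE_IF UPLINK_IF" >&2; return 2; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $br -o $up -j ACCEPT
-A FORWARD -i $up -o $br -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# audit_input BRIDGE_IF: read iptables-save style rules on stdin and print
# every INPUT setting that would let clients behind BRIDGE_IF open a new
# connection to the box. Exit status 1 if anything was printed.
audit_input() {
    awk -v br="$1" '
        BEGIN { bad = 0 }
        /^:INPUT / && $2 != "DROP"  { print "policy not DROP: " $0; bad = 1 }
        /^-A INPUT / && /-j ACCEPT/ {
            if ($0 ~ /--ctstate ESTABLISHED,RELATED/) next  # replies only
            if ($0 ~ /-i lo( |$)/) next                     # loopback only
            # no -i at all matches every interface, the bridge included
            if ($0 !~ / -i / || $0 ~ (" -i " br "( |$)")) {
                print "reachable from " br ": " $0; bad = 1
            }
        }
        END { exit bad }
    '
}
```

The same INPUT policy on box (B) covers the second half of the requirement; on a live box, iptables-save | audit_input br0 checks the loaded ruleset.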