Felix, Check out iproute 2 which allows you to create and use different routing tables based on the source ip address, incoming interface, tos etc. Many distirbutions already have it, try: "man ip" to see if yours does, or get it from http://developer.osdl.org/dev/iproute2/ For example if: eth0 ip address: 192.168.0.1 eth0 subnet: 192.168.0.0/24 eth1 ip address: 192.168.1.1 eth1 subnet: 192.168.1.0/24 default gateway attached to eth0: 192.168.0.254 other gateway on eth1 subnet: 192.168.1.254 create an alternate routing table with iproute2 for traffic from 192.168.1.0/24 on eth1 ip route add 192.168.0.0/24 dev eth0 table 1 ip route add default via 192.168.1.254 dev eth1 table 1 tell the kernel to use the alternate routing table for packets with source address in 192.168.1.0/24 ip rule add from 192.168.1.0/24 table 1 priority 100 Then you can use iptables to prevent traffic from the network on eth1 going out eth0 iptables -A FORWARD -i eth1 -o eth0 -j DROP or if if the hosts on the eth1 network can talk to the hosts on the eth0 network but can't go passed the gateway for the eth0 network then you could do this iptables -A FORWARD -i eth1 -o eth0 -d ! 192.168.0.0/24 -j DROP Regards, J.T. Moore ----- Original Message ----- From: "Felix" <fmontes@xxxxxxxxx> To: <netfilter@xxxxxxxxxxxxxxxxxxx> Sent: Thursday, August 11, 2005 5:50 PM Subject: Forcing traffic out the same interface on a dual homed server(without using routes) ? Hi all, If i have 2 interfaces on a linux server, say eth0 and eth1, and a) default gateway is eth0 = production b) there is a complex network on eth1 = administration c) i can't have routing entries for the administration network (dont ask why, its an OSI layer 9 problem (the political layer)) Can iptables restrict traffic that came in through eth1/administration to only go out through eth1? I think what i'm trying to do is bypass the routing decision if somehow it was known on which interface the connection initiated. And even if iptables could manage to send the traffic out the same interface, would it just be dropped on the local subnet? how would it be sent to the default gateway on that subnet? Your enlightening comments will be appreciated. Regards, -Felix