> ^^^^^^^^^ this is a very bad example

It's an understandable example; so, it's enough.

> Why MAC and not IP addresses?

IP addresses are very easy to change. The idea is that only two concrete boxes with a concrete location can surf the web freely.

> Yes, but ORing the two, all clients should have gone to the local http
> service.
>
> The best thing, in this case, is to use chains:
>
> iptables -t nat -N twoboxen
> iptables -t nat -N others
>
> iptables -t nat -A PREROUTING --mac-source aaaaaaaaaa -j twoboxen
> iptables -t nat -A PREROUTING --mac-source bbbbbbbbbb -j twoboxen
> iptables -t nat -A PREROUTING -j others
>
> iptables -t nat -A twoboxen -j ACCEPT
> iptables -t nat -A others -p tcp --dport 80 -j REDIRECT

I think this is a "large" solution. Two iptables code lines should be enough. I've modified the lines:

iptables -t nat -A OUTPUT -p tcp -i eth1 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80
iptables -t nat -A PREROUTING -p tcp -i eth1 -m mac --mac-source ! xx:xx:xx:xx:xx:xx --dport 80 -j DNAT --to-destination 192.168.1.1:80

Of course, thank you for your help and comments Luciano. ;)
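
The chain layout quoted above, generalised to any number of allowed MAC addresses, as an added example that is not part of the original message. It only prints the commands; the interface `eth1` and the portal `192.168.1.1:80` come from the post, while the function names and sample MAC addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Prints iptables commands; runs nothing.

# Succeeds only for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# usage: gen_rules IFACE PORTAL_IP:PORT MAC [MAC...]
gen_rules() {
    [ "$#" -ge 3 ] || { echo "usage: gen_rules IFACE PORTAL MAC [MAC...]" >&2; return 2; }
    iface=$1 portal=$2
    shift 2
    # Validate everything first so a typo never yields a partial ruleset.
    for mac in "$@"; do
        valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    done
    echo "iptables -t nat -N twoboxen"
    echo "iptables -t nat -N others"
    # One jump per allowed MAC: the first match wins, so listing several
    # addresses here is an OR of "is allowed", not of "is not this box".
    for mac in "$@"; do
        echo "iptables -t nat -A PREROUTING -i $iface -m mac --mac-source $mac -j twoboxen"
    done
    # Everything that matched no allowed MAC falls through to "others".
    echo "iptables -t nat -A PREROUTING -i $iface -j others"
    echo "iptables -t nat -A twoboxen -j ACCEPT"
    echo "iptables -t nat -A others -p tcp --dport 80 -j DNAT --to-destination $portal"
}

# Constructed sample addresses (locally administered), not from the thread.
if [ "${1:-}" = "demo" ]; then
    gen_rules eth1 192.168.1.1:80 02:00:00:00:00:0a 02:00:00:00:00:0b
fi
```

The `mac` match only applies to packets arriving on an Ethernet interface in the PREROUTING, FORWARD or INPUT chains, so the generated rules sit in PREROUTING only. A client can change its MAC address as well as its IP address, so this gate identifies boxes by convention rather than authenticating them.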