I am having a couple of iptables issues with this type of setup myself. The RH manual says to insert a rule into the FORWARD chain like this:

    -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT

However, for the host, does this not mean that every packet is accepted? As far as I can discern from the documentation, when one sets up a physically bridged network on a kvm host then every packet arrives across the bridge interface and, insofar as the host is concerned, anything that it does not originate itself is forwarded.

I may be wrong on this, but the behaviour of my ssh filters since putting that command in the FORWARD chain indicates that something along those lines is occurring. The i/f eth0 seems to have no relevance to iptables rules for the host instance.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3