Does this work? adding DROP to iptables on the virtual host's iptables, before the phys bridge....will it prevent those ips from getting to the bridged part of iptables? Or would a different syntax be used? -A INPUT -s 66.77.65.128/26 -j DROP -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT