> Try rearranging the arguments to the following.
>
> /sbin/iptables -A CUSTOMOUTPUT -o $RED_DEV -s 172.21.6.0/24 -j DROP

That was the key, but the rules have no effect. The subnet can access anything on the net. I had to change from 172.21.6.0 to 172.21.2.0. I added the following:

/sbin/iptables -A CUSTOMOUTPUT -o eth1 -s 172.21.2.0/24 -d X.X.X.X -j ACCEPT
/sbin/iptables -A CUSTOMOUTPUT -o eth1 -s 172.21.2.0/24 -j DROP

iptables -L shows the following:

Chain CUSTOMOUTPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  172.21.2.0/24        x.x.x.x
DROP       all  --  172.21.2.0/24        anywhere