> it's not clear what you're trying to do.

Sorry Mike, but I think it's quite clear. That's why I made the comment to do it in JNOS, he is doing the decap/encap there.

> iptables -A FORWARD -i tun0 -s 44.x.x.x -j DROP

He simply wants to block out certain 44 subnets before they reach JNOS (i.e., on the Linux side).

Maiko