I came up with a nifty way to do this using VLANs, in my router, but my new router doesn't support VLANs, so I keep thinking I really ought to be able to do this with iptables, but nothing I try seems to work. Here's my old technique: http://home.comcast.net/~tomhorsley/game/isolate.html Now I need to figure out some way to make everything run on the host without any help from the router. Any ideas? Am I going to have to run a 2nd virtual machine just to serve as a "router" for the isolated machine and block all local lan traffic inside the 2nd VM (I'm pretty sure I could get that to work, but it seems like a lot bigger hammer than I ought to need :).