Preventing endless forwarding with two routers

Posted by jarmund on Server Fault
Published on 2012-10-12T16:34:28Z Indexed on 2012/10/12 21:39 UTC


The network in question looks basically like this:

                     /----Inet1
                    /
H1---[111.0/24]---GW1---[99.0/24]
                                 \----GW2-----Inet2

Device explanation

  • H1: Host with IP 192.168.111.47
  • GW1: Linux box with IPs 192.168.111.1 and 192.168.99.2, as well as its own route to the internet.
  • GW2: Generic wireless router with IP 192.168.99.1 and its own route to the internet.
  • Inet1 & Inet2: Two possible routes to the internet

In short: H1 has more than one possible route to the internet.

H1 is supposed to only access the internet via GW2 when that link is up, so GW1 has some policy-based routing just for H1:

ip rule add from 192.168.111.47 table 991
ip route add default via 192.168.99.1 table 991

While this works as long as GW2 has a direct link to the internet, the problem occurs when that link is down. What then happens is that GW2 forwards the packet back to GW1, which again forwards back to GW2, creating an endless loop of TCP-pingpong. The preferred result would be that the packet was just dropped.

Is there something that can be done with iptables on GW1 to prevent this? Basically, an iptables-friendly version of "If packet comes from GW2, but originated from H1, drop it"

  • Note1: It is preferable not to change anything on GW2.
  • Note2: H1 needs to be able to talk to both GW1 and GW2, and vice versa, but only GW2 should lead to the internet

TL;DR: H1 should only be allowed internet access via GW2, but still needs to be able to talk to both GW1 and GW2.

EDIT: The interfaces for GW1 are br0.105 for the '99' network, and br0.111 for the '111' network. The solution may or may not be obnoxiously simple, but I have not been able to produce the proper iptables syntax myself, so help would be most appreciated.


PS: This is a follow-up question from this question
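The rule the question is asking for, as an added example that is not part of the original post: a small loop guard for GW1. It assumes the addresses and interface names given in the question (H1 is 192.168.111.47, GW2 is reached through br0.105, H1's own network is behind br0.111); the script and function names are made up here. The match goes in the FORWARD chain, because the bounced packets are being forwarded by GW1 rather than delivered to it, and it keys on the input interface: a packet from 192.168.111.47 arriving on br0.105 can only be one that GW2 has handed back, whereas the same source address arriving on br0.111 is H1's normal traffic and must keep flowing.

```shell
#!/bin/sh
# Loop guard for GW1 (added example, not from the original question).
# Assumed from the question: H1 = 192.168.111.47, GW2 sits behind br0.105,
# H1's own network is behind br0.111. Traffic GW2 sends to H1 itself has
# source 192.168.99.1, and replies from the internet have an internet
# source, so neither is touched by a rule keyed on H1's address.

H1="${H1:-192.168.111.47}"      # host that must only reach the internet via GW2
GW2_IF="${GW2_IF:-br0.105}"     # GW1's interface towards GW2 (the '99' network)
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"         # DRY_RUN=1 prints the commands instead of running them

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# "If the packet comes in from GW2 but was originated by H1, drop it."
# -I puts the rule at the top of FORWARD so it wins over any broader ACCEPT.
install_loop_guard() {
    # -C reports success if an identical rule already exists; keep it idempotent.
    if [ "$DRY_RUN" != 1 ] && "$IPT" -C FORWARD -i "$GW2_IF" -s "$H1" -j DROP 2>/dev/null; then
        echo "loop guard already installed"
        return 0
    fi
    run "$IPT" -I FORWARD -i "$GW2_IF" -s "$H1" -j DROP
}

remove_loop_guard() {
    run "$IPT" -D FORWARD -i "$GW2_IF" -s "$H1" -j DROP
}

# Check it is working: with GW2's uplink down and H1 trying to reach the
# internet, the packet/byte counters on the DROP line should climb while
# the ping-pong on br0.105 stops.
show_loop_guard() {
    run "$IPT" -L FORWARD -v -n --line-numbers
}

# Allow: sh loop-guard.sh install_loop_guard | remove_loop_guard | show_loop_guard
if [ $# -gt 0 ]; then
    "$@"
fi
```

Run it once with DRY_RUN=1 to see the exact iptables line before touching the box. Two caveats: if GW1's FORWARD policy is already DROP with an explicit ACCEPT for br0.105, the -I is still needed so the guard sits above that ACCEPT; and strictly speaking the loop is not endless, since each bounce decrements the TTL and the packet dies after at most 64 round trips, but that is 64 copies of every packet crossing the '99' link, so dropping on the first bounce is the right fix. The same match can also be expressed purely in policy routing on GW1 with a blackhole table consulted before the existing rule, e.g. `ip route add blackhole default table 992` followed by `ip rule add from 192.168.111.47 iif br0.105 table 992 priority 990` (the priority must be a lower number than the `from 192.168.111.47 table 991` rule so it is evaluated first).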

© Server Fault or respective owner
