[CentOS] Not firewall, but what?

Tue May 11 00:40:49 UTC 2010
Gordon Messmer <yinyang at eburg.com>

On 05/10/2010 06:20 AM, Kahlil Hodgson wrote:
> This gives me a very clean and clear separation between inside my
> network and outside, and no one outside my network is going to see my
> RFC1918 address space.

I weep every time I see someone advocate NAT for security reasons.  It's 
ridiculous.

Routing policy is definitely required for a multi-homed system such as 
Jussi presented, but NAT is totally superfluous.  It adds an extra layer 
of complexity that makes the system more difficult to diagnose and 
configure, and contributes nothing of value in return.

John Pierce's advice was simple and correct.  If you don't want to set 
up ifup-post scripts of your own, you can use shorewall.  Shorewall is 
actually more complex, but you don't have to understand much about the 
"ip" tool to use it.

For shorewall, you'd need the following files:

	interfaces:
#ZONE	INTERFACE	BROADCAST	OPTIONS
# norfc1918: drop packets arriving from either ISP with an RFC 1918 source address
inet	eth0	-	norfc1918,nosmurfs,tcpflags
inet	eth1	-	norfc1918,nosmurfs,tcpflags
lan	virbr0	-	dhcp

	zones:
#ZONE	TYPE
fw	firewall
inet	ipv4
lan	ipv4

	policy:
#SOURCE	DEST	POLICY	LOG LEVEL
$FW	all	ACCEPT
# never forward between the two uplinks
inet	inet	DROP
all	inet	ACCEPT
all	all	REJECT	info

	providers:
#NAME	NUMBER	MARK	DUPLICATE	INTERFACE	GATEWAY	OPTIONS
isp0	1	1	main	eth0	62.236.221.78	track,balance
isp1	2	2	main	eth1	62.220.237.126	track,balance

	route_rules:
#SOURCE	DEST	PROVIDER	PRIORITY
# lo: traffic originating on the firewall itself
lo	-	isp0	11000
eth0	-	isp0	11000
eth1	-	isp1	11000
virbr0	-	isp1	11000
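As an added example, not code from the original post or from Shorewall: the same two-provider policy routing the shorewall files above describe, done directly with iproute2 and iptables, the way the ifup-post approach mentioned earlier in the thread would do it. The gateway addresses, table numbers and marks are taken from the post's providers file; the mark mask, the rule priorities, the mangle-chain rules and the multipath default route are my assumptions about how those Shorewall options are realised, not Shorewall's actual generated output.

```shell
#!/bin/sh
# Added example, not code from the original post or from Shorewall: the
# two-provider policy routing the shorewall files above describe, done with
# iproute2/iptables directly (the ifup-post route).  Gateways, table numbers
# and marks come from the post's providers file; the mark mask, rule
# priorities and mangle rules are assumptions about how those options are
# realised, not Shorewall's actual output.
set -eu

ISP0_IF=eth0; ISP0_GW=62.236.221.78;  ISP0_TABLE=1; ISP0_MARK=1
ISP1_IF=eth1; ISP1_GW=62.220.237.126; ISP1_TABLE=2; ISP1_MARK=2
LAN_IF=virbr0
MARK_MASK=0xff   # assumed: only the low byte of the fwmark is the provider mark

# run: print the command, then execute it unless DRY_RUN=1, so the whole plan
# can be reviewed (or tested) without root and without touching live tables.
run() {
    printf '%s\n' "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# provider IF GW TABLE MARK: a per-ISP routing table seeded from main
# (DUPLICATE=main) with its own default route, plus the "track" rule that
# keeps a marked connection on the ISP it started on.
provider() {
    ifc=$1; gw=$2; table=$3; mark=$4
    run ip route flush table "$table"
    if [ "${DRY_RUN:-0}" != 1 ]; then
        # copy main's non-default routes (LAN, both ISP subnets) so they still
        # resolve inside this table; skipped in dry-run, it needs the live table
        ip route show table main | grep -v '^default' | while read -r rt; do
            # shellcheck disable=SC2086
            run ip route add table "$table" $rt
        done
    fi
    run ip route replace default via "$gw" dev "$ifc" table "$table"
    run ip rule add fwmark "$mark/$MARK_MASK" table "$table" priority 10000
}

# route_rule SRC_IF TABLE: one line of the post's route_rules.  "iif lo"
# matches packets generated on the firewall itself; an iif rule also keeps
# the kernel's reverse-path check consistent, because the source lookup for
# a packet is done against the same incoming interface.
route_rule() {
    run ip rule add iif "$1" table "$2" priority 11000
}

# track: restore a known connection's mark on every packet; stamp a new
# connection with the mark of the ISP interface it arrived on and save it.
# Assumes the mangle PREROUTING/OUTPUT chains start empty.
track_marks() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark --mask "$MARK_MASK"
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark --mask "$MARK_MASK"
    for spec in "$ISP0_IF:$ISP0_MARK" "$ISP1_IF:$ISP1_MARK"; do
        ifc=${spec%:*}; mark=${spec#*:}
        run iptables -t mangle -A PREROUTING -i "$ifc" -m mark --mark "0/$MARK_MASK" \
            -j MARK --set-mark "$mark/$MARK_MASK"
    done
    run iptables -t mangle -A PREROUTING -m mark ! --mark "0/$MARK_MASK" \
        -j CONNMARK --save-mark --mask "$MARK_MASK"
}

# balance: weighted multipath default route in main.  Note that with the
# post's route_rules every local (lo) and LAN (virbr0) packet is already
# routed by a priority-11000 rule before main is consulted, so this only
# matters for traffic no iif rule catches.
balance_default() {
    run ip route replace default scope global \
        nexthop via "$ISP0_GW" dev "$ISP0_IF" weight 1 \
        nexthop via "$ISP1_GW" dev "$ISP1_IF" weight 1
}

apply_all() {
    provider "$ISP0_IF" "$ISP0_GW" "$ISP0_TABLE" "$ISP0_MARK"
    provider "$ISP1_IF" "$ISP1_GW" "$ISP1_TABLE" "$ISP1_MARK"
    route_rule lo         "$ISP0_TABLE"   # lo     - isp0
    route_rule "$ISP0_IF" "$ISP0_TABLE"   # eth0   - isp0
    route_rule "$ISP1_IF" "$ISP1_TABLE"   # eth1   - isp1
    route_rule "$LAN_IF"  "$ISP1_TABLE"   # virbr0 - isp1
    track_marks
    balance_default
    run ip route flush cache
}

# "show" prints the plan; "apply" runs it (needs root).
case "${1:-}" in
    apply) apply_all ;;
    show)  DRY_RUN=1; apply_all ;;
esac
```

Run it as `sh multi-isp.sh show` first and read the printed commands; the `inet inet DROP` policy and the interface options in the shorewall files are still needed on top of this, since the script only does routing and connection marking, not filtering.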