That's funny. We *just* went over this in a thread with the subject "not firewall, but what?". I even posted an example shorewall configuration that does what you're trying to do. You should either use shorewall, or if you're more familiar with Linux's "ip" command, set up the route-eth1 and route-eth2 and the rules-eth1 and rules-eth2 configuration files.