I think the firewall stuff can be done on the same machine -- no need
for another box at all. There are several ways to route the packets
from the windows system out a certain interface and you will need to
use iptables heavily along with the ip command to accomplish some of
this.
One way which comes to mind off the top of my head is that you can
use the mangle table of iptables and put a statement in the
PREROUTING chain to mark the packets with 1 and then have a rule in
the policy database to send all such packets out the interface
desired.
In addition the the ip tables unreliable guide from Rusty Russell and
the manpage, the ip command has an example in chapter 4 of its
documentation as to how to work with two interfaces, so this should
work fine.
You can tell samba to only listen on a certain interface, so that
problem should be easily solved.
Hope this helps.
--
John Covici
covici at ccs.covici.com
