Hi Grant,

Here's my 2¢: there is no need to patch the kernel. What you should do is PBR and a little ARP hacking.

Let's say your eth0 is 10.0.0.1/24. What I'd do is put eth1 and eth2 in different subnets:

    eth1 -> 10.0.1.1/24
    eth2 -> 10.0.2.1/24

Default routes:

    ip ro add default via 10.0.1.254 table 252                  # from eth1 to eth2
    ip ro add default via <gateway on eth3 side> table default  # from eth3 to outside

PBR rules:

    ip rule del prio 32766                   # we need to put rules between lookup to main and default
    ip rule add prio 100 lookup main         # rule 32766 becomes 100
    ip rule add prio 200 lookup 252 iif eth0 # alternative default route for local LAN

ARP override:

    arp -s 10.0.1.254 <ETH addr of eth2>

Disable antispoof on eth{1,2} (may not be needed if you do NAT):

    echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter

There is one thing to look after: the DHCP client will put its default route in table main(252) and you should move it from there to table default(253).

This setup should work with or without NAT.

One last thing: if you happen to SNAT packets from the local LAN (received by eth0) to 10.0.1.1 (address of eth1) then IIRC you *will* need to patch the kernel, as incoming packets with a source address that the Linux box considers as its own are dropped.

Hope this works (did not test this exact setup) and helps.

Best regards,
Michel
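Added example, not part of Michel's mail: a small Python model of the rule walk set up above (prio 100 main, prio 200 table 252 for iif eth0, prio 32767 default), showing why a DHCP-installed default route left in table main keeps LAN traffic from ever reaching table 252. The eth3 subnet and gateway 192.0.2.1 and the destination 198.51.100.7 are constructed placeholders, and the local table is left out.

```python
import ipaddress

# (priority, iif selector or None, table name), as built by the ip rule commands
RULES = [(100, None, "main"), (200, "eth0", "252"), (32767, None, "default")]

def tables(dhcp_default_in):
    """Routing tables; dhcp_default_in names the table holding the eth3 default."""
    t = {
        "main": [("10.0.0.0/24", "dev eth0"), ("10.0.1.0/24", "dev eth1"),
                 ("10.0.2.0/24", "dev eth2"),
                 ("192.0.2.0/24", "dev eth3")],   # constructed eth3 subnet
        "252": [("0.0.0.0/0", "10.0.1.254")],     # next hop pinned to eth2's MAC
        "default": [],
    }
    t[dhcp_default_in].append(("0.0.0.0/0", "192.0.2.1"))  # constructed gateway
    return t

def lookup(table, dst):
    """Longest-prefix match inside one table; None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), via) for net, via in table
            if addr in ipaddress.ip_network(net)]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def route(rules, tbls, dst, iif=None):
    """Walk rules by priority; the first table with a matching route wins."""
    for _prio, rule_iif, name in sorted(rules, key=lambda r: r[0]):
        if rule_iif is not None and rule_iif != iif:
            continue                      # selector does not match this packet
        via = lookup(tbls[name], dst)
        if via is not None:
            return name, via
    return None                           # no route: packet would be dropped

if __name__ == "__main__":
    dst = "198.51.100.7"                  # constructed outside destination
    # Default route left in main: the prio 100 rule answers first.
    print("dhcp route in main   :", route(RULES, tables("main"), dst, "eth0"))
    # Default route moved to table default: eth0 traffic falls through to 252.
    print("dhcp route in default:", route(RULES, tables("default"), dst, "eth0"))
    # The same packet arriving back on eth2 leaves via the eth3 gateway.
    print("returning on eth2    :", route(RULES, tables("default"), dst, "eth2"))
```
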