So, my original go-to guy for this sort of thing has, if I understand correctly, been stapled to his desk at work for the past 126 hours or so, and has taken to eating junior sysadmins to stay alive. So, I figured I'd open the question up to everybody, and whoever can set me up wins.

I've got two network connections: Speakeasy T1 line and Comcast cable. I've got a pile of servers, and an internal network.

All the servers have static external IPs on the T1 line (
The Comcast line connects to a single computer, using DHCP.
The internal network is mixed statics and DHCP (10.0/8).

I need to intersect all three of these things in a single machine. That machine is hylonome. Hylonome is the RADIUS and DHCP server for the internal network. It now has three network adapters. One is statically set for the internal network ( One is statically set for the T1 network ( One will, once we get this all sorted out, be dynamically set for the Comcast network.

Sadly, the last time I set up a Linux box for NAT, Clinton was in office. I think they've changed things a bit since then.

What I need is for somebody with modern Linux routing configuration experience to write me the config files I need to get hylonome to properly NAT for me:
* traffic from internal (10.0/8) to servers (216.etc) should go out the Speakeasy connection
* traffic from internal to anything NOT of the servers should go out the Comcast connection.
* nothing should pass between the external connections.
* it should be reasonably easy to open up forwarding ports on either of the external connections to internal hosts (BitTorrent, Slingbox, etc.)
* if it can be made to play nice with UPnP stuff on the internal net, that would be keen too.

edit: I neglected to mention: this is on Ubuntu Jaunty.

edit: Further details that may be useful:

At present everything is on the same physical layer. I'll be separating them soon, but moving the T1 router was required before that could happen. I'll be partitioning the switch into internal and external blocks as soon as I get the cables reorganized.

The T1 router has a built-in hub, and is .97 on the Speakeasy IP set. All external-IP'd devices list use as their gateway. But, for the NAT, I do not want anything routed from internal through it, except in the case of ports forwarded in from the Speakeasy IP.

At present, hladolet's external connection is plugged directly into the cable modem's output. hladolet's internal connection plugs into the big purple switch.

When I swap out hylonome (the one we're talking about configuring here) to replace hladolet, the Speakeasy connection will go into the purple switch with the externals, the internal connection will go to the internal set on the switch, and the Comcast connection will go directly to the cable modem.
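One way to express the requested setup (an added example, not from the post or any reply): a script that prints the iptables/iproute2 commands so they can be reviewed before being applied as root. Interface names (eth0/eth1/eth2), the 216.0.0.0/24 server block, hylonome's T1 address and the internal BitTorrent host are placeholders for the values the post leaves out; the one non-obvious piece is the extra routing table, which makes replies to connections that arrived on the Speakeasy IP leave via the T1 router instead of the Comcast default route.

```shell
#!/bin/sh
# Added example, not from the post: prints the iptables/iproute2 commands for
# hylonome's dual-uplink NAT so they can be reviewed, then applied with
#   sh nat.sh | sudo sh
# Interface names and addresses below are assumptions/placeholders.
INT_IF=eth0                 # internal network (10.0/8), static
T1_IF=eth1                  # Speakeasy T1, static external IP
CABLE_IF=eth2               # Comcast cable, DHCP (supplies the default route)
INT_NET=10.0.0.0/8
SERVER_NET=216.0.0.0/24     # placeholder for the "216.etc" server block
T1_IP=216.0.0.10            # placeholder: hylonome's own T1 address
T1_GW=216.0.0.97            # placeholder: the T1 router, ".97" on that block

nat_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Servers are on-link via the T1 (this route already exists once eth1 is
# configured statically); the Comcast default route takes everything else.
ip route replace $SERVER_NET dev $T1_IF src $T1_IP
# Replies to connections that came in on the T1 IP must go back out through
# the T1 router, not the default route: give that source its own table.
ip route replace default via $T1_GW dev $T1_IF table 100
ip rule del from $T1_IP lookup 100 2>/dev/null
ip rule add from $T1_IP lookup 100
iptables -F; iptables -t nat -F
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internal -> servers via the T1, internal -> everything else via cable
iptables -A FORWARD -i $INT_IF -o $T1_IF -d $SERVER_NET -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $CABLE_IF -j ACCEPT
iptables -t nat -A POSTROUTING -s $INT_NET -o $T1_IF -j SNAT --to-source $T1_IP
iptables -t nat -A POSTROUTING -s $INT_NET -o $CABLE_IF -j MASQUERADE
# Nothing crosses between the two external links
iptables -A FORWARD -i $T1_IF -o $CABLE_IF -j DROP
iptables -A FORWARD -i $CABLE_IF -o $T1_IF -j DROP
EOF
}

# Port forward: forward_port <external iface> <tcp port> <internal host>
forward_port() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $1 -p tcp --dport $2 -j DNAT --to-destination $3:$2
iptables -A FORWARD -i $1 -o $INT_IF -p tcp -d $3 --dport $2 -m state --state NEW -j ACCEPT
EOF
}

nat_rules
forward_port "$T1_IF" 6881 10.0.0.50   # placeholder: BitTorrent host on the internal net
```

Re-running the printed commands is safe because the rule set is flushed first and the `ip rule` is deleted before being re-added; UPnP (automatic port opening) is not covered here and would need a separate daemon on the internal interface.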
