By default, it routes traffic from eth0 out via eth2, unless eth2 is having problems, in which case it takes eth2 down and routes out eth1. No problems there.
But I can't seem to reach it on eth1 from outside the server LAN. That is, I can't ping or ssh to the machine from the outside world. I can ping and ssh from elsewhere on the server LAN. Rigel, for example, can talk to Vega just fine. But from, say, the office, or my phone, or South Africa, or Dysnomia... I can't see it. It may as well not exist, /except/ that I don't get the usual "host unreachable" or other such messages.
I'm pretty sure this is an iptables problem. I may be wrong, but it seems likely. It seems to be rejecting packets on eth1 that don't originate on the subnet. I don't know why that would be. I'm hoping one of you might know. Here's the output from iptables-save:
# Generated by iptables-save v1.4.12 on Mon Feb 11 06:58:54 2013
*nat
:PREROUTING ACCEPT [34360659:2645293691]
:INPUT ACCEPT [3294064:323367623]
:OUTPUT ACCEPT [1773515:140591135]
:POSTROUTING ACCEPT [97845:6628088]
-A PREROUTING -i eth2 -p tcp -m tcp --dport 45678 -j DNAT --to-destination 10.0.1.1:45678
-A POSTROUTING -s 10.0.0.0/8 -j MASQUERADE --random
COMMIT
# Completed on Mon Feb 11 06:58:54 2013
# Generated by iptables-save v1.4.12 on Mon Feb 11 06:58:54 2013
*filter
:INPUT ACCEPT [25525380:4738304270]
:FORWARD ACCEPT [3724177469:1533583536244]
:OUTPUT ACCEPT [25617730:6004742480]
-A INPUT -s 10.0.0.0/8 -i eth0 -p tcp -j ACCEPT
-A INPUT -d 188.8.131.52/32 -i eth1 -p tcp -j ACCEPT
-A INPUT -d 10.0.0.3/32 -i eth2 -p tcp -j ACCEPT
-A INPUT -d 10.0.0.3/32 -i eth2 -p tcp -m state --state NEW -m tcp --dport 45678 -j ACCEPT
COMMIT
# Completed on Mon Feb 11 06:58:54 2013
And route -n:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    10     0        0 eth2
0.0.0.0         184.108.40.206  0.0.0.0         UG    100    0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 eth2
220.127.116.11  0.0.0.0         255.255.255.240 U     0      0        0 eth1
(I suppose it's worth pointing out that the current cable modem assigns 10. addressing, which conveniently conflicts with my internal addressing. Fortunately, it's just the one address (10.0.0.1), and Vega can always talk to Oort over the server LAN instead.)
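One check worth running alongside the firewall rules is which interface a reply would leave by, since a request that comes in on eth1 is answered according to the routing table, not according to where it arrived. The script below is an added example, not part of the original post: it models the kernel's route choice (longest prefix, then lowest metric) over the quoted route -n lines and tests the one source-NAT rule from the quoted iptables-save (-A POSTROUTING -s 10.0.0.0/8 -j MASQUERADE). The eth1 and eth2 addresses are taken from the -d matches in the INPUT rules; eth0's own address does not appear in the post and is left unknown; 198.51.100.7 and the other remote addresses are constructed test inputs.

```python
import ipaddress

# Routing table as quoted in the post's `route -n` output (same column order as the tool prints).
ROUTE_N_OUTPUT = """\
0.0.0.0         10.0.0.1        0.0.0.0         UG    10     0        0 eth2
0.0.0.0         184.108.40.206  0.0.0.0         UG    100    0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 eth2
220.127.116.11  0.0.0.0         255.255.255.240 U     0      0        0 eth1
"""

# The only source-NAT rule in the post's nat table: -A POSTROUTING -s 10.0.0.0/8 -j MASQUERADE
MASQUERADE_SOURCE = ipaddress.IPv4Network("10.0.0.0/8")

# Per-interface local addresses taken from the -d matches of the INPUT rules in the post.
# eth0's address is not shown in the post, so it is deliberately absent (assumption: unknown).
LOCAL_ADDRESSES = {"eth1": "188.8.131.52", "eth2": "10.0.0.3"}


def parse_routes(text):
    """Turn `route -n` lines into records of (network, gateway, metric, iface)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # header or blank line
        dest, gateway, genmask, _flags, metric, _ref, _use, iface = fields
        network = ipaddress.IPv4Network((dest, genmask), strict=False)
        routes.append({
            "net": network,
            "gateway": None if gateway == "0.0.0.0" else gateway,  # None: directly connected
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes, destination):
    """Pick the route the kernel would use: longest prefix wins, then the lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["iface"], best["gateway"]


def reply_path(routes, in_iface, remote):
    """Describe how a reply to `remote`, whose request arrived on `in_iface`, would leave.

    Returns (egress iface, reply source address, symmetric?, masqueraded?). The reply keeps
    the address the request was sent to as its source unless a POSTROUTING rule rewrites it.
    """
    egress, _gateway = lookup(routes, remote)
    source = LOCAL_ADDRESSES.get(in_iface)
    masqueraded = source is not None and ipaddress.IPv4Address(source) in MASQUERADE_SOURCE
    return egress, source, egress == in_iface, masqueraded


ROUTES = parse_routes(ROUTE_N_OUTPUT)

if __name__ == "__main__":
    # 198.51.100.7 is a constructed off-LAN address (TEST-NET-2) standing in for "the office".
    for in_iface, remote in [("eth1", "198.51.100.7"), ("eth1", "220.127.116.5"), ("eth0", "10.0.1.5")]:
        print(in_iface, remote, reply_path(ROUTES, in_iface, remote))
```

For the constructed outside address the lookup selects the metric-10 default route, so the reply leaves eth2 carrying the eth1 address as its source, and the MASQUERADE rule does not rewrite it because that rule only matches 10.0.0.0/8. A host on eth1's own /28 gets a symmetric reply. Whether the next hop on eth2 will carry a packet with that source is not something the post shows, but a reply that leaves by a different interface than the request entered is the first thing to confirm when the filter table, as here, has an ACCEPT policy on INPUT; the usual fix is a per-interface routing table selected by source address rather than more firewall rules.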