Route packets between cable modem and another router
Thanks to Peter_Robb, I am well on the right path with iptables and Linux.
I'm now wondering if the following is possible:
I have in my left hand a cable modem, on my (small) lap a Linksys ethernet router and an embedded linux server, and in my right a linux workstation client. Ordinarily the cable modem connects to the router which the workstation plugs into, and the world is a happy place.
However I want to insert my linux server between the cable modem and the router for two reasons. First, I want to be able to access via the fixed IP assigned by the ISP from the public internet. If I put the server behind the Linksys router, configuration changes (port forwarding) will be required and this increases the complexity. Secondly, should something break in the linux server (highly unlikely) the user should be able to remove it and plug from the router back to the cable modem without any change in configuration. In short, I want to keep it elegant.
In the end, the server will pass packets from the cable modem side (eth0) to eth1 where they can then be handled by the router and on to the clients.
I also must (obviously) do a bunch of filtering and protecting of the server itself as it will sit exposed. I must design this filtering so that only the server itself will go through them. I otherwise want no filtering between the cable modem and the router.
In this case, what I have is "Double NAT".
(Fortunately in most cases, the embedded linux server I am working with will either connect directly to a cable modem (or adsl modem) on eth0 and then provide a dhcp host to a client machine (or a switch with more than one) on eth1. This configuration, again thanks to Peter, works perfectly.)
In conclusion, rather than replace the existing router (usually a Linksys) and therefore remove its firewalling and port forwarding, etc., I think it's better to keep it in the chain.
So here's what it will look like:
[Public Internet]
|
[Cable Modem]
|
[Embedded Linux server]
|
[Ethernet router (linksys)]
|
Various machines
Here's the sticking point:
The Cable Modem's ISP expects the client (in this case the linux server) to make a DHCP request for the ip address. The Linksys router is set up for this already, and I don't want to change anything on the Linksys router. This will allow a site to remove the Linux server and continue in operation should it fail, with no changes. Note that even though DHCP is used, the same IP is always returned, guaranteed.
One problem:
The ISP looks for the MAC address of the ethernet card to authenticate the connection. If the MAC address is not what is on file with the ISP, there will be no IP granted. Therefore the Linksys router spoofs the IP address (there's a setting for it).
Is there a recommended way to do this when DHCP configures the eth0 interface? I searched and can't find an example of this. Any ideas?
Another problem:
In the current setup (sitting between the cable modem and the client, sans Linksys router) the server does NAT MASQUERADE. Is it legal to keep this in place in the new Double NAT configuration?
Also, is there any practical problem with doing this double natting, other than the possible performance hit?
Thanks for reading and sorry for the very long post.
I'm really excited to see this coming together. It would NEVER be possible without Linux and this great community.
-m-
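Added example (not part of the original post, and not anyone's production configuration): a rule set for the layout described above, a Linux box with the cable modem on eth0 and the downstream router on eth1. It follows the post's goals: the server's own INPUT chain is locked down because it sits on the public side, forwarded traffic between the two interfaces is left unfiltered (FORWARD policy ACCEPT, no FORWARD rules) because the Linksys keeps its own firewall, and MASQUERADE on eth0 lets the router's WAN side share the single ISP address. The interface names, the eth1 subnet, the admin port and the placeholder MAC are assumptions; the rules are printed by build_rules so they can be reviewed before apply_rules runs them as root.

```shell
#!/bin/sh
# Constructed example for a Linux box between a cable modem (WAN) and a
# downstream router (LAN). Names and values below are assumptions.
WAN=eth0
LAN=eth1
LAN_NET=192.168.2.0/24                 # assumed subnet the server serves on eth1
ADMIN_PORT=22                          # assumed admin port, reachable from the LAN side only
ISP_REGISTERED_MAC="00:00:00:00:00:00" # placeholder: the address the ISP has on file for the account

# Print the firewall rule set, one command per line, so it can be reviewed
# (or diffed against a saved copy) before anything is applied.
build_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport $ADMIN_PORT -j ACCEPT
iptables -A INPUT -i $WAN -p icmp --icmp-type echo-request -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}
# Rule by rule: DHCP replies from the ISP (server port 67 to client port 68) and
# DHCP requests from the LAN side are accepted; SSH only from the LAN subnet;
# ping answered on the WAN side; everything else aimed at the server is dropped.
# Because MASQUERADE creates no inbound mappings, unsolicited packets from the
# modem side hit the server's INPUT chain and never reach the router, so the
# empty FORWARD chain only ever carries LAN-originated flows and their replies.

# Print the commands that clone the ISP-registered MAC onto the WAN interface
# before the DHCP client runs; the interface must be down to change its address.
wan_mac_commands() {
    cat <<EOF
ip link set dev $WAN down
ip link set dev $WAN address $ISP_REGISTERED_MAC
ip link set dev $WAN up
dhclient $WAN
EOF
}

# Turn the printed commands into a running configuration. Refuses to run
# unless root, and leaves forwarding enabled only after the rules are loaded.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    build_rules | sh -e || return 1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# Only apply when explicitly asked, so sourcing the file for review is harmless.
if [ "${APPLY_RULES:-0}" = 1 ]; then
    wan_mac_commands | sh -e && apply_rules
fi
```

Run as `APPLY_RULES=1 sh rules.sh` as root, or just `sh rules.sh` followed by a call to build_rules to see the rule set. The ISP_REGISTERED_MAC placeholder is the same address the Linksys's clone-MAC setting holds; with it in place on the server, the cable modem side sees no difference when the server is inserted or removed.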