Da ya probowal takoe sdelat, u menya wrode poluchilos
Ya ispolzowal GeoIP, wse eto delalos na Debian 4.0r1
dumayu komantarii izlishni. Tut ispozowano prozrachniy nat na Squid(na toy ze mashine)
eth0 - local
eth1, eth2 - internet ISP (raznie)
esli chto pishite na vardan(at)eif(dot)am

bridgenet:/etc/iptables# cat 2ISProuting.sh
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#Задание правил маршрутизации IP по источнику для DSL
ip rule add from 192.168.1.40 lookup 200
ip route add 10.0.0.0/24 via 10.0.0.1 table 200
ip route add 0/0 via 192.168.1.1 table 200
#Задание правил маршрутизации IP по источнику для кабельного модема
ip rule add from 192.168.2.242 lookup 201
ip route add 10.0.0.0/24 via 10.0.0.1 table 201
ip route add 0/0 via 192.168.2.241 table 201
# Prawila dlya routa armyanskix setey
ip rule add fwmark 2 table armout
ip route add default via 192.168.2.241 dev eth2 table armout
# Prawila dlya routa russkix setey
ip rule add fwmark 3 table ruout
ip route add default via 192.168.2.241 dev eth2 table ruout
ip ro add default equalize nexthop via 192.168.1.1 dev eth1 weight 1 nexthop via 192.168.2.241 dev eth2 weight 1
ip ro flush cache
================================================================================

bridgenet:/etc/network# cat interfaces

auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 10.0.0.1
        netmask 255.255.255.0
        pre-up echo "Eth0 pre-up"
        pre-up iptables-restore < /etc/iptables.up.rules
        post-up echo "Eth0 post-up"

auto eth1
iface eth1 inet static
        address 192.168.1.40
        netmask 255.255.255.0
         post-up echo "Eth1 UP"
         post-down echo "Down Eth1"

auto eth2
iface eth2 inet static
        address 192.168.2.242
        netmask 255.255.255.252
        post-up echo "Eth2 UP"
        post-up /etc/iptables/2ISProuting.sh
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
==========================================================================
bridgenet:/etc# cat iptables.up.rules
# Generated by iptables-save v1.3.6 on Tue Aug 21 14:24:36 2007
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#-A POSTROUTING -m comment -m geoip -s 10.0.0.0/24 -o eth2 -j SNAT --to-source 192.168.2.242 --comment "GeoIP Armenia" --dst-cc AM
-A PREROUTING -p tcp -m comment -m tcp -i eth0 --dport 80 -j REDIRECT --comment "Prozrachniy rezim redir 80 to 3128"  --to-port 3128
-A POSTROUTING -m comment -m state -s 10.0.0.0/255.255.255.0 --state NEW,RELATED,ESTABLISHED -j MASQUERADE --comment "All another"
COMMIT
# Completed on Tue Aug 21 14:24:36 2007
# Generated by iptables-save v1.3.6 on Tue Aug 21 14:24:36 2007
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -s 10.0.0.0/255.255.255.0 -d 10.0.0.1 --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp -d 10.0.0.1 --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport -d 10.0.0.1 --dports 80,8080,3128
-A INPUT -m state -s 10.0.0.0/255.255.255.0 --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

COMMIT
# Completed on Tue Aug 21 14:24:36 2007
# Generated by iptables-save v1.3.6 on Tue Aug 21 14:24:36 2007
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# -A POSTROUTING -p tcp -m comment -m tcp -m geoip -s 10.0.0.0/24 -j MARK --comment "GeoIP Armenia"  --set-mark 2 --dst-cc AM -A POSTROUTING -p tcp -m comment -m tcp -m geoip -j MARK --comment "GeoIP Armenia" --set-mark 2 --dst-cc AM
-A PREROUTING -p tcp -m comment -m tcp -m geoip -j MARK --comment "GeoIP AM set-mark 2 dst-cc AM" --set-mark 2 --dst-cc AM
-A POSTROUTING -p tcp -m comment -m tcp -m geoip -j MARK --comment "GeoIP RU set-mark 3 dst-cc RU" --set-mark 3 --dst-cc RU
COMMIT
# Completed on Tue Aug 21 14:24:36 2007
================================================================================