SuSEFirewall2 - How to change source IP?

I have the following setup:

openSUSE 10.3 is a firewall with multiple public IPs on one external interface…

In the protected zone is a server with multiple LAN IPs, bound to different instances of Lotus Domino servers (irrelevant), and incoming connections are routed according to the destination IP of the incoming packet to different LAN IPs… (FW_FORWARD_MASQ set with the “destination ip” parameter).

I would like to get something like SNAT instead of MASQUERADING for packets that are traveling from internal servers to the Internet.

I think that this can be done with some kind of SNAT or Mangle in /etc/sysconfig/scripts/SuSEfirewall2-custom, but some help would be great…


Just an IMO.

I don’t know that configuring any special NAT/Masquerading at your firewall is likely an appropriate approach, particularly if you’re serving resources (Servers) and not requesting (Clients).

Each of your Servers likely will want to enable their own specific secure communications, providing end to end security (Server to Client) no matter what is in between. If that is your architecture, then your objective for anything in between should be to be as transparent as possible.

There can be objectives that go beyond simple “end to end” security; you may want to offload the processing required to enable secure connections (e.g. use of Proxy Servers). That would be a special case, possibly for a different discussion.


Sorry guys for posting a very old thread…
Clicked on the wrong Forums icon sending me to the oldest threads… still, if it’s helpful to anyone…