Something that no one ever mentions as a response to this kind of question is the "ipmasq" package. The default kernel comes with support for masquerading and ipchains, but disabled. By turning those features on through the /proc file system, you'll be able to do what you want to do without a kernel recompile. The kernel will be bloated with features you don't need but it'll work.
The ipmasq package automatically works for ppp configurations, though I've never tried it with a setup with only ethernet NICs. My assumption would be that it will think eth0 is your private network, and eth1 is a public network. It automatically sets up rules to prevent attacks like outsiders claiming to be on your private network and other spoofing scenarios, and is designed to go up and down with your network connection, which is ideal for people with dynamically assigned IP addresses. Modem, cable modem, ISDN and DSL users come to mind. It's kind of hard to figure out from looking at the scripts under /etc/ipmasq/rules, but with enough looking, you can take advantage of the varibles to create ipchains that work with changing IPs. I've done it at home, and am pretty happy with the results. The same setup works for both my dsl and modem connections (just in case dsl dies and I need to use the analog modem). Is there a reason people shy away from this, besides the lack of good documentation?
