Routing based on conntrack NEW interface

Larry Young lyoung@zedak.com
Wed, 10 Oct 2001 12:18:52 -0400


Sirs,

I have a multi-homed router/firewall running Redhat 7.1.
For interior services I am making available to the exterior
via DNAT forwarding, I would like to route reply packets
outbound to a gateway corresponding to the interface on which
the connection originally came in.

I was hoping I could do this via the marking facility, but
it seems to me from the docs that the mark is not stored
for the connection and applies only to the current packet.

The reason I need to do this is that my firewall has connections
to multiple exterior networks, each over a separate ethernet
interface. One of the connections is provided by an ISP and
is externally NATed by the ISP. For the NATed connection, 
I have to make sure that I route my replies back through 
the same ISP so that the NAT will be reversed on the way out.

I can't simply route by the source address, since the source can 
be any public internet address and such addresses can come in
from other interfaces as well (which are not NATed).

The reason for this bit of insanity is that I have limited IP
addresses on my main connection, and I am using additional IP
addresses from a second ISP that can only provide NATed 
private network addresses, not public addresses.

I have been solving the problem by attaching a separate gateway
computer to the NATing ISP, and using a proxy (redir-2.2) in
between. I would prefer not to do that, since it hides the 
source addresses from the interior servers.

Is there a way to do this? It seems like policy-based routing
is exactly what I want, but I need to be able to apply a policy
based on the connection tracking.


Thanks,

Larry Young
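The setup the post asks for, as an added example that is not part of the original message: a mark set on the first packet of a connection is saved into the conntrack entry with the CONNMARK target (not available in a stock 2.4 kernel of 2001, but standard in today's kernels and iptables), restored onto every later packet of that connection in mangle PREROUTING, which runs after conntrack and before the routing decision, and matched by an `ip rule` that selects a routing table whose default route points at the NATing ISP's gateway. The interface name eth1, the gateway 10.0.0.1, the interior server 192.168.1.10, the mark value 2 and the table number 200 are assumptions for illustration. Without `--apply` the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the original post. Routes replies to connections
# that arrived on the NATing ISP's link back out through that ISP's gateway,
# by storing the ingress interface's mark in the conntrack entry (CONNMARK).
set -e

EXT_IF=eth1            # link to the NATing ISP (assumed name)
EXT_GW=10.0.0.1        # that ISP's private-side gateway (assumed)
SERVER=192.168.1.10    # interior server published via DNAT (assumed)
MARK=2                 # fwmark/connmark value for this ISP (assumed)
TABLE=200              # numeric routing table, needs no rt_tables entry

# Without --apply, print the commands instead of running them (running needs root).
case "${1:-}" in --apply) DRY_RUN=0 ;; *) DRY_RUN=1 ;; esac

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_sysctl() {
    run sysctl -w net.ipv4.ip_forward=1
    # Strict reverse-path filtering would drop packets from public source
    # addresses arriving on the ISP link, because the best route back to
    # those addresses is the main (default-route) interface.
    run sysctl -w net.ipv4.conf."$EXT_IF".rp_filter=0
}

setup_isp_route() {
    # Table TABLE sends everything to the NATing ISP; marked packets use it.
    run ip route replace default via "$EXT_GW" dev "$EXT_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
}

setup_connmark() {
    # 1. First packet of a connection entering on the ISP link: set the packet
    #    mark and copy it into the conntrack entry.
    run iptables -t mangle -A PREROUTING -i "$EXT_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    # 2. Every later packet of a marked connection, including the interior
    #    server's replies entering from the LAN side, gets the mark restored
    #    before the routing decision, so the fwmark rule picks table TABLE.
    #    (The reply's source is still the private server address here; the
    #    reverse DNAT is applied later, in POSTROUTING.)
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
    # 3. Same for replies the firewall itself generates (locally delivered
    #    connections), which pass mangle OUTPUT rather than PREROUTING.
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
}

setup_dnat() {
    # Publish the interior web server on the ISP link (assumed port 80).
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER":80
    run iptables -A FORWARD -i "$EXT_IF" -d "$SERVER" -p tcp --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

main() {
    setup_sysctl
    setup_isp_route
    setup_connmark
    setup_dnat
}

main
```

After applying, `conntrack -L | grep 'mark=2'` should show the entries for connections that came in over the ISP link, and `ip route get` with `mark 2` (for example `ip route get 198.51.100.1 mark 2`) should resolve through the ISP gateway rather than the default route.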