Normally getting intranet hosts to reach the internet is not that difficult.
It only requires (basically) two steps:
masquerading traffic going out of the internet interface:
Code:
iptables -t nat -A POSTROUTING -o internetinterface -j MASQUERADE
and enabling forwarding:
Code:
sysctl -w net.ipv4.ip_forward=1
That will allow traffic to go through the server from the intranet to the internet (as long as routing is correctly set up in your intranet).
Then comes the mess of filtering. Traffic coming in on one network interface and going out of the host on another has to traverse the FORWARD chain of the filter table.
For a server that is going to be connected to the internet I'd recommend setting a DROP policy for INPUT and FORWARD and then start adding rules to allow traffic on those chains. A very clear example is to allow traffic moving over the loopback interface:
Code:
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
Then start adding whatever rules you need to suit your needs.
I normally set up all this netfilter crap in a single script (starting by setting the policies, flushing all the rules and creating everything from scratch) and call it from rc.local so that it's set up when the host boots up... and if I need to add/edit/remove something I edit the script and call it again.
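An added example of such a script (written for this page, not code from the original post): it flushes, sets DROP policies on INPUT and FORWARD, allows loopback, forwards only intranet-to-internet traffic and its replies, and masquerades behind the internet interface. The interface names eth0/eth1 and the 192.168.1.0/24 intranet are assumed placeholders; setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: a from-scratch netfilter script meant to be called from rc.local
# as "/etc/firewall.sh apply". Interface names and the intranet prefix are
# constructed placeholders; adjust them to your host.
WAN="${WAN:-eth0}"                     # internet-facing interface (assumed)
LAN="${LAN:-eth1}"                     # intranet-facing interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # intranet prefix (assumed)
IPT="${IPT:-iptables}"                 # set IPT=echo for a dry run

apply_firewall() {
    # Start from scratch: flush both tables, default INPUT/FORWARD to DROP.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # INPUT: loopback, replies to the server's own connections, SSH from the LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT

    # FORWARD: intranet -> internet and the return traffic, nothing else.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # NAT everything leaving through the internet interface.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    apply) enable_forwarding; apply_firewall ;;
    show)  IPT=echo; apply_firewall ;;   # print the rule set without loading it
esac
```

Running the script with "show" lists the exact iptables invocations it would load, which is handy for reviewing a change before applying it.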
Hope that helps.