I have a different perspective than xnomad; I like to know what is actually happening in the iptables ruleset, and I find shorewall to be an irritant. Therefore, I recommend the following amendment to your NAT rule:
Code:
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.31.0/255.255.255.0 -j SNAT --to-source {your eth0 address}
This rule will accomplish the NAT only for your private network address block, and will forward stuff from eth2 (which has IP addresses outside the specified block) unmolested.
Parenthetically, the MASQUERADE target is really only intended for use on Internet connection links that are subject to changeable IP addresses (like dial-up lines). The distinction between MASQUERADE and SNAT is that connections are remembered when a link goes down under SNAT, but are forgotten under MASQUERADE. So if you have a DHCP link that goes down a lot, use MASQUERADE; if the IP of eth0 is constant, use SNAT.
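The choice described in the post above, written out as an added example that is not part of the original post: a small shell helper that prints (it does not apply) the source-restricted NAT rule, picking SNAT or MASQUERADE. The function name `nat_rule`, its `static`/`dynamic` modes and the address 203.0.113.10 are assumptions made for illustration; the interface and address block are the ones from the post.

```shell
#!/bin/sh
# Added example: prints the rule only, so it can be reviewed before use.
# 203.0.113.10 is a constructed documentation address, not a real host.

# nat_rule OUT_IF PRIVATE_BLOCK MODE [PUBLIC_IP]   (hypothetical helper)
#   MODE=static  -> SNAT to PUBLIC_IP (address of OUT_IF is constant)
#   MODE=dynamic -> MASQUERADE (address of OUT_IF can change, e.g. DHCP)
nat_rule() {
    out_if=$1
    block=$2
    mode=$3
    public_ip=${4:-}
    if [ -z "$out_if" ] || [ -z "$block" ]; then
        echo "usage: nat_rule OUT_IF PRIVATE_BLOCK static|dynamic [PUBLIC_IP]" >&2
        return 2
    fi
    case $mode in
        static)
            # SNAT needs the fixed address to rewrite to.
            if [ -z "$public_ip" ]; then
                echo "static mode needs the fixed address of $out_if" >&2
                return 2
            fi
            target="SNAT --to-source $public_ip"
            ;;
        dynamic)
            target="MASQUERADE"
            ;;
        *)
            echo "mode must be static or dynamic" >&2
            return 2
            ;;
    esac
    # -s limits translation to the private block; packets from any other
    # source leaving $out_if match no rule here and go out untranslated.
    echo "iptables -t nat -A POSTROUTING -o $out_if -s $block -j $target"
}

# Constant address on eth0: SNAT.
nat_rule eth0 172.16.31.0/255.255.255.0 static 203.0.113.10
# Changeable address on eth0: MASQUERADE.
nat_rule eth0 172.16.31.0/255.255.255.0 dynamic
```

After applying a printed rule, `iptables -t nat -S POSTROUTING` lists what is actually loaded, which confirms the `-s` restriction is in place.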