Even though you didn't ask for it, another thought in passing: provided
you get this going by whatever means, and depending on how many internal
machines you have, you could do MAC address matching in iptables to make
sure only your nominated machines can get to your proper internal
addresses. In other words, treat your internal network as hostile, not
just your external network. I'm of the opinion it's good practice to do
that anyway, with the growing incidence of staff doing crazy things like
installing unprotected WiFi access points on internal networks. Don't
just SNAT all internal machines out to the net, block everything in both
directions at your firewall and only allow data in *or* *out* that you
specify.
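A concrete shape for the ruleset described above, added here as an example and not the poster's own configuration: it generates (rather than applies) an iptables-restore file with DROP policies in every direction and a FORWARD allow rule only for nominated MAC/IP pairs. The interface names, the "MAC IP" allow-list format and the sample hosts are all assumptions.

```shell
#!/bin/sh
# Assumed interface names; override via environment (e.g. LAN_IF=br0).
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"

# gen_rules: read "MAC IP" pairs on stdin (blank lines and '#' comments
# ignored) and print a complete iptables-restore ruleset on stdout.
gen_rules() {
    echo '*nat'
    echo ':POSTROUTING ACCEPT [0:0]'
    # SNAT only what the filter table has already let through.
    echo "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo 'COMMIT'
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One rule per nominated machine. The mac match only sees the source
    # MAC of packets *arriving* on an interface, so it belongs on the
    # LAN-to-WAN direction; pairing it with -s catches a known MAC using
    # an address it was not given (MACs can be forged, so this is a
    # hygiene control, not authentication).
    while read -r mac ip; do
        case "$mac" in ''|'#'*) continue ;; esac
        echo "-A FORWARD -i $LAN_IF -o $WAN_IF -m mac --mac-source $mac -s $ip -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else is logged (rate-limited) and falls to the DROP policy.
    echo '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "'
    echo 'COMMIT'
}

# sample_rules: constructed allow-list of two machines, fed to gen_rules.
sample_rules() {
    printf '%s\n' \
        '# workstation and print server (constructed sample values)' \
        '00:11:22:33:44:55 192.168.1.10' \
        '' \
        '00:11:22:33:44:66 192.168.1.11' | gen_rules
}

sample_rules
```

Load the output with `iptables-restore < rules.v4` once reviewed; the log prefix gives you a grep key for seeing which unlisted devices are trying to reach the outside.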