I've managed to do this on my ebox by editing /usr/share/perl5/EBox/Firewall/IptablesRedirectRule.pm.
Below is my modified version of the sub. I wasn't sure where I could get the public IP from, so I hardcoded it in. Basically, I added the POSTROUTING rule and I also removed the interface flag from the other lines, as that was limiting everything to the external interface. Hopefully this can be useful for someone who can implement this properly.

sub strings
{
    my ($self) = @_;
    my @rules;
    my $state = $self->state();
    my $modulesConf = $self->modulesConf();
    my $iface = $self->interface();
    # Iptables needs to use the real interface
    # ($iface is no longer referenced by the rules built below)
    $iface =~ s/:.*$//;
    foreach my $src (@{$self->{'source'}}) {
        foreach my $origDst (@{$self->{'destination'}}) {
            my ($dst, $toDst, $addr) = @{$self->{'destinationNAT'}};
            foreach my $service (@{$self->{'service'}}) {
                my ($natSvc, $filterSvc) = @{$service};
                # DNAT the original destination to the redirect target;
                # no interface match, so it applies on every interface
                my $natRule = "-t nat -A PREROUTING $modulesConf " .
                    " $src $natSvc $origDst -j DNAT $toDst";
                # Allow the redirected traffic through the fredirects chain
                my $filterRule = "-A fredirects $state $modulesConf " .
                    " $src $filterSvc $dst -j ACCEPT";
                # Added rule: masquerade traffic from the hardcoded
                # 192.168.0.0/16 range on its way to the redirect target
                my $postRule = "-t nat -A POSTROUTING " .
                    " -s 192.168.0.0/16 $filterSvc $dst -j MASQUERADE";
                push (@rules, $natRule, $filterRule, $postRule);
            }
        }
    }
    return \@rules;
}
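
An added example, not part of the original post or of eBox: a small Python check over iptables argument strings of the shape this sub returns, reporting how far each redirect rule reaches once the interface match is gone and the source range is hardcoded. The sample rules, the LAN 192.168.1.0/24, the interface eth1 and the names `parse` and `audit` are constructed for illustration.

```python
import ipaddress
import shlex

def parse(rule):
    """Split an iptables argument string into (table, chain, target, options)."""
    tok, opts, i = shlex.split(rule), {}, 0
    while i < len(tok):
        if tok[i].startswith("-") and i + 1 < len(tok) and not tok[i + 1].startswith("-"):
            opts[tok[i]] = tok[i + 1]   # option with a value, e.g. -s 10.0.0.0/8
            i += 2
        else:
            opts[tok[i]] = True         # bare flag or stray token
            i += 1
    return opts.get("-t", "filter"), opts.get("-A"), opts.get("-j"), opts

def audit(rules, lan):
    """Return (rule index, finding) pairs for nat rules wider than the given LAN."""
    lan = ipaddress.ip_network(lan)
    findings = []
    for n, rule in enumerate(rules):
        table, chain, target, o = parse(rule)
        if table != "nat":
            continue
        if chain == "PREROUTING" and target == "DNAT" and "-i" not in o:
            findings.append((n, "DNAT applies to packets arriving on every interface"))
        if chain == "POSTROUTING" and target == "MASQUERADE":
            if "-o" not in o:
                findings.append((n, "MASQUERADE is not limited to an outgoing interface"))
            if "-s" not in o:
                findings.append((n, "MASQUERADE has no source restriction"))
            else:
                src = ipaddress.ip_network(o["-s"], strict=False)
                if src != lan and lan.subnet_of(src):
                    findings.append((n, f"source {src} is wider than the LAN {lan}"))
    return findings

# Constructed sample rules: the first three mirror the sub's output, the last
# is the same masquerade rule scoped to the LAN subnet and LAN-side interface.
RULES = [
    "-t nat -A PREROUTING -p tcp --dport 8080 -d 203.0.113.10 -j DNAT --to-destination 192.168.1.20:80",
    "-A fredirects -m state --state NEW -p tcp --dport 80 -d 192.168.1.20 -j ACCEPT",
    "-t nat -A POSTROUTING -s 192.168.0.0/16 -p tcp --dport 80 -d 192.168.1.20 -j MASQUERADE",
    "-t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -p tcp --dport 80 -d 192.168.1.20 -j MASQUERADE",
]

if __name__ == "__main__":
    for index, finding in audit(RULES, "192.168.1.0/24"):
        print(f"rule {index}: {finding}")
```

Because the masquerade rule rewrites the source address, the redirect target sees those connections as coming from the gateway, so per-client logging on that host has to account for it.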