Can a server with no public IP interface be a NAT?
Surely you can do another NAT in addition to what your provider does.
ufw is just a netfilter script generator. If it isn't able to do its work, throw it away, it only obscures things.
To do NAT, you only need a single rule in the firewall:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
That's it. This system will now masquerade (NAT) traffic for any other system, even if the traffic subjected to translation comes from eth0. You will need to specify its IP address as a gateway on all other systems.
If you go this route, you also need to manually enable ip forwarding (net.ipv4.ip_forward=1 in /etc/sysctl.conf), disable redirects on all systems (see ..._redirects in /etc/sysctl.conf) and enable rules saving/autoloading (with the netfilter-persistent and iptables-persistent packages).
Also, beware of security! If this network also holds machines not under your control, you must filter them in the filter table, FORWARD chain (just permit forward for your machines and disable it for everything else with the policy). Also you can control (filter) access to this NATing machine in the INPUT chain.
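As an added example (not part of the answer above), a POSIX shell script that turns the pieces described in the answer into an iptables-restore ruleset plus a sysctl fragment: the MASQUERADE rule, a FORWARD policy of DROP with explicit permits for your own machines, and the forwarding/redirect kernel settings. The upstream interface name and the allowed host addresses are assumed script arguments, and the two redirect keys are my assumption for the elided ..._redirects settings.

```shell
#!/bin/sh
# Added example, not from the answer: build an iptables-restore ruleset for a
# NAT box that has only a LAN-side address. Assumptions: first argument is the
# upstream interface (eth0 in the answer), the remaining arguments are the
# inner hosts allowed to use this box as a gateway.
# Apply with:  gen_nat_rules eth0 192.0.2.10 192.0.2.11 | iptables-restore
# (192.0.2.0/24 is documentation space; constructed sample addresses.)

gen_nat_rules() {
    wan="$1"; shift
    # nat table: the single MASQUERADE rule from the answer
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "-A POSTROUTING -o $wan -j MASQUERADE" 'COMMIT'
    # filter table: FORWARD policy DROP, so machines not under your control on
    # the same segment cannot route through this box; only the listed hosts
    # (plus return traffic of their established connections) are forwarded.
    # INPUT is left at ACCEPT here; tighten it the same way if needed.
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for host in "$@"; do
        printf '%s\n' "-A FORWARD -s $host -o $wan -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Kernel settings the answer calls for (put in /etc/sysctl.conf or a file under
# /etc/sysctl.d/). Assumed: the *_redirects keys the answer alludes to are the
# ICMP redirect send/accept toggles under net.ipv4.conf.all.
gen_sysctl() {
    printf '%s\n' 'net.ipv4.ip_forward=1' \
        'net.ipv4.conf.all.send_redirects=0' \
        'net.ipv4.conf.all.accept_redirects=0'
}

if [ $# -gt 0 ]; then
    gen_nat_rules "$@"
fi
```

Review the generated text before piping it into iptables-restore, and remember the persistence packages the answer mentions still have to save it across reboots.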