Is it necessary to do IP MASQUERADE in this case?
I work in a medical clinic; our institution is connected to the telematic network of the Ministry of Public Health of my country. All internet browsing is done through a proxy server, and in our clinic I have installed a non-transparent child proxy with the aim of limiting access to harmful content or other content not in accordance with the internet access policy established by the telematic network. I have implemented our firewall with iptables, and so far I have only needed to open certain ports to access services external to my institution but within the network of the Ministry of Public Health. My question is whether, in my iptables configuration, in addition to forwarding to the external ports, I must also enable IP MASQUERADE. In short, the modem has a private address as its WAN IP within the large network of the Ministry, and my local network also uses private IPs.
Solution 1:
You don't need to NAT from private IP to private IP; you can just do routing and filtering.
However, if the ministry doesn't need to access your network (only the clinic accesses the ministry) AND you have routing issues, you could enable SNAT via masquerade to solve this quickly, without the need for the ministry to add a route to your network.
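The two options from the answer side by side, as an added example that is not part of the original answer. The interface names, LAN subnet and port list are assumptions, and `run` is a hypothetical dry-run helper; by default the script only prints the commands it would execute.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names, subnet and
# ports are assumptions; replace them with the clinic's real values.
LAN_IF="${LAN_IF:-eth1}"               # assumed: clinic LAN side
WAN_IF="${WAN_IF:-eth0}"               # assumed: modem / ministry side
LAN_NET="${LAN_NET:-192.168.10.0/24}"  # assumed clinic subnet
TCP_PORTS="${TCP_PORTS:-443,3128}"     # assumed ministry service ports
DRY_RUN="${DRY_RUN:-1}"                # 1 = only print the commands

# Print the command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# apply_fw routed : routing + filtering only; the ministry must have a
#                   route back to LAN_NET for replies to arrive.
# apply_fw masq   : same filter rules plus SNAT via MASQUERADE, so the
#                   ministry only ever sees the firewall's WAN address.
apply_fw() {
    case "$1" in
        routed|masq) ;;
        *) echo "usage: apply_fw routed|masq" >&2; return 2 ;;
    esac
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only new connections from the LAN towards the allowed ports go out;
    # nothing initiated from the ministry side is forwarded in.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp -m multiport --dports "$TCP_PORTS" \
        -m conntrack --ctstate NEW -j ACCEPT
    if [ "$1" = masq ]; then
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
}

# Run one variant when the script is called with a valid mode argument.
if [ "${1:-}" = routed ] || [ "${1:-}" = masq ]; then apply_fw "$1"; fi
```

The filter rules are identical in both modes; masquerading only changes the source address the ministry sees, so it does not replace the FORWARD restrictions.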