I like the ip_conntrack_whatever things that are protocol-aware and
rewrite the addresses and ports in the protocol based on NAT.

However, my ISP assigns me a static RFC1918 address for my gateway's
external interface, and a normal globally-routable address for the rest
of the world to use. They must do some sort of static NAT thing
themselves.

Of course, this means that as things get NAT'd at my end, protocols get
rewritten with the wrong address in them, they get the RFC1918 address,
which nobody's going to be able to reach me at.

One solution would be to have two machines at my end doing NAT - include
the protocol-aware stuff for one with my 'public' IP address on the
external interface, then hide that behind a not-protocol-rewriting one
that rewrites things back to the RFC1918 address.

Is there a way I can do it with iptables on just one machine?

Mark