I have a routing task here where I need some help.

All systems are running with SuSE 10.2 or 10.3.

All netmasks are

-System A has the IP and (this should be the router
between the two networks)
-Gateway for Network A is which makes the Internet connection
-System B has the IP and it is my VPN Server
-System C has the IP

The above is running as I expect.

But now:
-System D has the IP with Gateway

System D is a remote system which I want to control from outside.
I want to connect System D via VPN and if I'm on System D I want to
have an Internet connection too.
But I don't want to be able to connect System D with System C (or other
systems in Network A except System A and System B).

And all this should happen without static routes on System D,
just default routes and default Gateway.

Is this possible and if yes how?
What would I have to change or install on System A?
IP forward is enabled on System A.