snat
If you are hiding a network (public or private) behind your Linux box, you'll want to use source nat, or snat. It's called snat because you're going to alter the source address of the packets leaving the firewall to the address of the firewall. From there, connection tracking will return packets to the originating system.
But there's a catch. With snat, you need to know the IP on the public side of the firewall. This will be possible only on systems where you have a static IP or range of IPs. This public IP (or IPs) must be known and specified when the rules are implemented. If you don't have a static IP, you'll have to use masquerading. But if you do, you have some new possibilities.
The first possibility is that you can specify a range of IPs that outgoing packets may appear to come from. Each new internal connection to the outside will grab the next IP, wrapping back to the start when the final IP is reached. Obviously, the firewall will have to have all those IPs assigned to it, but that's very easily done. We'll go through some snat rules later.