Subject: gateway/ipnat question
To: None <netbsd-help@netbsd.org>
From: Brian C. Grayson <bgrayson@marvin.ece.utexas.edu>
List: netbsd-help
Date: 01/06/1999 17:11:20
  I'm new at networking, so pardon my ignorance...

  I have the following setup:  cluster A has globally-accessible
IP addresses (128.83.52.x).  cluster B is a private set of
machines on the 10.x.x.x subnet.  I currently have a machine
set up as a gateway, and all A machines know to route to the gateway for
10.x.x.x, and all B machines know how to talk to the gateway
for A machines etc.  (And it works -- ypbind, NFS, ssh, amd!  Yeehaw!)  

  What I want to do is also allow the cluster B machines to
access the rest of the net (via ipnat on the gateway?).

  Note that I don't want to just run nat for everything -- then
a machine in A won't really know who it is talking to --
everything will appear as mount/ssh/etc requests from the gateway.

  I think what I'd like is something like the following bogus ipnat rule:
map <iface> 10.0.0.0/8 dest not 128.83.52.0/24 -> <gateway IP> ...

  The ipnat man page explicitly says all decisions are
based on the packet's source address, not source + destination
address.

  So is there some nifty way to do what I want?  I'm thinking
one brute-force method would be to add a network card in _another_
cluster A machine on the 10 subnet, call it 10.0.0.2, and have
cluster B route to gateway1 for cluster A and to gateway2 @
10.0.0.2 for everything else, and use IPNAT on this extra
Ethernet card.  But it seems a little crazy to have two
machines functioning as gateways, just to get this working.

  TIA

  Brian
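An ipnat.conf fragment for the source-plus-destination rule the post is asking for, added here as an illustration and not taken from the thread or from any reply to it. It assumes an IPFilter release whose ipnat accepts the `from ... to ...` clause with `!` negation (check your installed ipnat(5) man page; the 1999-era syntax quoted above matches on source only), and uses constructed names: outside interface `le0` with address 128.83.52.1, cluster A on 128.83.52.0/24, cluster B on 10.0.0.0/8.

```conf
# Added example, not from the original thread.  ASSUMPTION: the
# installed ipnat understands "from ... to ..." with "!" negation;
# verify against ipnat(5) before relying on it.
#
# Constructed names: le0 = gateway's outside interface (128.83.52.1),
# cluster A = 128.83.52.0/24, cluster B = 10.0.0.0/8.

# Source-only rules (commented out): these rewrite EVERY packet
# leaving le0 from 10/8, so cluster A would see NFS, ssh and yp
# requests as coming from the gateway.  This is what the post wants
# to avoid.
#map le0 10.0.0.0/8 -> 128.83.52.1/32 portmap tcp/udp 10000:20000
#map le0 10.0.0.0/8 -> 128.83.52.1/32

# Source-plus-destination rules: only traffic from 10/8 that is NOT
# bound for cluster A is rewritten to the gateway's outside address.
# B-to-A packets match no map rule and are routed unchanged, so A
# keeps seeing the real 10.x.x.x source addresses.  The portmap rule
# comes first so TCP/UDP sessions get distinct source ports; the
# second rule catches everything else (ICMP etc.).
map le0 from 10.0.0.0/8 to ! 128.83.52.0/24 -> 128.83.52.1/32 portmap tcp/udp 10000:20000
map le0 from 10.0.0.0/8 to ! 128.83.52.0/24 -> 128.83.52.1/32
```

After loading the file with `ipnat -f`, `ipnat -l` shows the active rules and the current translation table, which should contain no sessions towards 128.83.52.0/24.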