The NAT box has been told to route packets from the 172.20.1.0 and 172.20.2.0 networks. I am currently testing the routing using two network cards to save on call costs. (The NAT box has eth0, the new box has eth1 attached to the NAT box, and eth0 connected to the new 172.20.2.0 network. I have my OSX laptop connected to the 172.20.2.0 network side and have an ssh session to the new box.)

I can ping the internet and the NAT box from the new box.

If I add a route from the NAT box to the new box, I can ping it back from the NAT box. (I have used "route add -net 172.20.2.0 netmask 255.255.255.0 dev eth0")

I can't ping the NAT box or the internet from anything else on the 172.20.2.0 network from the 172.20.1.0 network.
I can't ping anything else on the 172.20.2.0 from the NAT box (or 172.20.1.1 network).

The new box is showing the default route as (default Gateway 172.20.1.1 Genmask 0.0.0.0 flags UG IFace eth1)

Any ideas? Am I on the right track?
_________________________
Jazz (List 112, Mk2 42 gig #40. Mk1 4 gig #30. Mk3 1.6 16v)