diff --git a/daemon/core/services/security.py b/daemon/core/services/security.py index 926376f8..38d9d16e 100644 --- a/daemon/core/services/security.py +++ b/daemon/core/services/security.py @@ -11,8 +11,8 @@ from core.service import CoreService class VPNClient(CoreService): name = "VPNClient" group = "Security" - configs = ('vpnclient.sh',) - startup = ('sh vpnclient.sh',) + configs = ("vpnclient.sh",) + startup = ("sh vpnclient.sh",) shutdown = ("killall openvpn",) validate = ("pidof openvpn",) custom_needed = True @@ -37,8 +37,8 @@ class VPNClient(CoreService): class VPNServer(CoreService): name = "VPNServer" group = "Security" - configs = ('vpnserver.sh',) - startup = ('sh vpnserver.sh',) + configs = ("vpnserver.sh",) + startup = ("sh vpnserver.sh",) shutdown = ("killall openvpn",) validate = ("pidof openvpn",) custom_needed = True @@ -64,8 +64,8 @@ class VPNServer(CoreService): class IPsec(CoreService): name = "IPsec" group = "Security" - configs = ('ipsec.sh',) - startup = ('sh ipsec.sh',) + configs = ("ipsec.sh",) + startup = ("sh ipsec.sh",) shutdown = ("killall racoon",) custom_needed = True @@ -91,8 +91,8 @@ class IPsec(CoreService): class Firewall(CoreService): name = "Firewall" group = "Security" - configs = ('firewall.sh',) - startup = ('sh firewall.sh',) + configs = ("firewall.sh",) + startup = ("sh firewall.sh",) custom_needed = True @classmethod 
@@ -110,3 +110,52 @@ class Firewall(CoreService): logger.exception("Error opening Firewall configuration template (%s)", fname) return cfg + + +class Nat(CoreService): + """ + IPv4 source NAT service. + """ + name = "NAT" + executables = ("iptables",) + group = "Security" + configs = ("nat.sh", ) + startup = ("sh nat.sh",) + custom_needed = False + + @classmethod + def generateifcnatrule(cls, ifc, line_prefix=""): + """ + Generate a NAT line for one interface. + """ + cfg = line_prefix + "iptables -t nat -A POSTROUTING -o " + cfg +=ifc.name + " -j MASQUERADE\n" + + cfg += line_prefix + "iptables -A FORWARD -i " + ifc.name + cfg += " -m state --state RELATED,ESTABLISHED -j ACCEPT\n" + + cfg += line_prefix + "iptables -A FORWARD -i " + cfg += ifc.name + " -j DROP\n" + return cfg + + @classmethod + def generate_config(cls, node, filename): + """ + NAT out the first interface + """ + cfg = "#!/bin/sh\n" + cfg += "# generated by security.py\n" + cfg += "# NAT out the first interface by default\n" + have_nat = False + for ifc in node.netifs(): + if hasattr(ifc, 'control') and ifc.control == True: + continue + if have_nat: + cfg += cls.generateifcnatrule(ifc, line_prefix="#") + else: + have_nat = True + cfg += "# NAT out the " + ifc.name + " interface\n" + cfg += cls.generateifcnatrule(ifc) + cfg += "\n" + return cfg +
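Review bot: Nat.generate_config emits only `-A` rules and the class declares no `shutdown`, so each start of the service appends another MASQUERADE/ACCEPT/DROP triple to the nat and FORWARD chains and nothing removes them when the service stops (assuming CoreService's default shutdown is empty; the base class is outside this hunk, and the sibling services above do declare one). Because the rules are appended, the final `iptables -A FORWARD -i <ifc> -j DROP` only affects traffic that no earlier FORWARD rule has already accepted, which the docstring should state, e.g. `Rules are appended; this DROP does not override earlier FORWARD rules.`. Consider a `shutdown` that deletes exactly the rules nat.sh added, or at minimum a header comment in the generated script noting that re-running it duplicates rules. Minor style: `hasattr(ifc, 'control') and ifc.control == True` reads more naturally as `getattr(ifc, "control", False)`, and `cfg +=ifc.name` is missing the space after `+=`.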