If you need NAT, you have to do that on the external interface, and it requires (implies, even) creating states.
However, you can filter statelessly on the internal interface (the states won't match there (wrong direction, if-bound)), dropping outgoing TCP RST, passing everything else. Sounds similar to what was done to ignore the great firewall of China, see http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf :)

HTH,
Daniel