It will probably be easier to add a second network card to create a separate subnet for the stuff you don't want visible, then route out via the server. Attempting this with iptables would be messy, even if it's possible (which I doubt). The tunnel endpoint then sees the original LAN but not the new one.