I'd suggest reading the init.d script ipmasq installs; last I looked at it, it did a few bits of packet filtering that are generally right but might not be exactly what you're looking for...
- Mark W. Eichin

