Have you considered using a bridging firewall?
Check out: http://www.tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO.html
http://sourceforge.net/projects/ebtables
I don't like a bridging firewall too much; I dislike applying patches to the kernel, first of all. Moreover, the Ethernet bridge seems to me "not polite".
I know that proxy ARP alters the standard behaviour of an IP network, but I prefer it.
Thanks. Radel

