I'd suggest reading the init.d script ipmasq installs; last I looked at it, it did a few bits of packet filtering that are generally right but might not be exactly what you're looking for...