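Router / Firewall based protection with iptables and rc.firewall. Place this script in /etc/rc.d/rc.firewall and execute it from /etc/rc.d/rc.local. chmod the file to 500.

#!/bin/bash
#
# rc.firewall - IPTABLES firewall for a Linux router / firewall
#
# Run from /etc/rc.d/rc.local at boot (chmod 500; must run as root).
# Order matters: default-DROP policies are set first so the box fails
# closed if any later step aborts; then the helper chains are built,
# then the per-service rules, and finally the ruleset is saved so the
# iptables service restores it on the next boot.
#
# Interfaces as used below: eth1 = LAN side; anything else = outside.

# Abort on the first failing rule (-e) and on unset variables (-u):
# a half-applied ruleset with DROP policies is safer than one whose
# later rules were appended after an earlier one silently failed.
set -eu

# Connection-tracking helpers for FTP and IRC so their RELATED data
# connections pass the state chains.  modprobe resolves the module by
# name and is idempotent; insmod fails if the module is already loaded.
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

# Start from a clean slate: stop the service (may not be running),
# drop the old saved ruleset (-f: ignore a missing file on first run)
# and start the service with nothing to load yet.
/sbin/service iptables stop || true
rm -f -- /etc/sysconfig/iptables
/sbin/service iptables start || true

#######################################
# Wrapper around the iptables binary (-v prints each rule as added).
# Arguments: any iptables arguments, passed through unchanged
#######################################
ipt() {
  /sbin/iptables -v "$@"
}

# IPs and networks
readonly LO="127.0.0.1/32"          # loopback, kept for reference
readonly ANY="0.0.0.0/0.0.0.0"
readonly LAN="192.168.0.128/26"     # inside network, reached via eth1
readonly TFTP_SERVER="192.168.0.150"
readonly SQUID_PORT="3128"

# Default policy: fail closed for inbound and forwarded traffic.
ipt -P INPUT DROP
ipt -P OUTPUT ACCEPT
ipt -P FORWARD DROP

# Flush old rules and user chains in both tables this script touches.
# -F/-X alone only clear the filter table; without clearing nat the
# PREROUTING REDIRECT below is duplicated on each run that does not go
# through 'service iptables stop'.
ipt -F
ipt -X
ipt -t nat -F
ipt -t nat -X

# logging: log the packet at level info with a fixed prefix, then drop.
ipt -N logging
ipt -A logging -j LOG --log-level info --log-prefix "Firewall:"
ipt -A logging -j DROP

# instate: state handling for traffic that is allowed to open new
# connections.  INVALID is logged; anything not matched by the state
# module falls through to logging.
ipt -N instate
ipt -A instate -m state --state INVALID -j logging
ipt -A instate -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
ipt -A instate -j logging

# dpstate: state handling for everything else - only replies to
# existing connections are accepted; NEW is logged and dropped.
ipt -N dpstate
ipt -A dpstate -m state --state INVALID -j logging
ipt -A dpstate -m state --state RELATED,ESTABLISHED -j ACCEPT
ipt -A dpstate -j logging

# Ident (113): reject rather than drop so remote mail/IRC servers do
# not stall waiting for a timeout.
ipt -A INPUT   -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
ipt -A FORWARD -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

# Squid: transparently redirect LAN web traffic to the local proxy.
ipt -t nat -A PREROUTING -p tcp -i eth1 -s "$LAN" -d "$ANY" --dport 80 \
  -j REDIRECT --to-ports "$SQUID_PORT"

# Localhost: allowed
ipt -A INPUT -i lo -j ACCEPT

# LAN: allow all traffic from the inside, both to and through the router
ipt -A INPUT   -s "$LAN" -i eth1 -j instate
ipt -A FORWARD -s "$LAN" -j instate

# DHCPD: allow on the LAN card
ipt -A INPUT -i eth1 -p udp -d "$ANY" --dport 67:68 -j instate

# TFTP: forwarded only towards the TFTP server
ipt -A FORWARD -p udp --dport 69 -d "$TFTP_SERVER" -j instate

# DNS: allow all local queries (UDP only; the TCP fallback for large
# answers is not opened here)
ipt -A INPUT -i eth1 -p udp -s "$LAN" --dport 53 -j ACCEPT

# SSH: allowed inbound and forwarded from any interface and source.
# NOTE(review): add -i eth1 / -s "$LAN" if management access is only
# needed from the inside.
ipt -A INPUT   -p tcp --dport 22 -j instate
ipt -A FORWARD -p tcp --dport 22 -j instate

# Netbios: drop quietly (no logging, it is far too noisy)
ipt -A INPUT   -p udp --dport 135:139 -j DROP
ipt -A INPUT   -p tcp --dport 135:139 -j DROP
ipt -A FORWARD -p udp --dport 135:139 -j DROP
ipt -A FORWARD -p tcp --dport 135:139 -j DROP

# Everything else: replies only; new connections are logged and dropped
ipt -A INPUT   -j dpstate
ipt -A FORWARD -j dpstate

# Save (with counters) so the iptables service restores this ruleset
# on boot, then reload from the saved file.
/sbin/iptables-save -c > /etc/sysconfig/iptables
/sbin/service iptables restart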