Chypmunk,
Are you using NAT? i.e. windoze boxes using your linux box as a gateway for web access + others.
If so, supply the internal network range you use + the different interfaces on the linux box from #ifconfig -a
Then I can give you more info on how to stop spoofing etc etc etc
In the mean time I typed out a small example so you can see what you should be doing.
An example/assumptions of your ip settings for the ipchain rules
Your linux boxes internal ip = 192.168.12.1 "eth0"
Your linux boxes external ISP ip = 65.12.32.122 "eth1"
Your ISP's DNS1 server ip = 65.12.32.12
Your ISP's DNS2 server ip = 65.12.32.13
# try this:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# clear all ipchains settings
ipchains -F
# Deny all access to server secure mode enabled.
ipchains -P input REJECT
ipchains -P output REJECT
ipchains -P forward REJECT
# sets timeout values for FIN flags etc..
ipchains -M -S 4800 15 200
# localhost access
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
# allow internal subnet full access only to internal interface
ipchains -A input -i eth0 -s 192.168.12.0/24 -j ACCEPT
ipchains -A output -i eth0 -d 192.168.12.0/24 -j ACCEPT
#stops spoofing to internal ips from epn
ipchains -A input -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A input -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p udp -s 0/0 --dport 137:139 -j DENY
# spoofed private/loopback sources arrive on the external interface (eth1 in the assumptions above)
ipchains -A input -i eth1 -s 10.0.0.0/8 -d 0/0 -j DENY -l
ipchains -A input -i eth1 -s 172.16.0.0/12 -d 0/0 -j DENY -l
ipchains -A input -i eth1 -s 192.168.0.0/16 -d 0/0 -j DENY -l
ipchains -A input -i eth1 -s 127.0.0.0/8 -d 0/0 -j DENY -l
ipchains -A input -i eth1 -s 255.255.255.255 -j DENY -l
ipchains -A input -i eth1 -d 0.0.0.0 -j DENY -l
# turns off udp traceroutes
# traceroute probes are sent to destination ports 33434 and up, so the port range goes after -d
ipchains -A input -p udp -s 0/0 -d 65.12.32.122 33434:33600 -j DENY -l
# allow DNS1 to go out/in
ipchains -A output -p tcp -s 65.12.32.122 1023:65535 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 65.12.32.12 --sport 53 -d 65.12.32.122 1023:65535 -j ACCEPT
# DNS1 lookup udp out/in
ipchains -A output -p udp -s 65.12.32.122 1023:65535 --dport 53 -d 0/0 -j ACCEPT
ipchains -A input -p udp -s 65.12.32.12 --sport 53 -d 65.12.32.122 1023:65535 -j ACCEPT
# allow DNS2 to go out/in
ipchains -A output -p tcp -s 65.12.32.122 1023:65535 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 65.12.32.13 --sport 53 -d 65.12.32.122 1023:65535 -j ACCEPT
# DNS2 lookup udp out/in
ipchains -A output -p udp -s 65.12.32.122 1023:65535 --dport 53 -d 0/0 -j ACCEPT
ipchains -A input -p udp -s 65.12.32.13 --sport 53 -d 65.12.32.122 1023:65535 -j ACCEPT
# Web access out/in
# HTTP 80 access
# change speed of packets with TOS setting
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 80 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 65.12.32.122 1023:65535 -j ACCEPT
# HTTPS 443 access
ipchains -A output -p tcp -s 0/0 1023:65535 --dport 443 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 443 -d 65.12.32.122 1023:65535 -j ACCEPT
# Stop pinging and other info people should ask for.
ipchains -A output -p icmp -s 0/0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 0 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 3 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 4 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 9 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 11 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 12 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 14 -d 0/0 -j ACCEPT
ipchains -A input -p icmp -s 0/0 --icmp-type 18 -d 0/0 -j ACCEPT
# deny attacks coming in
ipchains -A input -p icmp -s 0/0 --icmp-type 8 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 5 -d 0/0 -j DENY -l
ipchains -A input -p icmp -s 0/0 --icmp-type 10 -d 0/0 -j DENY -l
-----------
This is just a small example. "trust me"
You'll have to set up mail, ssh and any other services that will need to go out.
Also you'll need to enable NAT with the "ipchains -A forward -i eth1 -j MASQ" option if you want any windows system to use it as a gateway.
enjoy,
Raz
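
Added example, not part of Raz's post: a small Python model of how the input chain decides a packet (first matching rule wins, otherwise the chain policy applies), run over a constructed subset of the rules above. It shows what the `-i` binding and `! -y` do and do not cover; the function names and packet fields are made up for the illustration, and the `-l` logging flag is ignored.

```python
import ipaddress, shlex

# Constructed subset of the post's input-chain rules, using the post's example addresses.
RULES = """\
ipchains -A input -i eth0 -s 192.168.12.0/24 -j ACCEPT
ipchains -A input -p tcp ! -y -s 65.12.32.12 --sport 53 -d 65.12.32.122 1023:65535 -j ACCEPT
ipchains -A input -p udp -s 65.12.32.12 --sport 53 -d 65.12.32.122 1023:65535 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 65.12.32.122 1023:65535 -j ACCEPT
"""

def net(a):
    return ipaddress.ip_network("0.0.0.0/0" if a == "0/0" else a)

def ports(p):
    lo, _, hi = p.partition(":")
    return int(lo), int(hi or lo)

def parse(line):
    t = [x for x in shlex.split(line) if x != "-l"]   # logging does not affect the verdict
    r = {"iface": None, "proto": None, "src": net("0/0"), "dst": net("0/0"),
         "sport": (0, 65535), "dport": (0, 65535), "nosyn": False, "target": None}
    i = 3                                             # skip "ipchains -A input"
    while i < len(t):
        if t[i] == "!":                               # "! -y": anything but a bare SYN
            r["nosyn"] = True
        elif t[i] in ("-i", "-p", "-j"):
            r[{"-i": "iface", "-p": "proto", "-j": "target"}[t[i]]] = t[i + 1]
        elif t[i] in ("--sport", "--dport"):
            r[t[i][2:]] = ports(t[i + 1])
        elif t[i] in ("-s", "-d"):
            r["src" if t[i] == "-s" else "dst"] = net(t[i + 1])
            if i + 2 < len(t) and t[i + 2][0].isdigit():  # "address port[:port]" form
                r[t[i][1] + "port"] = ports(t[i + 2])
                i += 1
        i += 2
    return r

def decide(pkt, chain, policy="REJECT"):
    addr = ipaddress.ip_address
    for r in chain:                                   # first matching rule wins
        if (r["iface"] in (None, pkt["iface"]) and r["proto"] in (None, pkt["proto"])
                and addr(pkt["src"]) in r["src"] and addr(pkt["dst"]) in r["dst"]
                and r["sport"][0] <= pkt.get("sport", 0) <= r["sport"][1]
                and r["dport"][0] <= pkt.get("dport", 0) <= r["dport"][1]
                and not (r["nosyn"] and pkt.get("syn"))):  # SYN without ACK/FIN fails "! -y"
            return r["target"]
    return policy                                     # nothing matched: chain policy

CHAIN = [parse(l) for l in RULES.splitlines()]
```

Because ipchains keeps no connection state, the port 80 rule accepts any non-SYN segment with source port 80, from any host; only a connection-opening SYN is refused.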