Let's see...
I don't know how your iptables are configured to handle masquerading (internet connection sharing) at the moment but you could try something like this:
# Set default policy for FORWARD to DROP
iptables -P FORWARD DROP
# Masquerade traffic only from 192.168.0.2 and 192.168.0.4
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.2/32 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.4/32 -j MASQUERADE
# Drop traffic that isn't related to your established traffic
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP
That way you should be able to only let explicitly specified machines be able to access the internet.
This is assuming ppp0 is your external interface (inet). Note that the above is not a complete iptables script; it won't work like this, but you can use it as a starting point. If you need more information about what is happening up there, I suggest reading the manual pages for iptables. In any case I also suggest this page, it got me started pretty well.
Good luck!
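A fuller version of the starting point in the answer above, as an added example that is not part of the original post: it emits an iptables-restore ruleset that keeps the posted rules and adds the FORWARD accept rules that the DROP policy requires before any traffic passes. The LAN interface name eth0 and the function name gen_ruleset are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: gen_ruleset WAN_IF LAN_IF HOST [HOST...]
# Prints an iptables-restore ruleset that lets only the listed LAN hosts
# reach the internet through WAN_IF.
gen_ruleset() {
    [ "$#" -ge 3 ] || { echo "usage: gen_ruleset WAN LAN HOST..." >&2; return 1; }
    wan=$1; lan=$2; shift 2
    # Accept only digits and dots so nothing else can end up in a rule line.
    for h in "$@"; do
        case $h in
            ''|*[!0-9.]*) echo "bad address: $h" >&2; return 1 ;;
        esac
    done
    echo '*nat'
    echo ':POSTROUTING ACCEPT [0:0]'
    for h in "$@"; do
        echo "-A POSTROUTING -o $wan -s $h/32 -j MASQUERADE"
    done
    echo 'COMMIT'
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Rules from the post: refuse unsolicited traffic arriving on the WAN side.
    echo "-A INPUT -i $wan -m state --state NEW,INVALID -j DROP"
    echo "-A FORWARD -i $wan -m state --state NEW,INVALID -j DROP"
    # Replies to connections that an allowed host opened.
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New outbound connections, only from the allowed hosts on the LAN side.
    for h in "$@"; do
        echo "-A FORWARD -i $lan -o $wan -s $h/32 -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# The two hosts and the ppp0 interface from the post; eth0 is assumed.
gen_ruleset ppp0 eth0 192.168.0.2 192.168.0.4
```

Piping the output into `iptables-restore --test` parses the ruleset without committing it; without `--noflush`, a real load replaces the existing contents of the nat and filter tables. Forwarding also needs `net.ipv4.ip_forward=1` on the gateway.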