LinuxQuestions.org


Gemenii 01-29-2007 11:02 AM

firewall - iptables
 
Hello, can anyone help me with a firewall? I'm a newbie with these things, so I don't know very well...

Ok, here is my setup. I have 5 IP addresses.

70.147.94.242 to 70.147.94.246

70.147.94.241 is my gateway to the world.

Elvis has 3 network cards in him. The first is connected to the
Internet. It will have to carry all 5 of my IP addresses. The
second card is connected to a private network. The private network
is in the 192.168.2.x range. The second card has a fixed address of
192.168.2.1. The third network card is to be used as an extremely
limited network. It can't talk to anything but the Internet. It CAN
NOT talk to the subnet on the 2nd card. The third network card is in
the 192.168.3.x range with the third NIC having a fixed IP of
192.168.2.3.

The public IP addresses have the following services...

70.147.94.242
(A) Accepts NO incoming connections. It should be a tarpit to
anything that tries to connect to it.
(B) This is my NAT address. The subnet on 192.168.2.x (second NIC)
will use this address for all outgoing traffic.

70.147.94.243
(A) Accepts HTTP and HTTPS - may support WebDav for selected addresses
(B) Accepts POP3 and SMTP
(C) Accepts FTP (from selected address only - port knocking perhaps)
(D) Accepts Squid

70.147.94.244
Should be a tar pit

70.147.94.245
Should be a tar pit

70.147.94.246
(A) Accepts SSH
(B) Accept IRC ports (4400, 6667, and 6668)

192.168.2.1
(A) SSH
(B) DNS (caching only)
(C) DHCP
(D) FTP
(E) HTTP
(F) HTTPS
(G) WebDav
(H) NAT for the entire subnet - 70.147.94.242 is what the subnet
should use for its outgoing address
(I) Squid - transparent proxy although authentication is possible

192.168.2.3
(A) DNS (caching only)
(B) DHCP

Of course, if anyone attempts to brute-force any of the services
(connects more than X times per second) I want their address to be
blocked and any connection states they currently have to be dropped.

I think that about covers it.
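An added example, not from the original thread or any of its posters: a shell function that prints an iptables-restore ruleset implementing the topology described above. Interface names (eth0 public, eth1 for 192.168.2.x, eth2 for 192.168.3.x), Squid on port 3128 and the single FTP source address are assumptions; the third subnet is taken as 192.168.3.0/24 as the post describes it, and the TARPIT target (which lives in xtables-addons, not stock iptables) is replaced by the INPUT DROP policy.

```shell
# Assumed interface names (not in the post): eth0 public, eth1 192.168.2.0/24,
# eth2 192.168.3.0/24. Squid port 3128 and the FTP source address are assumed.
# TARPIT needs xtables-addons, so the tarpit hosts just fall to the INPUT DROP policy.
gen_rules() {
  hits=${1:-5}                 # new connections/second from one source before blocking
  ftp_src=${2:-203.0.113.10}   # placeholder for the one address allowed to use FTP
  pub=eth0; lan=eth1; guest=eth2
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# (I) transparent Squid for the 192.168.2.x subnet
-A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-ports 3128
# (H) both private subnets leave the box as 70.147.94.242
-A POSTROUTING -o $pub -s 192.168.2.0/24 -j SNAT --to-source 70.147.94.242
-A POSTROUTING -o $pub -s 192.168.3.0/24 -j SNAT --to-source 70.147.94.242
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BRUTE - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# brute-force guard: a source already on the "bad" list stays dropped for 60 s;
# exceeding $hits new connections/s from one source puts it on that list
-A BRUTE -m recent --name bad --set -j DROP
-A INPUT -i $pub -m conntrack --ctstate NEW -m recent --name bad --update --seconds 60 -j DROP
-A INPUT -i $pub -m conntrack --ctstate NEW -m hashlimit --hashlimit-above ${hits}/sec --hashlimit-burst $hits --hashlimit-mode srcip --hashlimit-name brute -j BRUTE
# 70.147.94.243: HTTP(S)/WebDAV, POP3, SMTP, Squid; FTP only from the selected address
-A INPUT -i $pub -d 70.147.94.243 -p tcp -m multiport --dports 80,443,110,25,3128 -j ACCEPT
-A INPUT -i $pub -d 70.147.94.243 -s $ftp_src -p tcp --dport 21 -j ACCEPT
# 70.147.94.246: SSH and IRC; .242/.244/.245 accept nothing, the DROP policy covers them
-A INPUT -i $pub -d 70.147.94.246 -p tcp -m multiport --dports 22,4400,6667,6668 -j ACCEPT
# 192.168.2.1 services for the private subnet
-A INPUT -i $lan -p tcp -m multiport --dports 21,22,53,80,443,3128 -j ACCEPT
-A INPUT -i $lan -p udp -m multiport --dports 53,67 -j ACCEPT
# third NIC: only DNS and DHCP on the gateway itself
-A INPUT -i $guest -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i $guest -p tcp --dport 53 -j ACCEPT
# forwarding: both subnets reach the Internet, never each other
-A FORWARD -i $guest -o $lan -j DROP
-A FORWARD -i $lan -o $guest -j DROP
-A FORWARD -i $lan -o $pub -j ACCEPT
-A FORWARD -i $guest -o $pub -j ACCEPT
COMMIT
EOF
}
```

Review the output, then feed it to iptables-restore as root; the rules only stop new connections from a blocked source, so tearing down the flows it already has is a separate job for the conntrack tool.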

kremers78 01-29-2007 03:37 PM

The last time I had to control a network like that with iptables I used fwbuilder.
It's a nice frontend for an iptables-based firewall, and when I'm looking at a network like yours, I think you can manage that with this great tool.

alienux 01-30-2007 11:58 AM

I'll second the suggestion for fwbuilder. I come from a Checkpoint background, and fwbuilder is the only firewall interface I have found that I like as much (other than the FortiGate boxes that I have deployed at some clients now). Fwbuilder with iptables, and kiwisyslog viewer for color coding logs is a great combination.

kremers78 01-31-2007 02:24 AM

Quote:

Originally Posted by alienux
I'll second the suggestion for fwbuilder. I come from a Checkpoint background, and fwbuilder is the only firewall interface I have found that I like as much (other than the FortiGate boxes that I have deployed at some clients now). Fwbuilder with iptables, and kiwisyslog viewer for color coding logs is a great combination.

Didn't know that last one... gonna take a look at it!

