It's been some time now so I guess I'll consolidate my findings here, along with notes of my own. I know how it feels when you have to wait on experts for a nugget or two...
I found this site:
https://firewallengineer.wordpress.com/2013/08/12/tiny-core-linux-routing/ depicting a similar scenario.
Also, some things you may want to consider upon building such a system, based on my experience via direct-connect (PC>CblModem>Internet):
- DNS monitoring (It's plain text, however they LOVE injecting/intercepting queries)
- Buffer-overflow management
- Memory management (control data/structure corruption)
- Speed and Bandwidth management (because while downloading, you may experience attacks)
- Closing unwanted services/ports (you know this already;-)
I've seen them use DDoS, Pingsweep, telnet-23 (favorite), ICMP-unreachable (favorite) and various UDP ports as well. Hardening against these, you'll need a means of monitoring incoming traffic of all sorts, a CPU powerhouse and ample amounts of RAM, but not too much. Best to use CD-ROM for your final image with a CDROM (not CDRW/DVDRW) drive, accompanied with a service-watchdog when using Core.img.
I also found that 32-bit systems perform well and have more resources at the tap than 64. As of this writing DNS injection is hot again since GLIBC's CVE-2015-0235 oompF.
Mint is a major target right now, seeing they're #1 in the polls, so that's where I'm at for now; testing with tcpdump, Wireshark and others can be helpful.
I'm just trying to help.
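As an added illustration of the traffic monitoring the post recommends (example code, not part of the original post), this Python script scans `tcpdump -nn` style text lines for the indicators named above: DNS answers arriving from a source other than the expected resolver, SYNs to telnet port 23, ICMP unreachable floods, and ping sweeps. The sample lines, the resolver address and the thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Field patterns for tcpdump -nn IPv4 text output (numeric addresses and ports).
IP = r"(\d+\.\d+\.\d+\.\d+)"
DNS_ANSWER = re.compile(rf"IP {IP}\.53 > {IP}\.\d+: \d+\S* \d+/\d+/\d+")  # src port 53 + answer counts
TCP_SYN = re.compile(rf"IP {IP}\.\d+ > {IP}\.(\d+): Flags \[S\]")
ICMP = re.compile(rf"IP {IP} > {IP}: ICMP (.+?),")

def analyze(lines, resolvers, unreach_threshold=3, sweep_threshold=3):
    """Return (finding, source_ip) tuples for the indicators the post lists."""
    findings, unreach, sweep = [], Counter(), defaultdict(set)
    for line in lines:
        if (m := DNS_ANSWER.search(line)) and m.group(1) not in resolvers:
            findings.append(("dns_unexpected_resolver", m.group(1)))  # possible injected reply
        elif (m := TCP_SYN.search(line)) and m.group(3) == "23":
            findings.append(("telnet_probe", m.group(1)))
        elif m := ICMP.search(line):
            src, dst, kind = m.groups()
            if kind.endswith("unreachable"):
                unreach[src] += 1          # count unreachables per source
            elif kind == "echo request":
                sweep[src].add(dst)        # distinct targets pinged per source
    findings += [("icmp_unreachable_flood", s) for s, n in unreach.items() if n >= unreach_threshold]
    findings += [("ping_sweep", s) for s, d in sweep.items() if len(d) >= sweep_threshold]
    return findings

# Constructed sample capture (documentation address ranges); 192.0.2.53 is the assumed resolver.
SAMPLE = """\
12:00:00.000001 IP 192.168.1.10.41234 > 192.0.2.53.53: 31337+ A? example.com. (29)
12:00:00.000002 IP 192.0.2.53.53 > 192.168.1.10.41234: 31337 1/0/0 A 192.0.2.1 (44)
12:00:00.000003 IP 203.0.113.9.53 > 192.168.1.10.41234: 31337 1/0/0 A 198.51.100.7 (44)
12:00:01.000000 IP 203.0.113.5.40000 > 192.168.1.1.23: Flags [S], seq 1, win 65535, length 0
12:00:02.000000 IP 203.0.113.5 > 192.168.1.1: ICMP 203.0.113.5 udp port 53 unreachable, length 36
12:00:02.000001 IP 203.0.113.5 > 192.168.1.1: ICMP 203.0.113.5 udp port 53 unreachable, length 36
12:00:02.000002 IP 203.0.113.5 > 192.168.1.1: ICMP 203.0.113.5 udp port 53 unreachable, length 36
12:00:03.000000 IP 203.0.113.7 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
12:00:03.000001 IP 203.0.113.7 > 192.168.1.2: ICMP echo request, id 1, seq 2, length 64
12:00:03.000002 IP 203.0.113.7 > 192.168.1.3: ICMP echo request, id 1, seq 3, length 64
""".splitlines()
RESOLVERS = {"192.0.2.53"}

if __name__ == "__main__":
    for kind, src in analyze(SAMPLE, RESOLVERS):
        print(kind, src)
```

On a live box the same logic can be fed from `tcpdump -nn -l` over a pipe, one line at a time.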