I don't have a sample but let me write it down and test at my end for you.. Please check this post in a few minutes.
Edit:
Well, I tested something out as an experiment and it seems to work alright. Give this a try:
iptables -I INPUT -i br1 -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -i br1 -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -I INPUT -i br1 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 5 -j QUEUE
iptables -I INPUT -i br1 -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 1 --hitcount 5 -j QUEUE
Read about the QUEUE target here: http://www.linuxtopia.org/Linux_Firewall_iptables/x4501.html . You can change the update and hitcount to fine tune / limit connections on the guest network interface.
Now if you want to block all service ports except browsing then you can do:
# Inbound on the guest interface: replies to existing connections, ICMP and DNS answers only
iptables -A INPUT -i br1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i br1 -p icmp -j ACCEPT
iptables -A INPUT -i br1 -m udp -p udp --sport 53 -j ACCEPT
iptables -A INPUT -i br1 -j DROP
# Outbound on the guest interface (OUTPUT matches the outgoing interface with -o, not -i): established traffic, new HTTP/HTTPS, ICMP and DNS queries
iptables -A OUTPUT -o br1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o br1 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o br1 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -o br1 -p icmp -j ACCEPT
iptables -A OUTPUT -o br1 -m udp -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o br1 -j REJECT --reject-with icmp-host-prohibited
You see port 53 for DNS as nothing will work without DNS lookups. I hope this helps. Please revert back with results.
Have a great day!
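An added example, not from the post above or from any router firmware: a small POSIX shell function that generates the whole guest-interface ruleset in one go, combining the `-m recent` connection rate limit and the "browsing only" port allowlist from the post. It goes one step beyond the post in that it puts the guest-client rules in the FORWARD chain, which is where a Linux router sees traffic it passes from guest clients to the internet (INPUT and OUTPUT only see connections to and from the router itself), and it uses `-A` so the `--set` rule is evaluated before the `--update --hitcount` rule. The interface name, the 1 second / 5 hit window, the `guestweb` list name and the default QUEUE target are assumptions carried over from the post; the function only prints the commands, so you can review them before piping them into a root shell.

```shell
#!/bin/sh
# Added example (not from the original post): print an iptables ruleset that
# rate-limits new HTTP/HTTPS connections per guest client with -m recent and
# allows only web browsing, DNS and ICMP from the guest interface.
#
#   guest_fw_rules [iface] [seconds] [hitcount] [target]
#   guest_fw_rules br1 1 5 DROP | sh -e      # apply as root on the router
#
# Defaults (assumed from the post): br1, 1 second, 5 hits, QUEUE.
# Note: QUEUE hands packets to a userspace program; with nothing listening
# the kernel drops them, so DROP is the simpler choice if the only goal is
# to shed the burst.
guest_fw_rules() {
    ifc="${1:-br1}"       # guest bridge interface
    window="${2:-1}"      # --seconds: length of the sliding window
    hits="${3:-5}"        # --hitcount: new connections allowed per window
    target="${4:-QUEUE}"  # what happens to connections above the limit

    # 1. Per-source rate limit on new web connections from guest clients.
    #    --set records the client in the "guestweb" list, --update then
    #    matches once that client has opened $hits connections in $window s.
    for port in 80 443; do
        echo "iptables -A FORWARD -i $ifc -p tcp --dport $port -m state --state NEW -m recent --name guestweb --set"
        echo "iptables -A FORWARD -i $ifc -p tcp --dport $port -m state --state NEW -m recent --name guestweb --update --seconds $window --hitcount $hits -j $target"
    done

    # 2. Forwarded guest traffic: replies, then new HTTP/HTTPS, DNS and ICMP;
    #    everything else is rejected so clients get an immediate error.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in 80 443; do
        echo "iptables -A FORWARD -i $ifc -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $ifc -p udp --dport 53 -j ACCEPT"
    echo "iptables -A FORWARD -i $ifc -p icmp -j ACCEPT"
    echo "iptables -A FORWARD -i $ifc -j REJECT --reject-with icmp-host-prohibited"

    # 3. Traffic from guests to the router itself: only replies, DNS queries
    #    (if the router runs the resolver) and ICMP; drop the rest silently.
    echo "iptables -A INPUT -i $ifc -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $ifc -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $ifc -p icmp -j ACCEPT"
    echo "iptables -A INPUT -i $ifc -j DROP"
}
```

After applying, `iptables -L FORWARD -v -n --line-numbers` shows the rule order and packet counters, and `cat /proc/net/xt_recent/guestweb` lists the guest addresses currently tracked by the rate limit with their recent hit timestamps, which is the quickest way to confirm the window and hit count are doing what you expect.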