We use shorewall on most of our boxes. Their configuration is also text-based, easy to learn, and is more than enough for the normal tasks (routing, masquerading, traffic shaping, NATs, port forwarding, rate limiting, etc.)
Consider installing the shorewall package. If the Debian docs there don't make it work out of the box, see Shorewall's Basic Two-Interface Firewall for more information.
Setting up port knocking might be enough security through obscurity to thwart a would-be replay attack of a captured password (depending on the complexity of the spyware).
Ok, then have an MPLS line terminated into your two locations, and send traffic into the telecom provider's MPLS cloud. To your network devices it will look like all your boxes are on the same layer 2 network, but in practice their communications will be encapsulated into the MPLS network.
The "standard" solution would be to use a VPN between two routers, and adjust the routing so all LAN-to-LAN traffic crosses the VPN. Make sure to use different subnets on your two sites so you don't have to do full NAT.
As an alternative to openwrt, you could also install shorewall to use as your firewall on the same RPi. It has a simple text-based interface. You run a generator program and it generates the iptables files for you. You might also want to think about installing webmin, a web-based computer management interface that also has a graphical interface to set up shorewall. Shorewall has protocol inspection and multiple zone capability (if you use more than one Ethernet interface on your RPi).
I use Shorewall for my firewall at home. It's basically an easier interface to deal with iptables.
Other than that, do the obvious - like block ports that you won't be using, and disable non-needed SSH accounts (see: all, if you don't plan on logging in remotely).
Some good info to start with - not all tips will necessarily apply to your situation.
The simplest way to stop portscans at your network border is to check for people making a bunch of connections really fast. You can do this in shorewall with the rate limit/burst settings.
http://www.shorewall.net/ConnectionRate.html
If a source IP starts going over the limits you set then shorewall will drop the packets.
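To show what the rate limit/burst settings in that post actually decide, here is an added simulation (not from the original thread or from Shorewall itself) of the token-bucket semantics behind the iptables limit match that a Shorewall RATE LIMIT entry such as `s:10/min:5` compiles to: each source gets a bucket of `burst` tokens refilled at `rate`, and a connection that finds the bucket empty is not accepted and falls through to the zone policy. Both IP addresses and the timestamps are constructed sample data.

```python
"""Per-source rate/burst token bucket, as used by iptables limit/hashlimit.

Models a Shorewall rules entry like:
  ACCEPT  net  $FW  tcp  22  -  -  s:10/min:5
i.e. 10 new connections per minute per source, with a burst of 5.
"""


class SourceRateLimiter:
    def __init__(self, rate_per_minute, burst):
        self.interval = 60.0 / rate_per_minute  # seconds per replenished token
        self.burst = burst                      # bucket capacity
        self.buckets = {}                       # src -> (tokens, last_seen)

    def allow(self, src, now):
        """Return True if a new connection from src fits the bucket at time now."""
        tokens, last = self.buckets.get(src, (self.burst, now))
        # refill proportionally to elapsed time, capped at the burst size
        tokens = min(self.burst, tokens + (now - last) / self.interval)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)
        return False


def classify(events, rate_per_minute=10, burst=5):
    """events: list of (timestamp_seconds, source_ip), in time order."""
    limiter = SourceRateLimiter(rate_per_minute, burst)
    return [(t, src, "ACCEPT" if limiter.allow(src, t) else "DROP")
            for t, src in events]


# Constructed sample: one host probing 10 times in a second (scanner-like
# behaviour), one host connecting at a normal pace, then the fast host again
# after its bucket has had time to refill.
SCANNER, CLIENT = "203.0.113.9", "198.51.100.4"
SAMPLE_EVENTS = sorted(
    [(0.1 * i, SCANNER) for i in range(10)]
    + [(5.0, CLIENT), (35.0, CLIENT), (65.0, CLIENT)]
    + [(60.0, SCANNER)]
)

if __name__ == "__main__":
    for t, src, verdict in classify(SAMPLE_EVENTS):
        print(f"t={t:5.1f}s  {src:14}  {verdict}")
```

With the defaults, the fast host gets its first five attempts through, the next five are refused, and its attempt a minute later is accepted again because the bucket has refilled; the slow client is never affected.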
I was reading http://www.shorewall.net/shorewall_setup_guide.htm#DNS
I haven't studied it in detail, but if BIND can run a nameserver for the LAN that sounds like something I need. I realize the example there is for a guy that has his foobar.net domain and wants to get to his router and DMZs from the outside.
But also look here: http://www.debian-administration.org/articles/343
Edit: Seems like this guy is trying to achieve the same as me; just a working LAN with DNS, and he uses BIND9 to do it. Or am I mistaken?
2) No, I was just thinking of piping the output to a diff command against a known-good listing.
4) Not that I'm aware of.
Judge for yourself what to make of Shorewall. I think it's great because it will generate a lot of iptables rules based on some simple setup, and then I don't have to remember what each line does. You may also get some mileage from FWBuilder, which is a Qt-based GUI to do about the same thing.
Instead of load balancing at layer 3 you could load balance using Squid, especially if all you are using eth1 and eth2 for is web traffic. You can accomplish this using the cache_peer directive.
http://www.linuxreaders.com/2010/05/24/squid-with-cache-load-balance/
If you want to load balance using iptables I would suggest Shorewall. Makes it a lot less of a headache to mark packets.