As far as I know, it is possible to pass your NAT box and reach the local network.
Make it very hard to pass your NAT box (nothing is impossible):
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth_local -s local_net/subnet -j ACCEPT
So only ESTABLISHED and RELATED packets will be allowed in both directions. All packets will be allowed if they come from the intranet and go to the internet.
Don't forget, someone can still find a way to hack your box. Maybe iptables won't let them, but maybe a hacker finds a security hole in iptables or other services. Who knows.
At least you won't be hacked by kids.
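
A way to check that a running FORWARD chain still matches the posture in the post above, as an added example that is not part of the original post. It reads `iptables -S FORWARD` output and flags any ACCEPT rule that is tied neither to a state match nor to the LAN interface. The function names, `eth1`/`eth0` and `192.168.1.0/24` are assumptions standing in for `eth_local` and `local_net/subnet`, and both rule sets are constructed samples.

```shell
#!/bin/sh
# audit_forward LAN_IF: reads `iptables -S FORWARD` output on stdin.
# Returns 0 if the chain matches the posture in the post, 1 otherwise.
# On a real host (assumed LAN interface eth1): iptables -S FORWARD | audit_forward eth1
audit_forward() {
    lan_if=$1
    rc=0
    policy=missing
    while IFS= read -r rule; do
        case $rule in
            "-P FORWARD "*) policy=${rule#"-P FORWARD "}; continue ;;
            *"-j ACCEPT"*) ;;      # only ACCEPT rules can open a path
            *) continue ;;
        esac
        case $rule in
            *" -i $lan_if "*) ;;   # new flows, but only from the LAN side
            *"state "*NEW*|*"state "*INVALID*)
                echo "FAIL: state match admits NEW/INVALID: $rule"; rc=1 ;;
            *"--state "*|*"--ctstate "*) ;;   # replies to existing flows only
            *)
                echo "FAIL: ACCEPT not tied to state or LAN interface: $rule"; rc=1 ;;
        esac
    done
    if [ "$policy" != DROP ]; then
        echo "FAIL: FORWARD policy is $policy, expected DROP"; rc=1
    fi
    return $rc
}

# Constructed sample: the four rules from the post as `iptables -S` prints them.
good_rules() {
    printf '%s\n' \
        '-P FORWARD DROP' \
        '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -s 192.168.1.0/24 -i eth1 -j ACCEPT'
}

# Constructed sample: drifted chain with an open policy and a WAN-side ACCEPT.
bad_rules() {
    printf '%s\n' \
        '-P FORWARD ACCEPT' \
        '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT'
}

good_rules | audit_forward eth1 && echo "PASS: chain matches the post"
```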