Well, everything depends on what you need. Let's assume the gateway gives the LAN access to the internet.
eth0 is linked to the LAN and eth1 is linked to the internet.
So let's turn the FORWARD policy to DROP.
Code:
iptables -P FORWARD DROP
Now, let's decide which services the clients need.
Code:
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT #enable www requests out
Code:
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT #enable ftp requests out
Now, here's the problem. The answer will be dropped. So, to avoid forwarding everything, you can use this rule.
Code:
iptables -A FORWARD -i eth1 -o eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT #any connection started from the lan, can get their answer
Quick explanation:
ESTABLISHED means if you started the connection, you'll get the answer.
RELATED: if a connection needs other ports, these are RELATED; example: passive FTP.
You should then do the same with OUTPUT.
Using these rules you can avoid traffic generated by applications you don't know (Windows spyware, many worms, etc.).
By adding some LOG rules checking the most vulnerable ports you can also detect the presence of possible worms in your LAN.
Another interesting thing is that, using this technique, you can reduce the risks of buggy programs on the clients.
If you need more, let us know.
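The steps in the post above, collected into one gateway script, as an added example that is not part of the original post. It keeps the post's interfaces (eth0 = LAN, eth1 = internet), the default-DROP FORWARD policy, the per-service ACCEPT rules and the ESTABLISHED,RELATED return rule, and applies the same pattern to OUTPUT. Everything else is an assumption made for the example: the LAN range 192.168.1.0/24, HTTPS and DNS added to the allowed services, TCP/445 as the "vulnerable port" for the LOG rule, a MASQUERADE rule so the LAN can actually share the gateway's address, and loading nf_conntrack_ftp, which is what lets passive-FTP data connections be classified as RELATED. With DRY_RUN=1 the script prints the commands instead of running them, so the ruleset can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not code from the original post. Default-deny gateway
# firewall: FORWARD and OUTPUT drop everything except explicitly allowed
# services plus the replies to connections that originated inside.

LAN_IF="${LAN_IF:-eth0}"               # from the post
WAN_IF="${WAN_IF:-eth1}"               # from the post
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN range
WATCH_PORT="${WATCH_PORT:-445}"        # assumed "vulnerable port" to LOG

# Print every command instead of executing it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

firewall_rules() {
    # Flush old rules so re-running the script is idempotent.
    run iptables -F FORWARD
    run iptables -F OUTPUT

    # Default deny: nothing crosses the gateway, and the gateway itself
    # sends nothing out, unless a rule below allows it.
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP

    # The gateway may talk to itself and to its own LAN freely.
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A OUTPUT -o "$LAN_IF" -j ACCEPT

    # Replies (and RELATED data connections) to LAN-originated traffic.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services the clients may open: HTTP, HTTPS (assumed), FTP control, DNS (assumed).
    for port in 80 443 21; do
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT

    # Anything from the LAN aimed at the watched port is not allowed above,
    # so it gets logged here and then dropped by the policy. Rate-limited so
    # one infected host cannot flood the log.
    run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport "$WATCH_PORT" -m limit --limit 5/min -j LOG --log-prefix "WORM? "

    # Same treatment for the gateway's own outbound traffic (OUTPUT).
    run iptables -A OUTPUT -o "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    run iptables -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # NAT and routing: without these the LAN cannot reach the internet at all.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1

    # Passive FTP data channels only match RELATED when the ftp helper is loaded.
    run modprobe nf_conntrack_ftp
}

# Number of commands the ruleset issues (dry run), for checking the script.
rule_count() {
    ( DRY_RUN=1; firewall_rules ) | grep -c '^'
}

# Apply for real only when explicitly asked: APPLY=1 sh firewall.sh
if [ "${APPLY:-0}" = "1" ]; then
    firewall_rules
fi
```

Review first with `DRY_RUN=1 APPLY=1 sh firewall.sh`; the return-traffic rule is deliberately placed before the LOG rule so that established flows never touch the logger, and the OUTPUT policy only covers the WAN interface because the gateway still has to serve its own LAN.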