The FORWARD chain certainly does operate on packets whose destination ISN'T the firewall itself.
As far as automatically knowing which packets to let through, this is handled by rules.
If your default POLICY is DROP, then you need to make rules to allow packets to pass through.
And vice versa, if your default POLICY is ACCEPT, you need rules to decide what to DROP or REJECT.
Usually, you can trust the outward traffic from the LAN; however, after doing a lot of work stopping IRC, Kazaa and similar services from going out, you may decide a DROP POLICY is better and then specifically allow services.
I personally find it easier to use an ACCEPT policy and then limit the traffic with proxies and rules rather than a straight DROP POLICY.
Netfilter can do all the filtering by word content etc. if you use patch-o-matic, but it's an extremely large ruleset.
This is the beauty of the state matching machine. It avoids having to make returning packet rules.
The -o LAN -m state --state ESTABLISHED,RELATED -j ACCEPT handles it all.
Try this tutorial
http://www.netfilter.org/documentati...ials/blueflux/
Regards,
Peter
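As an added illustration (not part of Peter's post), the model below simulates the FORWARD chain he describes: a DROP policy, one rule letting NEW connections out from the LAN, and the single `-o LAN -m state --state ESTABLISHED,RELATED -j ACCEPT` rule carrying all the replies back in. The interface names LAN and WAN, the addresses and the ports are constructed for the demo; only the ESTABLISHED state is modelled (RELATED needs protocol helpers and is left out).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str   # interface the packet arrived on (constructed: "LAN" or "WAN")
    out_if: str  # interface the routing decision picked (constructed)

class StatefulForward:
    """Toy equivalent of:
       iptables -P FORWARD DROP
       iptables -A FORWARD -i LAN -o WAN -m state --state NEW -j ACCEPT
       iptables -A FORWARD -o LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    """
    def __init__(self, policy="DROP"):
        self.policy = policy
        self.conntrack = set()  # 4-tuples of flows the firewall has accepted

    def _key(self, p):
        return (p.src, p.sport, p.dst, p.dport)

    def state(self, p):
        # A packet is ESTABLISHED if it belongs to a tracked flow in either direction.
        reply_key = (p.dst, p.dport, p.src, p.sport)
        if self._key(p) in self.conntrack or reply_key in self.conntrack:
            return "ESTABLISHED"
        return "NEW"

    def forward(self, p):
        st = self.state(p)
        if p.in_if == "LAN" and p.out_if == "WAN" and st == "NEW":
            self.conntrack.add(self._key(p))  # conntrack now knows this flow
            return "ACCEPT"
        if p.out_if == "LAN" and st == "ESTABLISHED":
            return "ACCEPT"                    # no per-service return rule needed
        return self.policy                     # fall through to the chain policy

def run_demo(policy="DROP"):
    fw = StatefulForward(policy)
    out = Packet("192.0.2.10", 40000, "198.51.100.5", 80, "LAN", "WAN")   # LAN -> web
    back = Packet("198.51.100.5", 80, "192.0.2.10", 40000, "WAN", "LAN")  # the reply
    cold = Packet("203.0.113.7", 5555, "192.0.2.10", 445, "WAN", "LAN")   # unsolicited
    return [fw.forward(out), fw.forward(back), fw.forward(cold)]
```

With the DROP policy the reply is accepted by the state rule alone while the unsolicited inbound packet is dropped; switch the policy to ACCEPT and that same packet sails through, which is the trade-off the post is weighing.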