Звучит как относительно простой набор правил.
Вот мое предложение. Непроверено, потому что сейчас у меня нет доступной виртуальной машины с двумя интерфейсами.
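#!/usr/bin/env bash
# Two-interface router/firewall: one internal LAN on INTIF, the Internet on
# EXTIF, and a single internal web server published to the outside on TCP
# ports 80, 443 and 32400 via DNAT.
#
# Abort on the first failed iptables call instead of continuing with a
# half-built ruleset; the final "default policy DROP" step only runs if every
# rule above it was installed.
set -eu

# Definitions
readonly INTIF=eth1            # Internal interface
readonly EXTIF=eth0            # External interface
readonly SERVERIP=192.168.1.12 # Internal webserver address

# Prepare to wipe the ruleset, so default to allowing everything
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Erase the rulesets
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

# Allow anything on loopback (a rule must name its chain with -A, otherwise
# iptables rejects the command)
iptables -A INPUT -i lo -j ACCEPT

# Allow anything in that is the "other half" of an outbound request.
# Without an explicit -j target this rule would only count packets and
# accept nothing.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow anything out from the router itself (router to INT, router to EXT).
# Traffic passing *through* the router (INT to EXT) never hits OUTPUT; it is
# handled by the FORWARD rules below.
iptables -A OUTPUT -j ACCEPT

# Allow port 22 in from INT (inferred from your explanation)
# Strictly, this is only required if you apply additional restrictions
# in the next rule, but I'm going to leave it here anyway
iptables -A INPUT -i "$INTIF" -p tcp --dport 22 -j ACCEPT

# Allow everything through from INT
# This allows internal access to the router too. You could add some extra
# rules here that disallow access to both the router's own IP addresses
iptables -A INPUT -i "$INTIF" -j ACCEPT

# Forwarded traffic: replies to established flows, anything from INT to EXT,
# and from EXT only the published ports, only towards the internal server.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
for port in 80 443 32400; do
  # Allow this port in from EXT, and forward it on to the internal server.
  # The nat rule rewrites the destination; the FORWARD rule lets the
  # rewritten packet through once FORWARD's policy is DROP.
  iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$port" \
    -j DNAT --to-destination "$SERVERIP"
  iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$SERVERIP" \
    -p tcp --dport "$port" -j ACCEPT
done

# Hide the internal (RFC 1918) addresses behind the router's external address
# on the way out; without this, forwarded INT->EXT packets carry source
# addresses the upstream network cannot route replies back to.
iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# Set the default action to discard all traffic. "DENY" is not a valid
# iptables policy; the built-in target is DROP. FORWARD is closed as well so
# that only the explicit rules above pass through the router.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Enable forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward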