I have my rules defined in such a way that a script can process them after each change, so they get added to the beginning of the user rule chain forwarding_lan_rule. And, I reckon, this is the tricky part: making sure they are before the conntrack rules.
This is my script; you can place it in /etc/firewall.user:
    # Process any new rule from the fw3 front-end that is tagged with $RULE_MARK
    # and move it into the user chain $RULE_TABLE.
    #
    RULE_ORIG="zone_lan_forward"          # chain where fw3 puts the LAN forwarding rules
    RULE_TABLE="forwarding_lan_rule"      # user chain that is evaluated before the conntrack rules
    RULE_MARK="##$RULE_TABLE##"           # tag to put in the rule description
    # Add any marked rule in the rule origin to our user rule table.
    # The filter table is dumped with counters, rewritten line by line and
    # loaded back; lines without the mark pass through untouched.
    for ipt in ip ip6; do
        ${ipt}tables-save -c -t filter | while IFS= read -r line; do
            if [ -z "${line##*$RULE_MARK*}" ]; then
                # Marked line: strip the mark and retarget the chain
                printf "%s\n" "$line" | sed -e "s/$RULE_MARK//g;s/$RULE_ORIG/$RULE_TABLE/g"
            else
                printf "%s\n" "$line"
            fi
        done | ${ipt}tables-restore -c -T filter
    done
To make it work properly, I tag my rules' descriptions with ##forwarding_lan_rule## so they get processed by /etc/firewall.user. See an example:
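Added here as an illustration, not part of the post above: a dry-run of the same rewrite step that reads a constructed iptables-save excerpt instead of the live firewall, so you can see exactly what iptables-restore would receive (the tagged rule moves to forwarding_lan_rule with its mark stripped, everything else passes through) before letting the script touch the running ruleset. The sample rules, the chain contents and the function names rewrite_rules, sample_input, rules_in_chain and mark_remaining are all made up for this example.

```shell
#!/bin/sh
# Dry-run of the marker/rewrite logic: same variables and sed expression as the
# firewall.user script, but fed from a constructed save dump, never from
# iptables-save, and never piped into iptables-restore.

RULE_ORIG="zone_lan_forward"
RULE_TABLE="forwarding_lan_rule"
RULE_MARK="##$RULE_TABLE##"

# Rewrite stdin: move marked rules from $RULE_ORIG to $RULE_TABLE and drop the mark.
rewrite_rules() {
    while IFS= read -r line; do
        case "$line" in
            *"$RULE_MARK"*)
                printf '%s\n' "$line" | sed -e "s/$RULE_MARK//g;s/$RULE_ORIG/$RULE_TABLE/g"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# Constructed sample of what a trimmed `iptables-save -c -t filter` could look
# like on an fw3 box: one rule already in the user chain, one tagged rule and
# one untagged fw3 rule in the zone chain. Addresses are documentation ranges.
sample_input() {
    cat <<'EOF'
*filter
:forwarding_lan_rule - [0:0]
:zone_lan_forward - [0:0]
[0:0] -A forwarding_lan_rule -p tcp --dport 22 -m comment --comment "existing-user-rule" -j ACCEPT
[3:180] -A zone_lan_forward -s 192.0.2.10/32 -m comment --comment "##forwarding_lan_rule## block-host" -j REJECT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
COMMIT
EOF
}

# Number of rules the given chain would hold after the rewrite.
rules_in_chain() {
    sample_input | rewrite_rules | grep -c -- "-A $1 " || true
}

# Number of lines that still carry the mark after the rewrite (should be 0).
mark_remaining() {
    sample_input | rewrite_rules | grep -c -- "$RULE_MARK" || true
}

# Show the rewritten dump when run directly.
sample_input | rewrite_rules
```

Running it prints the rewritten dump: the REJECT rule now reads `-A forwarding_lan_rule ...` with the comment reduced to ` block-host`, while the fw3 policy rule stays in zone_lan_forward. The counters survive because the lines are rewritten textually, which is why the real script uses `-c` on both save and restore.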