Okay, so I'll drop the trousers and show you my whole firewall-config:
(Before you ask: /etc/firewall.user is empty)
---
root @ OpenWrt ~ # cat /etc/config/firewall
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
option network 'lan'
option input ACCEPT
option output ACCEPT
option forward REJECT
config zone
option name wan
option network 'wan'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
### Customized Rules
# port redirect of remapped ssh port (2201) on wan
# SSH auf localhost
config redirect
option src wan
option src_dport 2201
option dest lan
option dest_port 22
option dest_ip 192.168.1.1
option proto tcp
# diese Regel sollte ueberfluessig sein
config rule
option src wan
option src_dport 2201
option target ACCEPT
# port redirect of remapped ssh port (2222) on wan
# SSH auf p3-roemer2201-laptop
config redirect
option src wan
option src_dport 2222
option dest lan
option dest_port 22
option dest_ip 192.168.1.201
option proto tcp
# port redirect of remapped ssh port (22) on wan
# SSH auf Homeserver
config redirect
option src wan
option src_dport 22
option dest lan
option dest_port 22
option dest_ip 192.168.1.200
option proto tcp
# port redirect of remapped web port (80) on wan
# HTTP auf Homeserver
config redirect
option src wan
option src_dport 80
option dest lan
option dest_port 80
option dest_ip 192.168.1.200
option proto tcp
# OpenVPN auf Bastelnetzwerk
config redirect
option src wan
option src_dport 1194
option dest lan
option dest_port 1194
option dest_ip 192.168.1.201
option proto udp
config rule
option src wan
option src_dport 53
option proto udp
option target DROP
### EXAMPLE CONFIG SECTIONS
# left out due to commented out
...
---