Here is my firewall script with port forwarding. I'm not using firewall.user at all.
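#!/bin/sh
# Router firewall with a TCP port-80 forward to an internal web server.
#
# Interfaces used below: lo, br0 and vlan1. The anti-spoofing and DNAT rules
# appear to treat vlan1 as the Internet-facing side and br0 as the LAN side.
#
# <lan server ip>, <web server ip> and <internet ip> are placeholders.
# Substitute real addresses before running: the shell parses a literal <...>
# as redirections, not as an address.

# Fail closed while the ruleset is rebuilt: the filter policies go to DROP
# before anything is flushed, so nothing is accepted or forwarded by default
# between the flush and the last rule below.
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT DROP
/usr/sbin/iptables -P FORWARD DROP
# nat and mangle keep ACCEPT policies; filtering is done in the filter table.
/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
/usr/sbin/iptables -t nat -P OUTPUT ACCEPT
/usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
/usr/sbin/iptables -t mangle -P OUTPUT ACCEPT

# Remove all existing rules (-F) and user-defined chains (-X) in each table.
/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t mangle -F
/usr/sbin/iptables -X
/usr/sbin/iptables -t nat -X
/usr/sbin/iptables -t mangle -X

# ---- INPUT: traffic addressed to the router itself ----
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT --fragment -p ICMP -j DROP
# ICMP type 8 is echo-request (ping), type 11 is time-exceeded.
/usr/sbin/iptables -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j DROP
/usr/sbin/iptables -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# NOTE(review): 244.0.0.1 lies in the reserved 240.0.0.0/4 range. If the
# all-hosts multicast group was meant, that address is 224.0.0.1 - confirm.
/usr/sbin/iptables -A INPUT -p ALL -d 244.0.0.1 -j DROP
# NetBIOS name/datagram services. The DROP policy would catch these too; the
# explicit rules only make the intent visible.
/usr/sbin/iptables -A INPUT -p udp -s 0/0 --dport 137 -j DROP
/usr/sbin/iptables -A INPUT -p udp -s 0/0 --dport 138 -j DROP
# NOTE(review): no -i match, so the router's own ports 80 and 22 accept
# connections arriving on any interface. Port 80 arriving on vlan1 is DNATed
# to the web server before it reaches INPUT, but port 22 stays reachable from
# vlan1. Add "-i br0" if management is meant to be LAN-only.
/usr/sbin/iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
# Replies to connections the router opened. Only ESTABLISHED is matched here;
# the FORWARD counterpart below also accepts RELATED.
/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# Anti-spoofing: private and loopback source addresses must not arrive on
# vlan1. -I inserts at the head of the chain, so these are evaluated before
# every -A rule above. If vlan1 sits behind another NAT with a private
# upstream range, these rules drop that upstream's traffic as well.
/usr/sbin/iptables -I INPUT -i vlan1 -s 10.0.0.0/8 -j DROP
/usr/sbin/iptables -I INPUT -i vlan1 -s 172.16.0.0/12 -j DROP
/usr/sbin/iptables -I INPUT -i vlan1 -s 192.168.0.0/16 -j DROP
/usr/sbin/iptables -I INPUT -i vlan1 -s 127.0.0.0/8 -j DROP

# ---- OUTPUT: traffic generated by the router itself ----
/usr/sbin/iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
/usr/sbin/iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p ALL -o lo -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p ALL -s <lan server ip> -j ACCEPT
# The lo, br0 and vlan1 rules accept everything leaving on those interfaces,
# so the OUTPUT DROP policy only affects any other interface.
/usr/sbin/iptables -A OUTPUT -p ALL -o br0 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p ALL -o vlan1 -j ACCEPT

# ---- FORWARD: traffic routed between br0 and vlan1 ----
# A NEW connection must start with SYN.
/usr/sbin/iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# Drop TCP flag combinations that a normal stack does not send.
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# --tcp-flags takes exactly two arguments: the flags to examine and the flags
# that must be set. With a third token iptables rejects the rule and it is
# never installed, so these two use the two-argument form.
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# NOTE(review): only TCP from br0 is forwarded. UDP and ICMP from br0 fall
# through to the DROP policy, and INPUT accepts no UDP either - confirm that
# br0 clients do not need DNS or other UDP services through this router.
/usr/sbin/iptables -A FORWARD -p tcp -i br0 -j ACCEPT
/usr/sbin/iptables -A FORWARD -i vlan1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Let the DNATed port-80 connections (nat PREROUTING below) through.
/usr/sbin/iptables -A FORWARD -i vlan1 -p tcp --dport 80 -d <web server ip> -j ACCEPT
# Anti-spoofing on vlan1, inserted at the head of the chain as for INPUT.
/usr/sbin/iptables -I FORWARD -i vlan1 -s 10.0.0.0/8 -j DROP
/usr/sbin/iptables -I FORWARD -i vlan1 -s 172.16.0.0/12 -j DROP
/usr/sbin/iptables -I FORWARD -i vlan1 -s 192.168.0.0/16 -j DROP
/usr/sbin/iptables -I FORWARD -i vlan1 -s 127.0.0.0/8 -j DROP

# ---- nat: port forwarding and source translation ----
# TCP 80 arriving on vlan1 is redirected to the internal web server.
/usr/sbin/iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 80 -j DNAT --to <web server ip>:80
# Same redirect for br0 clients that address <internet ip> (hairpin case).
/usr/sbin/iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -d <internet ip> -j DNAT --to <web server ip>:80
# NOTE(review): the nat table only sees the first packet of a connection, and
# these two rules match connections opened by the web server to a remote
# port 80. Replies to forwarded connections are translated back by connection
# tracking without any rule here - confirm these are still wanted.
/usr/sbin/iptables -t nat -A POSTROUTING -s <web server ip> -p tcp --dport 80 -o vlan1 -j SNAT --to <internet ip>:80
/usr/sbin/iptables -t nat -A POSTROUTING -s <web server ip> -p tcp --dport 80 -o br0 -j SNAT --to <internet ip>:80
# NOTE(review): no -o match, so every connection on every interface is
# masqueraded. Forwarded requests leaving br0 reach the web server with the
# router's address as source, so its access logs and any address-based
# controls never see the real client. The br0 hairpin forward relies on this,
# so narrowing the rule (e.g. -o vlan1) needs a dedicated SNAT rule for it.
/usr/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

# Enable routing only once the complete ruleset is in place.
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward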