All of this makes the assumption that you understand pseudocode :) It also assumes that eth0 is the LAN side of the firewall, and eth1 is the WAN side.

-t nat # Network address translation table ;) Put this on all commands
-P PREROUTING DROP # Bastard operator from THE DARKEST OF HELLS
-A PREROUTING -s mynet/24 -i eth0 -j ACCEPT # accept only my LAN, and only if coming in on eth0.
-A PREROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT # Any connection in progress or related (ftp-data, irc dcc) is okay
-A PREROUTING -p tcp --dport 22 -s trustedhost -j ACCEPT # Trust incoming ssh from trustedhost
-A POSTROUTING -s localnet/24 -i eth0 -j MASQUERADE # Here's the magic rule. The rest just protect j00 arse.
-A POSTROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT # Carrying on the rule from the prerouting chain.

The rest would be in the filter table (no -t needed). These basically protect the host itself, as compared to blocking unwanted route leeches :)

-P INPUT DROP # BOFH! :)
-A INPUT -i eth0 -p tcp -s localnet/24 --dport 22 -j ACCEPT # Trust localnet for ssh.
-A INPUT -i ! eth1 -p udp --dport 53 -j ACCEPT # only if you run a caching DNS on the firewall. block port 53 from wan
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # figure this one out yet?
# I left it out of the input chain because you don't need to ftp into
# the firewall. (Note that replies to connections the firewall itself
# opens, e.g. the DNS cache's upstream queries, also arrive on INPUT,
# so with a DROP policy they need an ESTABLISHED,RELATED rule there too.)
-A FORWARD -s localnet/24 -i eth0 -o eth1 -j ACCEPT # This works in tandem with the pre/postrouting above.
# you have to forward before you can postroute :)