# We'll call the LAN card in the Linux box eth1, and the internet connection eth0.
# Those of course may be different in your machine.
# Use ifconfig -a (or ip link) to determine.
# Also, we assume that your LAN is in the 192.168.0.0/255.255.255.0 subnet.
====================================================================================

# First we enable forwarding in the kernel, and reverse-path filtering, so that packets
# whose source address doesn't belong on the interface they arrived on (a spoofed LAN
# address coming in on eth0, for instance) are discarded by the kernel.

echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# The next 2 commands clear all the rules from the filter table and from the nat table.
# (The mangle table is not touched; it is empty unless you put something there yourself.)
# Caution if you do this over SSH: flushing removes the ESTABLISHED rule (4), so if the
# INPUT policy is already DROP your session dies. Set the policy to ACCEPT before flushing,
# or load the whole ruleset in one go with iptables-restore.

1. iptables -F
2. iptables -t nat -F

# This tells iptables to accept all traffic coming from all devices except eth0 (internet).
# That includes the loopback interface, which local services rely on.
# This rule is added as the first rule in the INPUT chain (-I inserts at the top, -A appends).
# Notice that this rule doesn't actually deny traffic from eth0; that is left to rules 5, 6
# and the default policy (11).
# Current iptables wants the negation in front of the option; the old "-i ! eth0" spelling
# is still accepted, but with a deprecation warning.

3. iptables -I INPUT ! -i eth0 -j ACCEPT

# This is the line for the stateful firewall.
# It means that packets from eth0 are accepted only when they belong to a connection this
# box opened itself (ESTABLISHED), or to one that connection tracking knows is related to it
# (RELATED: ICMP errors for that connection, the data connection of active FTP, and so on).

4. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# These 2 lines aren't strictly necessary, because the default INPUT policy (11) drops
# everything else anyway. We reject unwanted connection attempts here instead of dropping them
# so the internet side gets a TCP reset / ICMP port-unreachable, exactly what a host with
# nothing listening would send. A port scanner then reports "closed" rather than "filtered",
# so others won't immediately know you have a firewall.
# (icmp-port is accepted as an abbreviation of icmp-port-unreachable.)

5. iptables -A INPUT -p tcp -i eth0 -j REJECT --reject-with tcp-reset
6. iptables -A INPUT -p udp -i eth0 -j REJECT --reject-with icmp-port-unreachable

Now we add the rules for NAT. Traffic passing through the box from one interface to the other
goes through the FORWARD chain; INPUT only sees traffic addressed to the box itself.
# Note: the header assumed a /24 LAN, but the three rules below use the whole 192.168.0.0/16
# private block (255.255.0.0). That works, but tightening the masks to your real LAN prefix
# keeps a packet with a spoofed 192.168.x.y source arriving on eth1 from being forwarded.

# Nothing coming in from the LAN that is addressed to private 192.168 space is routed through
# this box: no stray LAN-to-LAN traffic, and nothing addressed to private space leaks out masqueraded.
7. iptables -I FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j DROP
# LAN hosts (with a LAN source address) may go out.
8. iptables -A FORWARD -i eth1 -s 192.168.0.0/255.255.0.0 -j ACCEPT
# Replies coming back from the internet to LAN addresses may go in.
# Caveat: this rule has no state match, so anything arriving on eth0 that is already addressed
# to 192.168.x.y (which a neighbour on the upstream link could craft) is forwarded as well.
# The safer form is to accept only "-m state --state ESTABLISHED,RELATED" here, plus one
# explicit rule per port you DNAT in (see the WWW server example further down).
9. iptables -A FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j ACCEPT

# IP-Masquerading means NAT: the source address of every packet leaving on eth0 is rewritten
# to eth0's own address, and connection tracking rewrites the replies back to the LAN host.
10. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

We set the policies for the chains:
11. iptables -P INPUT DROP      # We want to drop any packets that don't match our rules, don't we?
12. iptables -P FORWARD DROP    # Same here..
13. iptables -P OUTPUT ACCEPT   # We usually allow everything out and only block specific things we don't want.
=================================================================================
Optional things you can do:

To see the current rules you have you can use the -L argument:
iptables -L                              (this shows everything in the filter table)
iptables -t nat -L                       (shows everything in the nat table)
iptables -L -v / iptables -t nat -L -v   (-v=verbose, which also shows the interfaces and packet/byte counters)
Add -n to skip the reverse DNS lookups that otherwise make the listing slow, and --line-numbers
if you want to insert or delete at a particular position.
You can also view a certain chain only:
iptables -L INPUT -v

If you wish to drop all ICMP coming from the internet (which is considered another security measure):
iptables -I INPUT -p icmp -i eth0 -j DROP
Two things to know about this rule. With the ruleset above it is mostly redundant: ICMP from eth0
that matches nothing else already falls through to the INPUT DROP policy. And because -I puts it
in front of the stateful rule (4), it also drops the ICMP errors that belong to your own
connections (fragmentation-needed, for example), which breaks path MTU discovery from the
Linux box itself. If you want the rule anyway, append it with -A so rule 4 still sees RELATED ICMP first.
However, accepting echo-requests and echo-replies (ping) shouldn't be a problem for us and we can permit it.
If you have added the line to block all ICMP then you should add the following lines above that
rule in the INPUT chain (-I inserts at the top, so run them after the DROP rule):
iptables -I INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
iptables -I INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
If you have blocked all ICMP and didn't add the rules to allow echo, you won't be able to ping
directly from your Linux box (the replies are dropped before rule 4 sees them), but you shouldn't
have any problem pinging from behind the NAT: that traffic goes through the FORWARD chain, not INPUT.

To allow SSH from the internet side:
iptables -I INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Port forwarding (DNAT). For example, let's say you are running a WWW server on a computer whose IP
is 192.168.0.5, so the rule in the NAT would be:
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.5
DNAT only rewrites the destination address; the packet still has to pass the FORWARD chain afterwards.
Rule 9 above lets it through because it accepts anything from eth0 addressed to 192.168.x.y. If you
tighten rule 9 to a state match, add an explicit FORWARD ACCEPT for tcp port 80 to 192.168.0.5 as well,
or the forwarded connections will be dropped by the FORWARD policy.

iptraf is nice to have, get it!
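As an added example (not code from the howto itself), here is the complete ruleset of steps 1-13 together with the optional SSH, ping and WWW port-forward rules, written as shell functions that emit an iptables-restore file. eth0/eth1, 192.168.0.0/24 and the web server at 192.168.0.5 are assumptions carried over from the text. Three things are deliberately different from the howto and are marked in the comments: "-m conntrack --ctstate" is the current spelling of "-m state --state", rule 9 is replaced by a state match plus one explicit rule for the DNATed port, and the rules are loaded atomically with iptables-restore instead of one command at a time.

```shell
#!/bin/sh
# Added example, not part of the original howto: the same firewall as one
# iptables-restore file, generated by shell functions so it can be reviewed
# (and grepped) before it is loaded in a single step. Interface names, the
# LAN prefix and the web server address are assumptions taken from the
# howto's conventions; override them in the environment.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WWW="${WWW:-192.168.0.5}"

# filter table. Deviations from the howto are deliberate:
#  - "-m conntrack --ctstate" is the current spelling of "-m state --state"
#  - internet->LAN forwarding needs a tracked connection or the explicit DNAT
#    rule, instead of the howto's "anything addressed to 192.168.x.y" (rule 9)
#  - the LAN source is checked against the real /24, not the whole /16
#  - ICMP errors for our own connections stay RELATED (path MTU discovery
#    keeps working); only echo-request is opened explicitly
gen_filter() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# trust everything that is not the internet side (LAN and loopback)
-A INPUT ! -i $WAN -j ACCEPT
# replies to connections this box opened, and ICMP errors related to them
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $WAN -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT
# look like a host with nothing listening rather than a filtered port
-A INPUT -i $WAN -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i $WAN -p udp -j REJECT --reject-with icmp-port-unreachable
# LAN -> internet, only with a genuine LAN source and never back into LAN space
-A FORWARD -i $LAN -d $LAN_NET -j DROP
-A FORWARD -i $LAN -s $LAN_NET -o $WAN -j ACCEPT
# internet -> LAN: replies to LAN-initiated traffic, plus the published web port
-A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN -o $LAN -p tcp -d $WWW --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# nat table: port-forward 80 to the internal web server, masquerade the rest
gen_nat() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WWW
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

gen_rules() {
    gen_filter
    gen_nat
}

# Load the whole ruleset in one step (root only). iptables-restore swaps the
# tables atomically, so there is no window with the old rules flushed and the
# ESTABLISHED rule not yet back; that makes it safe to run over SSH.
# "--test" only parses the file, so a typo is caught before anything changes.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
    gen_rules | iptables-restore --test && gen_rules | iptables-restore
}

# Without an argument just print the ruleset for review; "apply" loads it.
case "${1:-show}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it with no argument to review the generated file (WAN=ppp0 ./fw.sh if your internet interface has another name), then as root with "apply" to load it; "iptables-save" afterwards should show the same rules back.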