iptables(8) -A FORWARD -m conntrack --ctstate NEW -i eth1 -s -j ACCEPT
administration tool for IPv4 packet filtering and NAT
-A, --append chain rule-specification
       Append one or more rules to the end of the selected chain.  When  the  source  and/or  destination
       names  resolve  to  more  than  one  address,  a  rule  will  be  added  for each possible address
[!] --ctstate statelist
       statelist is a comma separated list of the connection states to match.  Possible states are listed
[!] -i, --in-interface name
       Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD
       and PREROUTING chains).  When the "!" argument is used before the interface  name,  the  sense  is
       inverted.   If  the  interface  name ends in a "+", then any interface which begins with this name
       will match.  If this option is omitted, any interface name will match.
[!] -s, --source address[/mask][,...]
       Source specification. Address can be either a network name, a hostname, a network IP address (with
       /mask),  or a plain IP address. Hostnames will be resolved once only, before the rule is submitted
       to the kernel.  Please note that specifying any name to be resolved with a remote  query  such  as
       DNS is a really bad idea.  The mask can be either a network mask or a plain number, specifying the
       number of 1's at the left side of the  network  mask.   Thus,  a  mask  of  24  is  equivalent  to   A "!" argument before the address specification inverts the sense of the address.
       The flag --src is an alias for this option.  Multiple addresses can be specified,  but  this  will
       expand  to  multiple rules (when adding with -A), or will cause multiple rules to be deleted (with
-j, --jump target
       This  specifies the target of the rule; i.e., what to do if the packet matches it.  The target can
       be a user-defined chain (other than the one this rule is in), one of the special  builtin  targets
       which  decide the fate of the packet immediately, or an extension (see EXTENSIONS below).  If this
       option is omitted in a rule (and -g is not used), then matching the rule will have  no  effect  on
       the packet's fate, but the counters on the rule will be incremented.
source manpages: iptables