The route of the packets can be summarized quite easily:
The rulesets used always depend on the source of the packets.
Rules that modify packets are always performed first. This includes NAT, port forwarding, static NAT and transparent proxy. All following rules will only see the already modified packets.
The connections of the Intra2net system itself cannot be restricted.