Question one:
I have been confusing with "output", "input" and "forward"...
I am a green hand in Ros, and I have referred few references, but still can not make clear about the concept of "output","input" and "forward"...
In my view that "input" and "output" means that the communication which within the confine of the Lan, the traffic flow could not go out beyond the gateway and do not involved with Public IP; As to "forward", means one computer which is outside a Lan desires to corresponds with a workstation which within the Lan, the packets must go through the gateway. Am I right?

Question Two:
There is a question worrying me,why so many "established connections" in my "Firewall-Filter-connection" like below picture?
The situation is,every time when I launched a P2P software and after few minutes then I closed it.But the large amount of connections which the P2P software established would not be closed,it remain to exist. I have tried to reduce the value of "TCP established timeout",but when the "timeout" run over ,the connections would close,but it seems could automaticlly establish another connection again.So please look at the left-bottom of the picture, "309 items" maintain "established connections" after I closed the P2P software an hour.I just have one work-station in the Lan(it hard to imagine how many "established connection" would exist if few more stations... ),the "items" sometimes amount to thousands,the most horrible is that,these thousands "established connections" would last forever,it wouldn't end itself unless I reboot the router.Had I done something wrong in some where? Can someone that generously give me a succor? Thanks

Question Three:
And one thing I don't understand,the communication is between "Dst.Address" "116.23.73.80"(my ADSL Ip address) and outside Internet,not involved with my computer's address-192.168.2.2 at all.Is this so call "forward"?

One: 'input' contains all traffic that is destined directly for the router. 'output' contains all traffic generated by the router itself'. 'forward' contains all traffic that isn't from the router directly, or to the router directly, but traffic flowing through the router between the networks it connects to one another.

Two: The connections in your screen shot are established TCP connections flowing through your router. There doesn't seem to be anything wrong with them at all. What is 116.23.73.32? It looks like a web server that clients from all over the place are talking to.

Three: don't understand the question, sorry.

What exact meaning of mine is how to cut off these vast useless "established connection"？
Because at the moment I token the upper picture,I only have one computer in this Lan(means no other computers which belong this Lan are communicating with the outside internet), and I have closed all the application in this workstation(even pulled out the network wire),in other words, there should be none traffic flow between the Lan and outside Internet.
These "established connection" seems were established when I used P2P software,but these "established connection" can't be closed consequently when I closed the P2P software,my router still communicated with outside Internet covertly,without my instruction.
And this situation is taking place of one computer in the Lan ever used P2P software,if hundreds of computer in the Lan ever used P2P software, the great quantity of the "established connection" should be unimaginable......and these large number of "established connection" will be consuming the sources of my router continuously,block down the router eventually. Thanks.

Set up firewall to drop incoming tcp/80 connections to your router.
Set in firewall connection limit.