Well, I think you're including kernel IP stack filtering in with routing. I'm not really all that familiar with the Linux IP stack, and whatever they're calling the NAT/firewall module these days changes it a lot anyway. On most OSes I know of, the kernel doesn't care what interface a packet came in on when it receives it; it either deals with it if it's an IP it has, forwards it if not and forwarding is enabled, and otherwise it drops it. Firewalls change that a lot, and not knowing the ins and outs of the firewall you're using, I can't tell you exactly what. Of course, firewalls also modify the OS's normal routing, and it's certainly possible that modifying the firewall routing also modifies other parts of the stack, too. Basically what I'm saying at this point is that all normal, established IP know-how is thrown out of the window when you're dealing with a firewall and you have to know the ins and outs of the firewall itself.
Nothing you've described is wrong. It's just that the Linux firewall doesn't like it for some reason. I've had virtually the same setup with OpenBSD and not had this problem at all. It's just quirky.
_________________________
Bitt Faulk