You should not use the BRIDGE00 interface in your iptables rules, but its components VPN00 and ETH00, and then it makes no sense to use NEW and ESTABLISHED together.
If, for example, you want only the connections initiated from your LAN to be forwarded to the VPN, you just have to configure the firewall to look like the following:
Chain FORWARD (policy ACCEPT 7 packets, 588 bytes)
pkts bytes target prot opt in out source destination
8 672 ACCEPT all -- VPN00 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- VPN00 * 0.0.0.0/0 0.0.0.0/0
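
The first-match behaviour of the listing above, as an added example that is not part of the original post: a simplified model that parses the two rule lines and returns the verdict for a packet given its inbound interface and connection state. The sample packets are constructed, and the conntrack state is supplied by hand rather than derived from real traffic.

```python
# Added illustration: simplified first-match model of the FORWARD chain above.
# Conntrack state is passed in by hand; real netfilter derives it per flow.

LISTING = """\
8 672 ACCEPT all -- VPN00 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- VPN00 * 0.0.0.0/0 0.0.0.0/0
"""
POLICY = "ACCEPT"  # chain policy shown in the listing header


def parse_rules(listing):
    """Turn `iptables -L -v -n` rule lines into (target, in_if, states)."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9:  # pkts bytes target prot opt in out src dst
            continue
        target, in_if = fields[2], fields[5]
        # Optional trailing "state A,B" match; None means any state matches.
        states = set(fields[-1].split(",")) if "state" in fields[9:] else None
        rules.append((target, in_if, states))
    return rules


def verdict(rules, in_if, state, policy=POLICY):
    """Return the target of the first matching rule, else the chain policy."""
    for target, rule_if, states in rules:
        if rule_if not in ("*", in_if):
            continue
        if states is not None and state not in states:
            continue
        return target
    return policy


RULES = parse_rules(LISTING)

if __name__ == "__main__":
    # Constructed sample packets: (inbound interface, conntrack state).
    samples = [("ETH00", "NEW"), ("VPN00", "ESTABLISHED"),
               ("VPN00", "RELATED"), ("VPN00", "NEW")]
    for in_if, state in samples:
        print(f"in={in_if:<6} state={state:<12} -> {verdict(RULES, in_if, state)}")
```

Reversing the two rules makes the DROP match first, so replies arriving on VPN00 are dropped as well; the order in the listing is what lets LAN-initiated connections work.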