When I run iptables -L, I get reams and reams of junk. I've gone through it and understand more than half of it, but it seems like there are some rules there that I don't want, and there are some that I do want that aren't there. I can manually tweak the chains a little bit (for instance, I manually disabled and re-enabled forwarding 8079 on the gateway to 8080 on the Sun box via iptables -t nat -R blah blah blah... yay!) but I can't find where the rules live. Is there a central config file that has all the rules?
I presume you're using SuSEFirewall2. It probably has a central config file; try "rpm -ql SuSEfirewall2 | grep etc". There will also be one or more scripts in /etc/init.d/ that start up and stop the packet filter. You can read those to find out how the thing actually works. I don't use SFw2 myself (I prefer to roll my own), so I can't give you anything more specific.
If I change things via the command line,
By using the iptables command, as you have already been doing.
and like my changes, how do I make them effective after a restart?
You need to change the config file and perhaps the SFw2 scripts for this.
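An added example, not part of Tobias's reply or of SuSEfirewall2 itself: one way to keep hand-tuned rules across a reboot is to dump the live rule set with iptables-save and reload it with iptables-restore from a script that runs after the firewall has started. The rules file path is an assumption, and the iptables-save dump embedded for the offline checks is constructed, modelled on the 8079 forward from the thread with 192.168.0.3:8080 assumed as the Sun box target.

```shell
#!/bin/sh
# Added example, not from the thread: keep hand-tuned iptables rules across a
# reboot using iptables-save / iptables-restore (stock iptables tools, nothing
# to do with SuSEfirewall2). RULES_FILE is an assumed path; the sample dump
# below is constructed, modelled on the 8079 -> Sun box forward in the thread,
# with 192.168.0.3:8080 assumed as the target.
RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables.local}

# Dump every table (filter, nat, mangle) of the live rule set to RULES_FILE.
# Run this once the rules look right to you.
save_rules() {
    iptables-save > "$RULES_FILE"
}

# Load the dump back. Order matters at boot: call this from a script that runs
# AFTER SuSEfirewall2, otherwise SFw2 flushes the tables and overwrites your work.
restore_rules() {
    iptables-restore < "$RULES_FILE"
}

# Before trusting a dump, check that the forward you care about is in it.
# $1 = dump file, $2 = external dport, $3 = internal host:port
dump_has_forward() {
    grep -q -- "--dport $2 .*-j DNAT --to-destination $3" "$1"
}

# How many DNAT rules does a dump carry? Handy for spotting duplicates left
# behind by repeated -A instead of -R.
dump_count_dnat() {
    grep -c -- '-j DNAT' "$1"
}

# Constructed iptables-save output for exercising the checks above offline.
# $1 = file to write
sample_dump() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample, not a real capture)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8079 -j DNAT --to-destination 192.168.0.3:8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 192.168.0.3/32 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
EOF
}
```

Source the file, adjust the live rules with iptables -A/-R/-D until they do what you want, then call save_rules; run dump_has_forward against the file before relying on it, and call restore_rules from an init script ordered after the firewall. Whether SuSEfirewall2 has its own hook for custom rules is something the files turned up by the rpm -ql listing above will tell you; if it does, that is the cleaner place to put them.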
Another thing I can't figure out is how to allow the internal network to access my domain just like an outside user would; for instance, I'm at 192.168.0.1 and I want to hit http://example.com, which is currently DNATed to 192.168.0.3:80 -- how can I tweak my config such that 192.168.0.1 can surf to http://example.com and have everything get resolved OK?
Well, I wouldn't even attempt to do that with IP packet munging, but would instead use an internal DNS server and DNS cache to present different data for example.com to the inside than the Internet sees. Cheers, Tobias
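An added example of the split-horizon approach Tobias recommends, not part of his reply: a dnsmasq fragment whose address= directive makes LAN clients resolve example.com (and every name under it) to the internal web server, while queries for anything else still go upstream. The address= syntax is real dnsmasq configuration; the config path, the domain names and the LAN addresses are assumptions for illustration (192.168.0.3 being the DNAT target from the thread), and the matching function only mirrors dnsmasq's longest-domain rule so the fragment can be checked without a running resolver.

```shell
#!/bin/sh
# Added example, not from the thread: split-horizon DNS with dnsmasq, the
# "present different data to the inside" approach. The address= directive is
# real dnsmasq syntax; CONF_FILE, the domain names and the LAN addresses are
# assumptions for illustration (192.168.0.3 is the DNAT target from the thread).
CONF_FILE=${CONF_FILE:-/etc/dnsmasq.d/split-horizon.conf}

# Write a dnsmasq fragment. Each "domain ip" pair becomes address=/domain/ip,
# which answers the name itself AND everything under it with the LAN address,
# while every other query is still forwarded to the upstream resolvers.
# $1 = conf file, then domain ip [domain ip ...]
write_split_conf() {
    out=$1; shift
    {
        echo "# split horizon: LAN clients see internal addresses for our own names"
        while [ $# -ge 2 ]; do
            echo "address=/$1/$2"
            shift 2
        done
    } > "$out"
}

# Offline check of what a LAN client would get for a name, following dnsmasq's
# rule that the longest (most specific) matching address= domain wins.
# $1 = conf file, $2 = name. Prints the address; returns 1 if nothing matches,
# meaning the query would be forwarded upstream unchanged.
internal_answer() {
    name=$2; best=; bestlen=0
    while IFS= read -r line; do
        case $line in
            address=/*/*) ;;
            *) continue ;;
        esac
        dom=${line#address=/}; dom=${dom%%/*}
        ip=${line##*/}
        case $name in
            "$dom"|*".$dom")
                if [ ${#dom} -gt $bestlen ]; then best=$ip; bestlen=${#dom}; fi ;;
        esac
    done < "$1"
    [ -n "$best" ] && echo "$best"
}
```

Run write_split_conf "$CONF_FILE" example.com 192.168.0.3 on the gateway, check the syntax with dnsmasq --test, restart dnsmasq, and point the LAN clients (via DHCP or manually) at the gateway as their resolver; 192.168.0.1 then reaches http://example.com at 192.168.0.3 directly, with no NAT involved. Whether dnsmasq reads /etc/dnsmasq.d/ depends on a conf-dir= line in its main config, so check that on your system. This only changes name resolution: anything that has the public address hard-coded will still go out the external interface.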