It is necessary to turn the computer with debian into a router:

sysctl net.ipv4.ip_forward=1 # Разрешаем шлюзу передавать транзитный трафик
iptables -F FORWARD # На всякий случай очистим цепочку FORWARD
# Разрешаем проходить пакетам по уже установленным соединениям
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Разрешаем исходящие соединения из локальной сети к интернет-хостам
iptables -A FORWARD -m conntrack --ctstate NEW -i eth1 -j ACCEPT
iptables -P FORWARD DROP # Весь остальной транзитный трафик — запрещаем.
iptables -t nat -F POSTROUTING # На всякий случай очистим цепочку POSTROUTING таблицы nat
# Маскарадим весь трафик, идущий через eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Read the iptables tutorial

#here there is a question: I forbid all local outgoing packets from eth0, but from eth1->eth0 - will it be considered ?
iptables -A OUTPUT -o etho -j DROP

With this rule, you will cut off access to the Internet from the Debian router itself. the packet first passes output and then postrouting. Here is a visual diagram:

iptables -tnat
won't work because -t nat will be valid.

#собственно думаю понятно, что я хотел сделать
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

you dropped all traffic forwarding. After the first rule, the subsequent ones will not work.

#принимаем только установленные
iptables -P INPUT DROP

You have restarted your computer. There are no established connections yet. how will you connect?

you dropped all traffic forwarding. After the first rule, the subsequent ones will not work.

how I dropped it:
iptables -P FORWARD DROP is the default policy
and added 2 allowing rules
about

won't work because -t nat will be valid.

honestly did not understand -t nat and -tnat - the same thing
established connections will appear on my initiative when I issue a connection request, not me ...

It's not very clear what you want to do. What is the address in DNAT, what are the addresses on the interfaces?
Not good. First you banned the forward, then you allowed it. Do you have more than two adapters there?
If you need to make a simple primitive NAT, as on ordinary routers, then this is done in a completely different way, without dnat, but with snat / masquerade.
iptables -t nat -A POSTROUTING -o <interface towards the internet> -j MASQUERADE
iptables -P FORWARD ACCEPT
sysctl -w net.ipv4.ip_forward=1
This is usually enough if you haven't screwed up elsewhere.