Since you haven't given us much to work with, here are a couple of suggestions.
1) Remember that iptables compares a packet header against the rules sequentially.
Code:
iptables -A INPUT -p tcp --dport 80 -s x.x.x.x -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
In this case, packets matching the source IP x.x.x.x will never be compared against the second rule, because they are finished being processed at the point of the first rule.
2) Use "watch iptables -t $Table -nvL $Chain" and generate some relevant traffic to watch the packet/byte counters increasing to diagnose what rule is affecting that traffic.
3)
Quote:
Additionally, please share security considerations for the nat table, I mean if it's enough that MASQUERADE rule alone and the drop rules at the filter table for security
The nat table isn't really a security thing. Sure there may be more or less secure ways of doing NAT, but no packet filtering takes place in the nat table.
This link has some good descriptions of the purposes of the tables/chains, targets/jumps, and different methods of matching packets.
I also recommend reading the man page, cover to cover, a few times.
And finally, also remember you can run "iptables -m $module --help" for info on additional options for iptables modules.
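An added example, not part of the original post, tying suggestions 1 and 2 together: a small POSIX shell helper that diffs two snapshots of `iptables -nvL` output for one chain and reports which rules' packet counters moved. The snapshot text is constructed sample output (the source address 203.0.113.7 is a documentation address), so it runs without root or iptables.

```shell
#!/bin/sh
# Added example (not from the original post). In real use, take the snapshots with
#   iptables -t filter -xnvL INPUT > before.txt   # -x prints exact counters, no K/M suffixes
# generate the traffic, snapshot again, and compare.

# counter_delta BEFORE AFTER
# Prints one line per rule whose pkts counter changed:
#   "<rule#> <delta_pkts> <target> <rest of rule>"
# Rules are numbered in chain order, which is also the order iptables evaluates them.
counter_delta() {
    b=$(mktemp) && a=$(mktemp) || return 1
    printf '%s\n' "$1" > "$b"
    printf '%s\n' "$2" > "$a"
    awk '
        /^Chain / || /^ *pkts +bytes/ || NF == 0 { next }   # skip chain line, header, blanks
        NR == FNR { before[++n] = $1; next }                 # first file: pkts per rule
        {
            i++
            delta = $1 - before[i]
            if (delta != 0) {
                rest = ""
                for (f = 3; f <= NF; f++) rest = rest " " $f
                printf "%d %d%s\n", i, delta, rest
            }
        }' "$b" "$a"
    rm -f "$b" "$a"
}

# Constructed snapshots: the chain from suggestion 1, before and after traffic
# from 203.0.113.7 to port 80. Only the first (DROP) rule's counter moves;
# the ACCEPT rule below it never sees those packets.
BEFORE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DROP       tcp  --  *      *       203.0.113.7          0.0.0.0/0            tcp dpt:80
  340 25000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

AFTER='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   15   900 DROP       tcp  --  *      *       203.0.113.7          0.0.0.0/0            tcp dpt:80
  340 25000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# Stand-alone demo: which rule absorbed the traffic generated between snapshots?
counter_delta "$BEFORE" "$AFTER"
```

If a rule you expected to match never shows up in the delta, an earlier rule in the chain has already terminated processing for that traffic.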