You can have your chains grouped in pretty much any order you want. What matters is the order of the rules within each chain itself. For example, this:
Code:
iptables -t nat -A PREROUTING -i eth3 \
-j DNAT --to-destination 192.168.55.36
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
iptables -A INPUT -p TCP -s 192.168.10.101 -j DROP
iptables -A FORWARD -p TCP -i eth0 -o eth1 -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
Is the same as this:
Code:
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p TCP -s 192.168.10.101 -j DROP
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
iptables -A FORWARD -p TCP -i eth0 -o eth1 -j DROP
iptables -t nat -A PREROUTING -i eth3 \
-j DNAT --to-destination 192.168.55.36
But this:
Code:
iptables -A FORWARD -p TCP -j ACCEPT
iptables -A FORWARD -p TCP --dport 80 -j DROP
Is NOT the same as this:
Code:
iptables -A FORWARD -p TCP --dport 80 -j DROP
iptables -A FORWARD -p TCP -j ACCEPT
The latter would filter HTTP packets, while the former would allow them, as any TCP packets would get sent to ACCEPT and wouldn't even get to the DROP rule.
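To make the two points above concrete (chain order across commands is irrelevant, rule order inside a chain is decisive), here is a small first-match simulator. It is an added example, not iptables and not code from the post: it parses only the option subset the listings use (-t, -A, -p, --dport, -j; interface and address options are consumed but not modelled) and walks a chain top to bottom the way the kernel does. The rule strings are constructed from the post's own listings, with the line continuation joined. On a real host the equivalent check is `iptables -S FORWARD` or `iptables -L FORWARD -n --line-numbers`, which print the chain in evaluation order.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: Optional[str] = None   # "tcp"/"udp"; None matches any protocol
    dport: Optional[int] = None   # destination port; None matches any port
    target: str = "ACCEPT"        # rule target (ACCEPT, DROP, DNAT, ...)


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int


def parse_rule(cmd: str) -> Tuple[str, str, Rule]:
    """Parse the subset of iptables syntax used in the post into (table, chain, Rule).

    Understands -t, -A, -p, --dport and -j. Interface/address options
    (-i, -o, -s, -d) and DNAT's --to-destination are consumed but not modelled,
    so this is a simulation for the ordering point only, not a full parser.
    """
    args = shlex.split(cmd)
    table, chain, proto, dport, target = "filter", None, None, None, None
    i = 0
    while i < len(args):
        opt = args[i]
        if opt == "-t":
            table = args[i + 1]
        elif opt == "-A":
            chain = args[i + 1]
        elif opt == "-p":
            proto = args[i + 1].lower()     # iptables accepts TCP/tcp alike
        elif opt == "--dport":
            dport = int(args[i + 1])
        elif opt == "-j":
            target = args[i + 1]
        elif opt in ("-i", "-o", "-s", "-d", "--to-destination"):
            pass                            # option + value skipped below
        else:
            i += 1                          # e.g. the leading "iptables" word
            continue
        i += 2
    if chain is None or target is None:
        raise ValueError(f"unsupported rule: {cmd}")
    return table, chain, Rule(proto, dport, target)


def build_chains(commands: List[str]) -> Dict[Tuple[str, str], List[Rule]]:
    """Group -A commands into per-(table, chain) lists, preserving append order."""
    chains: Dict[Tuple[str, str], List[Rule]] = {}
    for cmd in commands:
        table, chain, rule = parse_rule(cmd)
        chains.setdefault((table, chain), []).append(rule)
    return chains


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto is None or rule.proto == pkt.proto.lower()) and \
           (rule.dport is None or rule.dport == pkt.dport)


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides the verdict.

    Returns (target, 1-based rule position), or (policy, None) if nothing matched.
    """
    for position, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return rule.target, position
    return policy, None


# Constructed from the post's first two listings (same rules, different order).
ORDER_A = [
    "iptables -t nat -A PREROUTING -i eth3 -j DNAT --to-destination 192.168.55.36",
    "iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE",
    "iptables -A INPUT -p TCP -s 192.168.10.101 -j DROP",
    "iptables -A FORWARD -p TCP -i eth0 -o eth1 -j DROP",
    "iptables -A OUTPUT -o lo -j ACCEPT",
]
ORDER_B = [ORDER_A[4], ORDER_A[2], ORDER_A[1], ORDER_A[3], ORDER_A[0]]

# The two FORWARD chains from the post's last two listings.
ACCEPT_FIRST = [
    "iptables -A FORWARD -p TCP -j ACCEPT",
    "iptables -A FORWARD -p TCP --dport 80 -j DROP",
]
DROP_FIRST = list(reversed(ACCEPT_FIRST))


def http_verdict(commands: List[str]):
    """Verdict for a TCP/80 packet traversing the filter FORWARD chain."""
    chain = build_chains(commands)[("filter", "FORWARD")]
    return evaluate(chain, Packet("tcp", 80))


if __name__ == "__main__":
    print("chains identical across orderings:", build_chains(ORDER_A) == build_chains(ORDER_B))
    print("ACCEPT-first FORWARD, HTTP:", http_verdict(ACCEPT_FIRST))
    print("DROP-first  FORWARD, HTTP:", http_verdict(DROP_FIRST))
```

The simulation returns the rule position along with the verdict, which is the number `--line-numbers` shows and the argument `-I FORWARD N` takes when a rule has to land above an existing catch-all rather than being appended below it with `-A`.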