There are tables, which have many chains, each of which has many rules. A rule is a pair

You keep going down a chain until a rule matches, then do what it says.
A chain also has a default policy, which says what to do if no rule in it matches.

table: filter   chains: INPUT, FORWARD, OUTPUT
table: nat      chains: PREROUTING, OUTPUT, POSTROUTING
table: mangle   chains: PREROUTING, OUTPUT; INPUT, FORWARD, POSTROUTING (the last three only on kernels 2.4.18 and later)
table: raw      chains: PREROUTING, OUTPUT

----
for nat, where eth0 is the public interface:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Two caveats: writing to /proc does not survive a reboot (set net.ipv4.ip_forward=1 in sysctl.conf to persist it), and MASQUERADE only rewrites addresses in the nat table; whether the packets are forwarded at all is still decided by the filter table's FORWARD chain and its default policy.
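The two-line NAT recipe above leaves the filter table alone, so with FORWARD defaulting to ACCEPT anything arriving on the public interface can be forwarded to hosts behind the gateway. The following script is an added example, not part of these notes: it performs the same set-up with an explicit FORWARD policy. The interface names eth0/eth1, the LAN range 192.168.1.0/24 and the DRY_RUN switch are assumptions for illustration, and it relies on the conntrack match extension being available. By default it only prints the commands it would run; set DRY_RUN=0 and run as root to apply them.

```sh
#!/bin/sh
# Added example (not from the notes above): a NAT gateway set-up that pairs the
# MASQUERADE rule with the FORWARD filtering it needs. Interface and network
# names are hypothetical. Dry-run by default: DRY_RUN=0 applies the rules.
DRY_RUN="${DRY_RUN:-1}"

# run CMD... : print the command in dry-run mode, execute it otherwise
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# nat_gateway WAN_IF LAN_IF LAN_CIDR
nat_gateway() {
    wan="$1"; lan="$2"; lan_net="$3"

    # 1. Let the kernel forward between interfaces. Same effect as
    #    echo 1 > /proc/sys/net/ipv4/ip_forward; neither survives a reboot,
    #    so persist it with net.ipv4.ip_forward=1 in /etc/sysctl.conf.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. nat/POSTROUTING: rewrite the source of LAN packets leaving the public
    #    side to whatever address $wan currently has. MASQUERADE re-reads that
    #    address, so it suits DHCP/PPP links; use SNAT --to-source for a fixed IP.
    run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan" -j MASQUERADE

    # 3. filter/FORWARD: MASQUERADE does not decide whether packets are
    #    forwarded. Default-deny, then allow LAN -> WAN and only replies back in.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -i "$lan" -o "$wan" -s "$lan_net" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$lan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage: DRY_RUN=0 ./nat.sh eth0 eth1 192.168.1.0/24
nat_gateway "${1:-eth0}" "${2:-eth1}" "${3:-192.168.1.0/24}"
```

Rule order matters within FORWARD: the INVALID drop comes first so that stray packets never reach the ACCEPT rules, and the reply rule restricts the public interface to traffic conntrack already associates with an outbound connection.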