Further to the other good answers, I recently had to use the mangle table to adjust for MTU (maximum transmission unit) discrepancies caused by traffic being brought through PPPoE, PPP, and ATM, each of which adds overhead that reduces the payload available for IP from the usual 1500 bytes of an Ethernet frame.
Systems on each end of the pipe, as is normal, would have their MTU at the regular default of 1500 and so they would try to send IP frames that large. Since the actual payload size available was smaller, this would have caused packet fragmentation, except that often the sender will request that packets not be fragmented, and as such they end up getting dropped entirely.
In an ideal world, path MTU discovery would have allowed the endpoints to adjust their MTU down as needed, but this discovery depends upon ICMP, and networks outside of my control were often configured to drop ICMP for security reasons.
The only choice was to use packet mangling in my router in order to modify TCP SYN packets to lower the maximum segment size at the transport layer:
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452
This sort of thing is messy and ideally should be avoided, but I had no other options and this did solve the problem.
Hope these examples help, as well as the man page.
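What the TCPMSS rule above does to a matching SYN, as an added Python sketch that is not part of the original answer and not the kernel's code: it finds the MSS option, lowers it to 1452 (this sketch leaves smaller values untouched) and patches the TCP checksum incrementally. The names `ones_sum`, `clamp_mss` and `build_syn` are hypothetical, and the sample segment and addresses are constructed.

```python
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def clamp_mss(tcp: bytes, limit: int = 1452) -> bytes:
    """Lower the MSS option of a SYN (RST clear) to `limit`; never raise it."""
    hdr_len = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    # Same match as --tcp-flags SYN,RST SYN: SYN set, RST clear.
    if not 20 <= hdr_len <= len(tcp) or tcp[13] & 0x06 != 0x02:
        return tcp
    i = 20
    while i + 1 < hdr_len and tcp[i] != 0:   # kind 0 ends the option list
        if tcp[i] == 1:                       # kind 1 is a one-byte NOP
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > hdr_len:
            break                             # malformed option list
        if tcp[i] == 2 and length == 4:       # kind 2 is the MSS option
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            if old <= limit:
                return tcp
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, limit)
            # Incremental checksum update (RFC 1624) over the changed aligned words.
            a, b = (i + 2) & ~1, (i + 5) & ~1
            csum = struct.unpack_from("!H", tcp, 16)[0]
            s = ones_sum(struct.pack("!H", ~csum & 0xFFFF)
                         + bytes(x ^ 0xFF for x in tcp[a:b]) + out[a:b])
            struct.pack_into("!H", out, 16, ~s & 0xFFFF)
            return bytes(out)
        i += length
    return tcp

def build_syn(mss: int = 1460, flags: int = 0x02):
    """Constructed sample: SYN 192.0.2.1:40000 -> 198.51.100.1:443."""
    seg = struct.pack("!HHIIBBHHHBBH", 40000, 443, 1, 0, 6 << 4, flags,
                      64240, 0, 0, 2, 4, mss)
    pseudo = bytes([192, 0, 2, 1, 198, 51, 100, 1, 0, 6]) + struct.pack("!H", len(seg))
    csum = ~ones_sum(pseudo + seg) & 0xFFFF
    return seg[:16] + struct.pack("!H", csum) + seg[18:], pseudo

syn, pseudo = build_syn()
print("MSS after clamp:", struct.unpack_from("!H", clamp_mss(syn), 22)[0])
```

Summing the pseudo-header plus the returned segment with `ones_sum` gives 0xFFFF when the checksum is still valid, which is a quick way to confirm the rewrite did not corrupt the packet.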
Best Answer
Iptables (and most firewall software) operates on a concept of first match wins, so if the rules are in the order posted above, the ACCEPT will match first and will be the effective policy applied to the packet.