source nat problems
marcomas@libero.it
Mon, 19 Jun 2000 10:27:17 +0200
Hello,
I have a problem with SNAT. So I'm a bit confused about how
INPUT/OUTPUT/FORWARD and POSTROUTING/PREROUTING work. I've read
the NAT HOWTO but I have not found a clear example, sigh.
I want to translate these lines, taken from an example found in
the ipchains HOWTO.
This is the network for my tests.
[ASCII diagram: hosts on the LAN at the left, connected to the
firewall "FIRE" (interfaces 0 and 1), which connects to the LAN at
the right]
...
ipchains -A good-bad -p tcp --dport www -j MASQ
ipchains -A good-bad -p tcp --dport ssh -j MASQ
...
ipchains -A good-bad -j REJECT -l
ipchains -A bad-good -j REJECT
Now, how can I translate these lines ?
I try
iptables -A good-bad -p tcp --dport www -j ACCEPT
iptables -A good-bad -p tcp --dport ssh -j ACCEPT
...
iptables -A good-bad -j LOG --log-level info --log-prefix "Fire:"
iptables -A good-bad -j REJECT
iptables -A POSTROUTING -o eth1 -j SNAT --to $MASQ_ADDR
iptables -A bad-good -j REJECT
Now, I think that masqueraded packets should be accepted and other
packets not.
Ok, this doesn't work: packets go out but don't come back, they are
dropped.
If I add:
iptables -I bad-good -p tcp --sport www -j ACCEPT
www packets are accepted and www works.
Why? Where are the mistakes? I'm a beginner, so be patient ...
Ciao from Italy.