Iptables 规则顺序

我有以下脚本，是我在互联网上的某个地方找到的，我对其进行了一些修改以满足我的需要。

我的问题是：如果我理解了 iptables-save 的输出，我的 iptables 规则就是正确的，但我只是想确保一下。

这是我的.sh 文件：

#!/bin/bash
ISO="af cn th vn in bd pk"

### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

cleanOldRules(){
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
}

# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT

# clean old rules
cleanOldRules

# create a new iptables list
$IPT -N $SPAMLIST







for c  in $ISO
do
        # local zone file
        tDB=$ZONEROOT/$c.zone

        # get fresh zone file
        $WGET -O $tDB $DLROOT/$c.zone

        # country specific log message
        SPAMDROPMSG="$c Country Drop"

        # get
        BADIPS=$(egrep -v "^#|^$" $tDB)
        for ipblock in $BADIPS
        do
          # $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
           $IPT -A $SPAMLIST -s $ipblock -j DROP
        done
        sleep 3
done


$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST

#My part
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
$IPT -A INPUT -s 188.92.161.49/32 -j ACCEPT
$IPT -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPT -A INPUT -s 188.92.163.198/32 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 25 -j DROP
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
$IPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited
$IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited


exit 0

iptables 保存的输出

# Generated by iptables-save v1.4.10 on Thu May  9 17:00:59 2013
*mangle
:PREROUTING ACCEPT [128952:24289058]
:INPUT ACCEPT [128944:24288514]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [180927:208852344]
:POSTROUTING ACCEPT [180927:208852344]
COMMIT
# Completed on Thu May  9 17:00:59 2013
# Generated by iptables-save v1.4.10 on Thu May  9 17:00:59 2013
*nat
:PREROUTING ACCEPT [3169:170149]
:INPUT ACCEPT [3118:164866]
:OUTPUT ACCEPT [909:54321]
:POSTROUTING ACCEPT [909:54321]
COMMIT
# Completed on Thu May  9 17:00:59 2013
# Generated by iptables-save v1.4.10 on Thu May  9 17:00:59 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [134106:154955595]
:countrydrop - [0:0]
-A INPUT -j countrydrop
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j countrydrop
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j countrydrop
-A countrydrop -s 202.56.176.0/20 -j DROP
-A countrydrop -s 202.86.16.0/20 -j DROP
-A countrydrop -s 203.174.27.0/24 -j DROP
-A countrydrop -s 203.215.32.0/20 -j DROP
-A countrydrop -s 210.80.0.0/19 -j DROP
-A countrydrop -s 210.80.32.0/19 -j DROP
-A countrydrop -s 91.109.216.0/21 -j DROP
-A countrydrop -s 193.201.151.64/26 -j DROP
-A countrydrop -s 192.124.154.0/24 -j DROP

如果我理解正确的话，首先流量会被导向 countrydrop，然后再导向我的规则。

我对吗？