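allow forwarding from a specific input interface to a specific output interface (-I inserts at the top of FORWARD, so this ACCEPT is evaluated before any existing rules; it covers one direction only):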
iptables -I FORWARD --in-interface <name> --out-interface <name> -j ACCEPT
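mark packets arriving on an interface (the mark exists only inside this host's kernel and can be matched by later rules with -m mark):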
iptables -t mangle -I PREROUTING --in-interface <name> -j MARK --set-mark 0x10086
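postrouting masquerade (--match takes a match-extension name such as mark, followed by that extension's own options, e.g. --mark 0x10086, to limit source NAT to the marked packets):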
iptables -t nat -I POSTROUTING --out-interface <name> -j MASQUERADE --match <value>
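prerouting masquerade (note: the MASQUERADE target is only valid in the nat table's POSTROUTING chain, so iptables rejects this rule as written; address rewriting in PREROUTING is done with DNAT or REDIRECT):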
iptables -t nat -I PREROUTING --in-interface <name> -j MASQUERADE --match <value>