IP Firewall Chains

I am a bit confused about all five chains in IP/Firewall.
Can you show me how I can mark traffic, and which is the best way to look at the packets before marking them (which chain to choose), depending on what criteria, etc.?
Input, output, forward, prerouting and postrouting.

Thanks :slight_smile:

Well, it pretty much depends on what you’re up to with your packet marking :wink:

The input chain deals with all packets terminating in the router (i.e. the router is the destination of communication).
The output chain covers all packets originating from the router (when the router itself opens a connection).
The forward chain covers all packets traversing the router (routing, NAT, etc).
The prerouting chain jumps in before a routing decision is made, the postrouting chain thereafter.

Have a look at the new packet flow diagram to understand it better.
Additionally, look at the Mangle examples in the mangle wiki article.
-Chris
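
The chain choice described in the reply above, as an added RouterOS mangle sketch that is not part of the original posts or the wiki: traffic is classified once per connection and the mark is then copied to packets. The interface name `ether2`, the ports and all mark names are assumptions chosen for illustration.

```routeros
# Added example; ether2, the ports and the mark names are assumptions.
/ip firewall mangle

# prerouting runs before the routing decision, so one rule here covers both
# traffic that will be forwarded and traffic addressed to the router itself.
# Classify only the first packet of each connection.
add chain=prerouting in-interface=ether2 protocol=tcp dst-port=443 \
    connection-state=new action=mark-connection \
    new-connection-mark=https_conn passthrough=yes \
    comment="classify new HTTPS connections arriving from the LAN"

# Every later packet of that connection (both directions) inherits the
# packet mark from the connection mark.
add chain=prerouting connection-mark=https_conn action=mark-packet \
    new-packet-mark=https_pkt passthrough=no \
    comment="packet mark for classified HTTPS connections"

# Packets the router itself originates do not pass prerouting; they start
# in the output chain, so they have to be marked there.
add chain=output protocol=udp dst-port=53 action=mark-packet \
    new-packet-mark=router_dns passthrough=no \
    comment="DNS queries sent by the router itself"

# input sees only packets terminating in the router; use it when the mark
# must not apply to forwarded traffic.
add chain=input in-interface=ether2 protocol=tcp dst-port=22 \
    action=mark-packet new-packet-mark=mgmt_ssh passthrough=no \
    comment="SSH sessions to the router from the LAN"

# postrouting runs after the routing decision, so the outgoing interface
# is known and can be matched; forwarded and router-originated packets
# both pass through it.
add chain=postrouting out-interface=ether2 packet-mark=no-mark \
    action=mark-packet new-packet-mark=to_lan_other passthrough=no \
    comment="everything else leaving towards the LAN"
```

`in-interface` can only be matched in prerouting, input and forward, and `out-interface` only in forward, output and postrouting, which is often what decides the chain.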

Thank you :smiley: