In the above "script", if you already have INPUT policy set to DROP (nothing that is explicitly allowed, is silently denied), the lower appended rule (MAC address) won't of course work because it doesn't change anything. The curious thing is, if your INPUT is set to DROP for everything, how is it possible that somebody can connect to your server?
I think there's something else wrong too.
The user can still access the website from my server
Do you mean that the user can get to your server and using your server machine get access to the website (which is also in your server?) or what? Sounds like a very truly odd, bizarre and maybe bad setup. Maybe I'm misunderstanding this situation; could you be more specific? For example, paste the whole script (unless that is it), perhaps in a shell script format (rather than "iptables format"), and be more clear about this whole thing: is the user using a separate machine from the server, the server itself, or what, and so on.