Ok, firstly, MAC addresses don't transcend subnets.
So any packets coming from the internet can't be matched by MAC address.
Secondly, I really suggest looking at the flowchart and table in the link I posted above, which accurately describes the flow of packets through the iptables chains, as well as what each chain is used for.
Thirdly, as an example, I use MAC filtering for my wireless LAN.
iptables -A FORWARD -p tcp -i eth2 -o ppp0 -m mac --mac-source 00:02:8a:47:eb:63 -m multiport --dports 20,21,5801,80,443 -m comment --comment "Accept FTP, SSH, HTTP/S" -j ACCEPT
I then have a catch-all drop policy:
iptables -A FORWARD -m comment --comment "Default Policy" -j LOG_DROP
(Note: I have my setup a little different from what I see most people use, so I've modified this for a more normal setup, but it should give the general idea.)
This will ACCEPT any packets with the stated MAC source on the stated ports, and drop everything else.
And so I must use either the OUTPUT chain or the FORWARD chain. Now I can't use the OUTPUT chain (as it's MAC). In the case of the FORWARD chain, if I forward these packets to it, then how will I drop them??? I mean, I would definitely have other rules which would also forward their packets to this chain, so if I drop everything, it will again be a problem....
I can't understand what you are trying to say here...
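The ruleset described in the post above, written out as an added example (this is not the poster's script): a FORWARD-chain MAC allowlist for hosts on the LAN interface, followed by a LOG_DROP chain that logs and then drops everything not explicitly accepted. The interface names eth2/ppp0, the port list and the MAC values are placeholders taken from or modelled on the post; the LOG_DROP chain body, the rate limit on logging and the MAC-format check are assumptions about how such a setup is usually built. Set DRY_RUN=1 to print the commands instead of applying them (applying them needs root).

```shell
#!/bin/sh
# Added example, not from the original post. Builds a FORWARD-chain MAC
# allowlist with a LOG_DROP catch-all. Interface names, ports and MACs are
# placeholders supplied by the caller; LOG_DROP's contents are assumed.

LAN_IF="${LAN_IF:-eth2}"          # interface the wireless LAN hangs off (placeholder)
WAN_IF="${WAN_IF:-ppp0}"          # uplink interface (placeholder)
ALLOWED_PORTS="${ALLOWED_PORTS:-20,21,80,443}"

# Return 0 if $1 looks like a MAC address: six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Run one iptables command, or just print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Build the ruleset for a whitespace-separated list of allowed source MACs.
mac_filter_rules() {
    # LOG_DROP: log with a recognisable prefix (rate-limited so a flood of
    # rejected traffic cannot fill the log), then drop.
    ipt -N LOG_DROP
    ipt -A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    ipt -A LOG_DROP -j DROP

    for mac in $1; do
        if ! valid_mac "$mac"; then
            echo "skipping invalid MAC: $mac" >&2
            continue
        fi
        # -i "$LAN_IF" is what makes the MAC match meaningful: only frames that
        # arrived directly on the LAN segment carry the host's own source MAC.
        # Traffic coming in from the uplink never matches these rules.
        ipt -A FORWARD -p tcp -i "$LAN_IF" -o "$WAN_IF" \
            -m mac --mac-source "$mac" \
            -m multiport --dports "$ALLOWED_PORTS" \
            -m comment --comment "Allowed LAN host" -j ACCEPT
    done

    # Catch-all: anything forwarded that was not accepted above is logged and dropped.
    ipt -A FORWARD -m comment --comment "Default Policy" -j LOG_DROP
}
```

Usage: `DRY_RUN=1 sh -c '. ./macfilter.sh; mac_filter_rules "00:02:8a:47:eb:63"'` prints the five rules; the same call without DRY_RUN applies them. Because LOG_DROP is the last FORWARD rule rather than the chain's default policy, other ACCEPT rules can be appended in front of it without changing the behaviour of the catch-all.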