hi friends.this is my first post here.i've always got good answer from google that show its in this forums.
i've just learned simple iptables.
i have set firewall for centos of 192.168.1.21 server like this.
it has a gateway of 192.168.1.2

iptables -P INPUT DROP
iptables -A INPUT --in-interface lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EB:91:00:01 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 80 -m mac --mac-source 00:0F:EB:91:00:01 -j ACCEPT

the mac source is my laptop's mac address.
But when i try to ping from my laptop of 192.168.0.2 (my gateway is 192.168.0.1 but share the same server that has 3 network gateway including gateway for the centos)it failed.
what i should do to enable this ping.i also cannot connect to the centos server unless i change my ip to 192.168.1.x and same gateway as centos.can someone suggest what should i modify my firewall to enable connection to centos server from my 192.168.0.2 laptop? is that related to nat and forward chain in firewall of centos?
can someone suggest me what book is good to start learn linux firewall?

To allow your server to receive pings you'll need to do something like:As for the other issue: If you're going through a router/gateway, the MAC address the other side sees will be that of its gateway, not the original host. Your MAC address is only used to get the frame to a router (or to another host on the same network). The router then strips your MAC, replacing it with its own as it sends it down the next link. With that in mind, it makes perfect sense that your rules won't work unless your laptop is on the same network as your server.

A good iptables tutorial is here.

oh, thank you very much win32sux. Your explanations is very logical.maybe some of the answer is i may need to permit access only from the mac address of my gateway?but it won't give good security as what i want. others is i may also permit access from certain ip too from 192.168.0.x.im just afraid the spoofing of ipaddress and macaddress will break the security.maybe i should think other techniques. thanx again win32sux!