The secrets of iptables ;-)

MAC filtering

If, for what reason ever (hopefully not for the purpose of security), you want to do filtering of MAC addresses, you can do this like this:
iptables -A INPUT -m mac --mac-source 00:CA:FE:BA:BE:23 -j ACCEPT

NAT

Source NAT

Source NAT is used, if you want to appear the packets coming from your host (say, 192.168.1.4) to come from an other host (say, 10.0.0.1). Source NAT obviously does not work with dynamic IPs, use masquerading for that.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.0.0.1

Masquerading

This is similar like Source NAT, the difference is that the translated source IP is not known. It's advisable to explicitly only masquerade requests from the IP(s) you want to allow access:
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -j MASQUERADE
If you want to have a internal host, say 192.168.1.4 reachable on the internet, you can forward incoming requests to its IP like this:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 \ -j DNAT --to 192.126.1.4:80
Wenn lokale Pakete (vom Rechner selbst) an diesen Port ebenfalls weitergeleitet werden sollen, muss zusätzlich diese Regel in die OUTPUT chain:

BIND

Setting up firewall rules for BIND is quite tricky, since it uses both UDP and TCP traffic (queries less than 512 bytes are transferred using UDP. Larger queries, like zone-transfers, are transferred using TCP) with different ports.
You could force named to use only port 53 as source port, but this is not recommended for security reasons.

Allow outgoing DNS requests

$HOST is the IP of your machine sending the requests $DNS is the of the DNS serve you are using (e.g. the nameserver of your ISP)
iptables -A OUTPUT -p udp -s $HOST --sport 1024:65535 -d $DNS --dport 53 \ -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p udp -s $DNS --sport 53 -d $HOST --dport 1024:65535 \ -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT-p tcp -s $HOST --sport 1024:65535 -d $DNS --dport 53 \ -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s $DNS --sport 53 -d $HOST --dport 1024:65535 \ -m state --state ESTABLISHED -j ACCEPT

Allow incoming DNS requests

This is needed if you operate your own DNS server, maybe as forwarder
$SERVER is the IP where BIND(named) is listing on port 53 for incoming DNS queries.
iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER --dport 53 \ -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p udp -s $SERVER --sport 53 -d 0/0 --dport 1024:65535 \ -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p udp -s 0/0 --sport 53 -d $SERVER --dport 53 -m state \ --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p udp -s $SERVER --sport 53 -d 0/0 --dport 53 -m \ state --state ESTABLISHED -j ACCEPT
If you have a secondary DNS server that might request zone transfers, you'd have to add the TCP ports accordingly.