Trotter
11.12.14
07:38
# Make sure br1 has access to the internet:
#iptables -I INPUT -i br1 -j ACCEPT
iptables -I FORWARD -i br1 -o vlan2 -j ACCEPT
# Keep the two wireless networks from talking to each other:
iptables -I FORWARD -i br0 -o br1 -j DROP
iptables -I FORWARD -i br1 -o br0 -j DROP
br1 is the 192.168.30.0/24 network, br0 is the 192.168.10.0/24 network.
The rules essentially do the following: br1 must not have access to br0, but br1 must have internet access with everything that entails.
# Block access from guest lan to private subnets
iptables -I FORWARD -i br1 -d 10.0.0.0/8 -j DROP
iptables -I FORWARD -i br1 -d 172.16.0.0/12 -j DROP
iptables -I FORWARD -i br1 -d 192.168.0.0/16 -j DROP
# Keep guest lan from accessing the router:
iptables -I INPUT -i br1 -p tcp --dport telnet -j DROP
iptables -I INPUT -i br1 -p tcp --dport ssh -j DROP
iptables -I INPUT -i br1 -p tcp --dport www -j DROP
iptables -I INPUT -i br1 -p tcp --dport https -j DROP
iptables -I INPUT -i br1 -p icmp -j DROP
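One thing worth seeing with these rules is the evaluation order: every line uses `-I`, which inserts at the head of the chain, so the last rule in the script (the 192.168.0.0/16 DROP) is checked first and the `br1 -> vlan2` ACCEPT is checked last. The following is an added simulation of that ordering and is not part of Trotter's post or of DD-WRT; it models only the matches the post's rules use (in/out interface, destination prefix, protocol, destination port), assumes vlan2 is the WAN interface as in the post, and assumes an ACCEPT policy on both chains since the router's own pre-existing rules (state tracking, NAT) are not modelled.

```python
"""Constructed model of iptables FORWARD/INPUT evaluation for the guest-LAN rules.

Not real iptables: `Chain.insert` mimics `-I` (prepend), `Chain.append` mimics `-A`,
and a rule matches when every criterion it specifies matches the packet.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    target: str                     # ACCEPT or DROP
    in_if: Optional[str] = None     # -i
    out_if: Optional[str] = None    # -o
    dst: Optional[str] = None       # -d (CIDR)
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport

    def matches(self, pkt: dict) -> bool:
        if self.in_if and pkt.get("in_if") != self.in_if:
            return False
        if self.out_if and pkt.get("out_if") != self.out_if:
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"          # assumption: default policy not modelled from DD-WRT
    rules: list = field(default_factory=list)

    def insert(self, rule: Rule) -> None:   # iptables -I: new rule goes to the top
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # iptables -A: new rule goes to the bottom
        self.rules.append(rule)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:             # first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return self.policy


def build_guest_chains() -> tuple[Chain, Chain]:
    """Apply the post's rules in script order; all use -I, so each lands on top."""
    fwd, inp = Chain(), Chain()
    fwd.insert(Rule("ACCEPT", in_if="br1", out_if="vlan2"))    # guest -> internet
    fwd.insert(Rule("DROP", in_if="br0", out_if="br1"))        # private -> guest
    fwd.insert(Rule("DROP", in_if="br1", out_if="br0"))        # guest -> private
    for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        fwd.insert(Rule("DROP", in_if="br1", dst=net))         # guest -> any RFC1918
    for port in (23, 22, 80, 443):                             # telnet, ssh, www, https
        inp.insert(Rule("DROP", in_if="br1", proto="tcp", dport=port))
    inp.insert(Rule("DROP", in_if="br1", proto="icmp"))
    return fwd, inp


def evaluate_flows() -> dict:
    """Verdicts for a few constructed sample flows through the two chains."""
    fwd, inp = build_guest_chains()
    return {
        "guest_to_internet": fwd.verdict({"in_if": "br1", "out_if": "vlan2", "dst": "8.8.8.8"}),
        "guest_to_br0_host": fwd.verdict({"in_if": "br1", "out_if": "br0", "dst": "192.168.10.5"}),
        "guest_to_rfc1918_via_wan": fwd.verdict({"in_if": "br1", "out_if": "vlan2", "dst": "10.1.2.3"}),
        "private_to_guest": fwd.verdict({"in_if": "br0", "out_if": "br1", "dst": "192.168.30.7"}),
        "guest_ssh_to_router": inp.verdict({"in_if": "br1", "dst": "192.168.30.1", "proto": "tcp", "dport": 22}),
        "guest_dns_to_router": inp.verdict({"in_if": "br1", "dst": "192.168.30.1", "proto": "udp", "dport": 53}),
        "guest_ping_router": inp.verdict({"in_if": "br1", "dst": "192.168.30.1", "proto": "icmp"}),
    }


if __name__ == "__main__":
    fwd, _ = build_guest_chains()
    print("FORWARD evaluation order:", [(r.target, r.in_if, r.out_if, r.dst) for r in fwd.rules])
    for name, verdict in evaluate_flows().items():
        print(f"{name:28s} {verdict}")
```

The `guest_dns_to_router` flow shows why the post blocks specific ports rather than all INPUT from br1: DNS and DHCP from the guest network still reach the router, which it needs to hand out addresses. On a real router, check the resulting order with `iptables -L FORWARD -n --line-numbers`.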