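# allow 10.0.0.0/24 to reach the single host 192.168.1.1
-A FORWARD -s 10.0.0.0/24 -d 192.168.1.1 -j ACCEPT
# drop everything else from 10.0.0.0/24 to 192.168.1.0/24; the first matching
# rule wins, so this DROP must stay after the ACCEPT above
-A FORWARD -s 10.0.0.0/24 -d 192.168.1.0/24 -j DROP

# you could replace the `-s 10.0.0.0/24` with a `-i <interface-name>` to block
# based on ethernet port rather than source address.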