iptables rules are not ignored for LAN; you just have to watch out at what position you place the rules.
In iptables -vL format:
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source     destination
    0     0 ACCEPT     all  --  any    any     anywhere   anywhere     state RELATED,ESTABLISHED
-------- ** Accepts existing connections
    0     0 other2wan  all  --  !br0   eth0    anywhere   anywhere
-------- ** Chain dealing with outgoing traffic not originating from LAN (used to DROP any non-tunneled/local --> WAN traffic)
    0     0 DROP       all  --  any    any     anywhere   anywhere     state INVALID
-------- ** Drops any invalid packets
    0     0 ACCEPT     all  --  br0    br0     anywhere   anywhere
-------- ** Accepts LAN to LAN traffic
    0     0 NSFW       all  --  any    any     anywhere   anywhere
-------- ** Chain dealing with outgoing LAN -> WAN traffic (used to DROP user-defined traffic in the WebUI Net Service Filter)
    0     0 ACCEPT     all  --  any    any     anywhere   anywhere     ctstate DNAT
-------- ** Accepts traffic resulting from a port forward
    0     0 OVPN       all  --  any    any     anywhere   anywhere     state NEW
-------- ** Chain used for OpenVPN tunnel interfaces
    0     0 ACCEPT     all  --  br0    any     anywhere   anywhere
-------- ** Accepts outgoing traffic originating from LAN
In human-readable / input format:
Code:
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -i br0 -j ACCEPT
Each packet is consulted against this filter from top to bottom until it hits an ACCEPT, a DROP or the end of the list.
E.g.:
Existing connections (not already dropped on the first packet) will hit the ESTABLISHED ACCEPT.
LAN2LAN communications will hit the br0 --> br0 ACCEPT.
New connections will be consulted against NSFW.
Port forward connections will hit the ctstate DNAT ACCEPT.
Otherwise, outgoing connections will hit the br0 --> any ACCEPT.
For your LAN filtering rule, you have to insert the filtering rules above the br0 --> br0 ACCEPT rule (-A FORWARD -i br0 -o br0 -j ACCEPT).
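The following is an added example and is not part of the post above: a small POSIX sh script that reads an `iptables -S FORWARD` dump, finds the rule number of the LAN-to-LAN ACCEPT rule, emits the `iptables -I FORWARD <n> ...` command that places a LAN filter directly above it, and flags any `-i br0 -o br0` rule that was appended below the ACCEPT and is therefore unreachable. The dump is fed from a string built from the rule list in the post so the script runs without iptables; on the router you would substitute the output of `iptables -S FORWARD`. The host addresses 192.168.1.50 and 192.168.1.10 and port 22 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post. Works on the "-A FORWARD ..."
# form printed by `iptables -S FORWARD`. First-match semantics mean a rule
# placed below "-A FORWARD -i br0 -o br0 -j ACCEPT" never sees LAN-to-LAN
# traffic, so filters must be inserted above it with -I FORWARD <pos>.

# Constructed sample dump built from the rules quoted in the post.
# On a live router use:  SAMPLE_FORWARD=$(iptables -S FORWARD)
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -i br0 -j ACCEPT'

# lan2lan_accept_pos: read a dump on stdin and print the 1-based rule number
# of the first "-A FORWARD -i br0 -o br0 -j ACCEPT". The "-P" policy line is
# not a rule, so only "-A FORWARD" lines are counted. Returns 1 if absent.
lan2lan_accept_pos() {
    awk '
        /^-A FORWARD / { n++ }
        /^-A FORWARD -i br0 -o br0 -j ACCEPT$/ { print n; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# lan_filter_cmd DUMP MATCH...: print the iptables command that inserts the
# given match/target directly above the LAN-to-LAN ACCEPT. -I at position
# <pos> pushes the ACCEPT (and everything below it) down by one.
lan_filter_cmd() {
    dump=$1; shift
    pos=$(printf '%s\n' "$dump" | lan2lan_accept_pos) || {
        echo "LAN-to-LAN ACCEPT rule not found in FORWARD" >&2
        return 1
    }
    echo "iptables -I FORWARD $pos $*"
}

# shadowed_lan_rules: read a dump on stdin and print every "-i br0 -o br0"
# rule that sits BELOW the blanket LAN-to-LAN ACCEPT. Such rules are dead:
# the ACCEPT above them ends traversal for every LAN-to-LAN packet.
shadowed_lan_rules() {
    awk '
        /^-A FORWARD -i br0 -o br0 -j ACCEPT$/ { seen_accept = 1; next }
        seen_accept && /^-A FORWARD -i br0 -o br0 / { print }
    '
}

# Stand-alone demonstration: block SSH from one constructed LAN host to another.
lan_filter_cmd "$SAMPLE_FORWARD" -i br0 -o br0 -s 192.168.1.50 -d 192.168.1.10 -p tcp --dport 22 -j DROP
```

If you need several LAN filter rules, insert the first at the position printed above and each following one at position + 1; inserting them all at the same position would reverse their order. Run `shadowed_lan_rules` against the live dump after your firewall script has run: any output means a rule was appended (-A) instead of inserted and will never match.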