This is basically what I did to allow guest wi-fi to access the LAN DNS server. wl0.1 is the guest wifi, 192.168.1.50 is the DNS server; it may be different for you depending on how you set it up.
In /jffs/scripts/firewall-start I added this:
# Rules for wl0.1 - force routing so traffic doesn't go thru bridge
/usr/sbin/ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv6 -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP
# traffic coming to (not thru) the router itself from guest wireless
# allow DHCP and DNS (for fallback), block everything else
/usr/sbin/iptables -I INPUT -i wl0.1 -j logdrop
/usr/sbin/iptables -I INPUT -i wl0.1 -p udp --dport 53 -j ACCEPT
/usr/sbin/iptables -I INPUT -i wl0.1 -p udp --dport 67:68 -j ACCEPT
# let guest network connect to Internet and local DNS server but nothing else (not even each other?)
# $1 is WAN interface
/usr/sbin/iptables -I FORWARD -i wl0.1 -o $1 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i wl0.1 ! -o $1 -j logdrop
/usr/sbin/iptables -I FORWARD -i wl0.1 -d 192.168.1.50 -p udp --dport 53 -j ACCEPT
For the printer example, change the last line to be your printer IP (and restrict other stuff like ports/protocol if you want) like this:
/usr/sbin/iptables -I FORWARD -i wl0.1 -d <printer-ip> -j ACCEPT
Hope this helps. I got most of this from other threads and the nice people on this forum.
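Because every rule above is added with `-I`, each one lands at the top of its chain, so the effective order is the reverse of the script order and the DNS exception is evaluated before the logdrop rule. The check below is an added example, not part of the original post: it reads `iptables -S FORWARD` output and confirms that order. The function name, the WAN interface name `eth0`, and the sample rule listings are assumptions constructed for illustration.

```sh
#!/bin/sh
# audit_guest_forward GUEST_IF WAN_IF DNS_IP
# Reads `iptables -S FORWARD` output on stdin. Succeeds only if the DNS
# exception for the guest interface sits above the drop rule for non-WAN
# traffic (iptables stops at the first matching rule).
audit_guest_forward() {
    awk -v g="$1" -v w="$2" -v d="$3" '
    index($0, " -i " g " ") == 0 { next }   # ignore rules not bound to the guest interface
    { n++ }                                 # position among guest rules
    index($0, " -d " d "/32 ") && / --dport 53 / && / -j ACCEPT$/ { if (!dns) dns = n }
    index($0, " ! -o " w " ") && / -j (logdrop|DROP)$/ { if (!drop) drop = n }
    END {
        if (!drop)      { print "FAIL: no drop rule for non-WAN traffic"; exit 1 }
        if (!dns)       { print "FAIL: no DNS exception for " d; exit 1 }
        if (dns > drop) { print "FAIL: DNS exception is shadowed by the drop rule"; exit 1 }
        print "OK: DNS exception (guest rule " dns ") precedes drop (guest rule " drop ")"
    }'
}

# Constructed sample: chain as it looks after the script's -I insertions.
sample_inserted() {
cat <<'EOF'
-A FORWARD -d 192.168.1.50/32 -i wl0.1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i wl0.1 ! -o eth0 -j logdrop
-A FORWARD -i wl0.1 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Constructed sample: same rules if they had been appended (-A) in script order.
sample_appended() {
cat <<'EOF'
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wl0.1 -o eth0 -j ACCEPT
-A FORWARD -i wl0.1 ! -o eth0 -j logdrop
-A FORWARD -d 192.168.1.50/32 -i wl0.1 -p udp -m udp --dport 53 -j ACCEPT
EOF
}

sample_inserted | audit_guest_forward wl0.1 eth0 192.168.1.50
sample_appended | audit_guest_forward wl0.1 eth0 192.168.1.50 || true
```

On the router itself, the live chain can be piped in with `iptables -S FORWARD | audit_guest_forward wl0.1 <wan-if> 192.168.1.50`.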