Using firewall rules. I create rules that allow everything on the private network interface (br0) to be forwarded to any other network interfaces, be it the guest (br1) or iot (br2).
Code:
# allow replies (and related flows) to connections that were already permitted
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow the private network (br0) to initiate connections to any br* interface
iptables -A FORWARD -i br0 -o br+ -j ACCEPT
# everything else between br* interfaces is refused
iptables -A FORWARD -i br+ -o br+ -j REJECT
br+ is a wildcard. It will match on any network interface beginning w/ br.
The last rule blocks *all* communications between the network interfaces. But it's tested last. Before it, I make an exception to allow br0 access to any other network interfaces. But I also need the ESTABLISHED rule before it because I still need to allow devices on br1 and br2 to minimally *reply* to any contact initiated from br0. But any attempt by br1 or br2 to *initiate* contact w/ any other network interfaces hits the last rule, thus blocking it.
Of course, I'm just cherry-picking rules here out of a much larger set of rules I apply to manage access between devices. It's only intended to show how it's possible to allow connections to be established in one direction.
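To make the first-match ordering concrete, here is a small model of how netfilter walks the three FORWARD rules above, with the `br+` prefix wildcard and the conntrack state match. This is added example code, not part of the post; it assumes a FORWARD chain policy of ACCEPT and an upstream interface named `eth0`, both constructed for illustration.

```python
# The three FORWARD rules from the post, in the order they are appended.
RULES = [
    {"state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"in": "br0", "out": "br+", "target": "ACCEPT"},
    {"in": "br+", "out": "br+", "target": "REJECT"},
]

def iface_match(pattern, iface):
    """iptables interface matching: a trailing '+' is a prefix wildcard."""
    if pattern is None:          # rule does not constrain this interface
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern

def rule_matches(rule, pkt):
    """All specified matches must hold (interfaces and conntrack state)."""
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return (iface_match(rule.get("in"), pkt["in"])
            and iface_match(rule.get("out"), pkt["out"]))

def forward_verdict(pkt, rules=RULES, policy="ACCEPT"):
    """First matching rule wins; no match falls through to the chain policy
    (assumed ACCEPT here, the iptables default unless changed)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy

if __name__ == "__main__":
    # constructed sample flows: (in, out, conntrack state)
    samples = [
        ("br0", "br1", "NEW"),          # private initiates to guest: ACCEPT
        ("br1", "br0", "NEW"),          # guest initiates to private: REJECT
        ("br1", "br0", "ESTABLISHED"),  # guest replies to private: ACCEPT
        ("br2", "br1", "NEW"),          # iot initiates to guest: REJECT
        ("br1", "eth0", "NEW"),         # guest to WAN: not covered, policy applies
    ]
    for i, o, s in samples:
        pkt = {"in": i, "out": o, "state": s}
        print(f"{i:>4} -> {o:<4} {s:<11} {forward_verdict(pkt)}")
    # Same reply, but with the RELATED,ESTABLISHED rule removed from the front:
    reply = {"in": "br1", "out": "br0", "state": "ESTABLISHED"}
    print("reply without state rule:", forward_verdict(reply, rules=RULES[1:]))
```

The last line shows why the state rule has to come first: without it the reply from br1 hits the catch-all REJECT, and br0 never gets an answer. The `eth0` case also shows that these three rules say nothing about guest-to-WAN traffic, since `eth0` does not match `br+`.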