You could set the default policy for the FORWARD chain to DROP and then you just have to add for any client a firewall rule in which you specify the source IP and the source MAC and the target ACCEPT. Don’t forget to ACCEPT the incoming traffic from the WAN and other LANs.
