Well, it’s been another fun evening battling with iptables.
The goal is simple: allow access for specific things across the router, and drop/reject everything else.
A client connecting from a specific IP must be able to connect on port 80 and be redirected to the transparent proxy on the same machine (done, tested, working).
A client connecting from that same IP must be able to connect out on ports 25, 53 (UDP), 110, 143, 443, etc., unhindered (with room to reject more specifically later).
Reject/drop everything else from that IP.
Allow anything else traversing the system (or beginning/ending there) to be handled separately.
Seems easy enough, but so far I can make one happen but not the other. But tomorrow is another day.
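One ruleset that meets the four requirements above, written here as an added example rather than the rules from the original post. It assumes placeholder values throughout: the restricted client is 192.0.2.10, the transparent proxy listens on local TCP port 3128, and the LAN side of the router is eth1. By default the script only prints the iptables commands it would run, so the result can be read and checked before it touches a live firewall; pass --apply to execute them.

```shell
#!/bin/sh
# Added example, not the rules from the original post.
# Assumed placeholder values: restricted client 192.0.2.10, transparent
# proxy on local TCP port 3128, LAN-facing interface eth1.
set -u

CLIENT_IP="${CLIENT_IP:-192.0.2.10}"
PROXY_PORT="${PROXY_PORT:-3128}"
LAN_IF="${LAN_IF:-eth1}"
APPLY="${APPLY:-0}"   # 0 = print the commands only, 1 = run them

# Print the iptables command, or execute it when APPLY=1.
emit() {
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Emit the complete ruleset for the single restricted client.
build_rules() {
    # 1. Port 80 from the client is redirected to the local transparent proxy.
    emit -t nat -A PREROUTING -i "$LAN_IF" -s "$CLIENT_IP" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"

    # 2. One chain holds every rule for this client. After the REDIRECT the
    #    port-80 packets are addressed to the router itself, so they arrive on
    #    INPUT; everything else the client sends through the router arrives on
    #    FORWARD. Both chains hand the client's traffic to CLIENT_FILTER.
    emit -N CLIENT_FILTER
    emit -A INPUT -i "$LAN_IF" -s "$CLIENT_IP" -j CLIENT_FILTER
    emit -A FORWARD -i "$LAN_IF" -s "$CLIENT_IP" -j CLIENT_FILTER

    # Replies belonging to connections that were already accepted.
    emit -A CLIENT_FILTER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The redirected web sessions reaching the proxy port.
    emit -A CLIENT_FILTER -p tcp --dport "$PROXY_PORT" -j ACCEPT

    # 3. Services the client may reach directly. To reject a particular
    #    destination later, insert (-I) that rule ahead of these ACCEPTs.
    for port in 25 110 143 443; do
        emit -A CLIENT_FILTER -p tcp --dport "$port" -j ACCEPT
    done
    emit -A CLIENT_FILTER -p udp --dport 53 -j ACCEPT

    # 4. Everything else from this client is logged (rate-limited) and rejected.
    emit -A CLIENT_FILTER -m limit --limit 5/min -j LOG --log-prefix "client-reject: "
    emit -A CLIENT_FILTER -j REJECT
    # Traffic from any other source never enters CLIENT_FILTER and is left to
    # the rest of the ruleset.
}

# Number of ACCEPT rules in the generated ruleset (quick sanity check).
accept_count() {
    build_rules | grep -c -- '-j ACCEPT'
}

# Entry point: print the rules, or apply them when invoked with --apply.
if [ "${1:-}" = "--apply" ]; then
    APPLY=1
fi
build_rules
```

The detail that usually trips this setup up is where the redirected packets end up: once the nat PREROUTING rule rewrites their destination, they are delivered locally and pass through INPUT, not FORWARD, while the client's other outbound connections only ever pass through FORWARD. A filter that looks at just one of those chains sees half the traffic, which is why both jump into the same CLIENT_FILTER chain here. Run the script with no arguments and read the output first; rules for any other source are deliberately left out so the rest of the router's policy handles them.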