I have a few additional observations.
The iptables changes probably don't take effect unless you restart iptables (`service iptables restart`), and may not take effect until a router reboot or maybe restarting the entire network stack (`service network restart`). I have not tried either of the latter methods. I came upon this epiphany about restarting services because I'd mentioned to the kids that they were not allowed on the guest network and then today noticed at least one device still connected there with working internet access. That is, until 8:30 PM when the access restrictions take effect :). I'll check again tomorrow.
While this iptables method seems effective (just like access restrictions: they connect to the SSID, they try to go to a web page, the device can't connect), this isn't quite what I was hoping for… I guess the idea is I tell them about what I've blocked. If they try to connect, they can't, and then they would go back to the normal network out of frustration. My hope was actually that the guest network would reject their connection just like if they had put in the password incorrectly or something. Perhaps that's a feature request… MAC filtering on a per-SSID basis, or maybe even one of those guest networks that are unsecured but have a hotel-like splash screen with behind-the-scenes MAC filtering. I know some of this is possible through other means, but I really want the router to do it.