Block DNS change on local PC to not bypass Pi-Hole server

These are the basic rules I use, which ensure that 10.0.0.1 to 10.0.0.4 (my router and SBCs) can query any upstream server, while everything else is forced to go to $pihole.

If you're using Tomato, please turn off the "Redirect Port 53" checkbox under Advanced DNS/DHCP settings.

When implementing this, make sure to test everything first! Change your primary computer's DNS to something that you don't normally use. If your Pi-hole upstream is Cloudflare, then set your primary computer's DNS to Google, or vice versa. Then run a DNS leak test to confirm your computer is using Google. Apply the iptables rules and confirm the leak test now shows Cloudflare. You can then remove the Google entry you added manually to your primary computer.

Finally, run an open DNS resolver test from outside your network to ensure that you've set -i "<lan network interface>" correctly: without that interface match, port-53 traffic arriving on the WAN side would also be redirected to the Pi-hole, turning your router into an open resolver. You could also match on ! -i "<wan network interface>" instead, such as ! -i "ppp0".

#!/bin/sh
pihole="10.0.0.2"              # Pi-hole address
lan_if="br0"                   # LAN-side interface (see the -i note above)
exempt="10.0.0.1-10.0.0.4"     # hosts allowed to query upstream servers directly

# Redirect port-53 traffic arriving on the LAN that is neither from nor to an
# exempt host to the Pi-hole. Both ranges are negated, so a client that asks an
# exempt host (e.g. the router itself) directly is left alone.
for proto in tcp udp; do
    iptables -t nat -A PREROUTING -i "${lan_if}" -p "${proto}" --dport 53 \
        -m iprange ! --src-range "${exempt}" ! --dst-range "${exempt}" \
        -j DNAT --to-destination "${pihole}"
    # Hairpin case: source-NAT the redirected query so the Pi-hole's reply comes
    # back through the router (which un-DNATs it) instead of straight to the
    # client from an address it never queried. Scoped to DNS towards the Pi-hole
    # rather than masquerading all forwarded traffic.
    iptables -t nat -A POSTROUTING -o "${lan_if}" -d "${pihole}" -p "${proto}" --dport 53 -j MASQUERADE
done

If your router has some kind of firewall-up script hook, put these rules in there and they'll be reapplied automatically when the router reboots.
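The leak check described above can be scripted so it is easy to repeat from every client after a firmware update or rule change. The following is an added example, not code from the original post. It hand-builds a DNS A query for the canary name pi.hole, sends it to a resolver the client is deliberately not configured to use (8.8.8.8 is assumed), and inspects the answer. Assumptions: the Pi-hole answers pi.hole with its own address (Pi-hole's built-in local name) while a public resolver returns NXDOMAIN or nothing, and the Pi-hole is at 10.0.0.2 as in the rules. Because conntrack rewrites the reply's source back to 8.8.8.8, the check has to look at the answer content rather than where the packet appears to come from; make_response() is a constructed reply used only for offline testing.

```python
"""Scripted DNS-interception check for the Pi-hole DNAT rules (added example).

Sends an A query for the canary name pi.hole to a bypass upstream and reports
"intercepted" if the Pi-hole answered it, "leak" if a real upstream answered,
or "no-answer" if nothing came back.
"""
import socket
import struct

CANARY = "pi.hole"            # name only a Pi-hole resolves (assumption)
PIHOLE = "10.0.0.2"           # from the rules in the post
BYPASS_UPSTREAM = "8.8.8.8"   # resolver the client is NOT normally using
TXID = 0x1234


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a plain recursion-desired A/IN query (no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer
            return off + 2
        off += 1 + length


def parse_response(data: bytes, txid: int = TXID) -> dict:
    """Extract the rcode and the A-record addresses from the answer section."""
    rtxid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rtxid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4            # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "addrs": addrs}


def classify(result: dict, pihole: str = PIHOLE) -> str:
    """'intercepted' when the Pi-hole answered the canary, otherwise 'leak'."""
    return "intercepted" if pihole in result["addrs"] else "leak"


def probe(upstream: str = BYPASS_UPSTREAM, timeout: float = 3.0) -> str:
    """Send the canary query to the bypass upstream and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(CANARY), (upstream, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no-answer"      # blocked or dropped; not proof of interception
    return classify(parse_response(data))


def make_response(name: str, rcode: int = 0, addr: str = None,
                  txid: int = TXID) -> bytes:
    """Constructed reply for offline testing, shaped like a real resolver's."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    msg += build_query(name, txid)[12:]            # reuse the question section
    if addr:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return msg


if __name__ == "__main__":
    # Run from a non-exempt LAN client: expect "intercepted" once the rules are
    # in place. From 10.0.0.1-10.0.0.4 expect "leak", since they are exempt.
    print(f"DNS to {BYPASS_UPSTREAM}: {probe()}")
```

Run it before applying the rules (expect "leak") and again afterwards (expect "intercepted"); a "no-answer" result means the query was dropped somewhere and tells you nothing about interception, so check the rules and the LAN interface name rather than treating it as a pass.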