I have a Raspberry Pi set up to control a number of local IoT devices, and needed them connected to the Internet to set them up initially, but want to prevent them from "phoning home" to a cloud server more regularly. I have connected the smart devices to a hostapd-powered access point using the Raspberry Pi, bridged them using a bridge br0 to my eth0 interface, but now I'm having trouble restricting devices on the wireless network from communicating outside the local network.
Relevant bits of my ifconfig output are as follows:
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.18 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ba27:ebff:fe8f:6637 prefixlen 64 scopeid 0x20<link>
inet6 2a0e:cb01:22:4200:ba27:ebff:fe8f:6637 prefixlen 64 scopeid 0x0<global>
inet6 fdaa:bbcc:ddee:0:ba27:ebff:fe8f:6637 prefixlen 64 scopeid 0x0<global>
ether b8:27:eb:8f:66:37 txqueuelen 1000 (Ethernet)
RX packets 1030237 bytes 662509131 (631.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 872280 bytes 115521631 (110.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.18 netmask 255.255.255.0 broadcast 192.168.1.255
ether b8:27:eb:8f:66:37 txqueuelen 1000 (Ethernet)
RX packets 1302889 bytes 707488434 (674.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 868337 bytes 119710458 (114.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 169.254.16.101 netmask 255.255.0.0 broadcast 169.254.255.255
ether b8:27:eb:da:33:62 txqueuelen 1000 (Ethernet)
RX packets 206395 bytes 24701387 (23.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 259922 bytes 56512014 (53.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
I've currently tried using ebtables - this is my current config:
Bridge table: filter
Bridge chain: INPUT, entries: 1, policy: ACCEPT
-p IPv4 -i wlan0 --ip-dst ! 192.168.1.0/24 -j DROP
Bridge chain: FORWARD, entries: 3, policy: ACCEPT
-p IPv4 -i wlan0 -o wlan0 --ip-src 192.168.1.0/24 -j ACCEPT
-p IPv4 -i wlan0 -o wlan0 --ip-dst 192.168.1.0/24 -j ACCEPT
-i wlan0 -o wlan0 -j DROP
Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p IPv4 -o wlan0 --ip-src ! 192.168.1.0/24 -j DROP
However, this ruleset definitely isn't working - connecting my phone to it to test, I can access everything as normal. I'll admit I'm thrashing around a bit trying to find how some of these things work, so it's more than possible I'm missing something huge!
Help appreciated :)
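A note on why the ruleset in the question passes everything: in the bridge FORWARD chain a frame from a wireless client bound for the uplink enters on wlan0 and leaves on eth0, so rules that match `-i wlan0 -o wlan0` only ever see client-to-client frames, and the outbound traffic is never checked. The script below is an added example (editor's code, not from the original post) in the dry-run/apply style common for firewall scripts: it generates an ebtables ruleset for the wlan0/eth0 pair, with interface names and the 192.168.1.0/24 and fdaa:bbcc:ddee::/64 prefixes taken from the ifconfig output above, and assumes the IoT devices get their addresses by DHCP from a server on the eth0 side (hence the ARP, DHCP and NDP exceptions).

```shell
#!/bin/sh
# Added example (editor's, not from the original post): confine wireless
# clients on a hostapd bridge to the local network with ebtables.
# Assumed layout, taken from the ifconfig output in the question:
#   wlan0 = wireless clients, eth0 = uplink, both enslaved to br0
#   IPv4 LAN 192.168.1.0/24, IPv6 ULA fdaa:bbcc:ddee::/64
# Further assumption: clients get addresses via DHCP from a server on the
# eth0 side, so bootstrap traffic (ARP, DHCP, NDP) is allowed through.
WLAN=${WLAN:-wlan0}
UPLINK=${UPLINK:-eth0}
LAN4=${LAN4:-192.168.1.0/24}
LAN6=${LAN6:-fdaa:bbcc:ddee::/64}

# Print the ebtables commands. A bridged frame from a wireless client to
# the uplink enters on $WLAN and leaves on $UPLINK, so that is the pair the
# FORWARD rules must name; "-i wlan0 -o wlan0" only sees client-to-client
# frames. Anything forwarded between the two ports that is not explicitly
# allowed is dropped. The bridge's own traffic (br0's address) goes through
# the INPUT/OUTPUT chains instead and is left untouched here.
ebtables_rules() {
    cat <<EOF
ebtables -F FORWARD
# wireless -> uplink: LAN destinations only, plus what is needed to get an address
ebtables -A FORWARD -i $WLAN -o $UPLINK -p ARP -j ACCEPT
ebtables -A FORWARD -i $WLAN -o $UPLINK -p IPv4 --ip-proto udp --ip-dport 67 -j ACCEPT
ebtables -A FORWARD -i $WLAN -o $UPLINK -p IPv4 --ip-dst $LAN4 -j ACCEPT
ebtables -A FORWARD -i $WLAN -o $UPLINK -p IPv6 --ip6-dst $LAN6 -j ACCEPT
ebtables -A FORWARD -i $WLAN -o $UPLINK -p IPv6 --ip6-dst fe80::/64 -j ACCEPT
ebtables -A FORWARD -i $WLAN -o $UPLINK -p IPv6 --ip6-dst ff02::/16 -j ACCEPT
ebtables -A FORWARD -i $WLAN -o $UPLINK -j DROP
# uplink -> wireless: LAN sources only; the filter is stateless, so this also
# keeps replies and unsolicited traffic from outside away from the devices
ebtables -A FORWARD -i $UPLINK -o $WLAN -p ARP -j ACCEPT
ebtables -A FORWARD -i $UPLINK -o $WLAN -p IPv4 --ip-src $LAN4 -j ACCEPT
ebtables -A FORWARD -i $UPLINK -o $WLAN -p IPv6 --ip6-src $LAN6 -j ACCEPT
ebtables -A FORWARD -i $UPLINK -o $WLAN -p IPv6 --ip6-src fe80::/64 -j ACCEPT
ebtables -A FORWARD -i $UPLINK -o $WLAN -j DROP
EOF
}

# Number of DROP rules in the generated set (one per direction), as a sanity check.
drop_rule_count() {
    ebtables_rules | grep -c -- '-j DROP'
}

case "${1:-print}" in
    apply) ebtables_rules | sh -e ;;   # needs root and the ebtables tools
    *)     ebtables_rules ;;           # dry run: show what would be applied
esac
```

Run it without arguments to review the rules, then with `apply` as root. After connecting a client and trying to reach something outside the LAN, `ebtables -L FORWARD --Lc` shows the per-rule counters, so the final DROP in the wireless-to-uplink direction should be the one climbing. Two consequences of this ruleset to keep in mind: the devices must use a resolver inside 192.168.1.0/24 (queries to an outside DNS server are dropped like everything else), and if the clients pick up addresses from the router's global 2a0e:cb01:22:4200::/64 prefix and need to talk to other LAN hosts on those addresses, that prefix needs its own `--ip6-dst`/`--ip6-src` ACCEPT pair in the same pattern. Client-to-client traffic on wlan0 is not touched here; hostapd's own isolation setting is the usual place for that.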