If you don't use external storage (/opt on a flash drive, for example), anything you put in a custom script will disappear at boot when the internal filesystem is re-initialized. Only the contents of the nvram survive. The point of the Startup and Firewall blocks in GUI>Administration>Commands is that they are stored in nvram and run automatically at the appropriate times.
Re your details... you appear to have two separate attempts at a firewall here. The "in firewall" one needs its nvram get wan_iface enclosed in either of two equivalent notations so that its output when interpreted as a command becomes part of the iptables command. So either `nvram get wan_iface` or $(nvram get wan_iface) should work. The dd-wrt community seems to lean to the older backquote notation. The wider linux community seems inclined to favor the newer $( ) notation, which is certainly less likely to be misread by older eyes. So with that correction, your one-line kill switch
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -j DROP
would be an easy way to block absolutely everything from your main bridge (LAN ports and wifi, if you are not doing any guest-network or VAP things) to the WAN port. That DROP means that senders are given no notification that their packets have been tossed in the bit bucket. They just disappear.
Your ALTERNATIVE (i.e. don't do them both) version uses REJECT to discard packets while notifying their senders of the fact. That and resetting an attempted tcp connection means the sender doesn't have to wait around for a website reply, for example, that will never come. It looks like you got this one from Nord or from a post written by an author who got it from Nord, because it has an error that Nord has had on their website for years at least (because I got caught by this error when I first used Nord around two years ago). Basically there is no such animal as a UDP reset, and when the iptables command gets a malformed set of arguments, it does nothing. No actual firewall rule is created. The corrected version is this:
Either the one-line DROP command or this longer but kinder and gentler REJECT version goes directly into the Firewall section in GUI>Administration>Commands. There is no separate script (for this), and there is nothing (for this) in Startup. You can do iptables -vnL FORWARD in the ssh/PuTTY CLI and see the three firewall rules it created, along with many default rules with other purposes. Most likely your rules will be the only ones featuring REJECT, so they will be easy to spot, and their order will be reversed relative to your code. If any of the three are missing, look for an error in your code that may have caused iptables to balk. When packets are actually rejected, the numbers in the left two columns will tick upward off of zero. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
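As an added illustration, not code from the post above, from DD-WRT or from NordVPN: a POSIX shell script that emits the br0-to-WAN kill-switch rules in both the DROP and the REJECT form, refuses a rule that asks for the non-existent "UDP reset", and counts the rules that actually landed in the FORWARD chain so a silently skipped rule is noticed. The exact three REJECT rules (a catch-all, a tcp rule with tcp-reset, and a udp rule with the ICMP port-unreachable reply that iptables uses by default) are my reconstruction, since the post's corrected listing is not reproduced here; `eth0` and the `IPTABLES` variable are placeholders so the script can be dry-run off the router.

```shell
#!/bin/sh
# Added example, not from the forum post or from DD-WRT.
# $IPTABLES lets the script be dry-run on a PC with IPTABLES=echo;
# on the router it defaults to the real binary.
IPTABLES=${IPTABLES:-iptables}

# Print one iptables argument line per rule for the chosen mode.
# Mode "drop" silently discards; mode "reject" answers the sender.
# Because -I inserts at the top of the chain, iptables -vnL shows the
# rules in the reverse of the order printed here.
# Assumed reconstruction of the three REJECT rules discussed above:
# REJECT's --reject-with tcp-reset is only legal on -p tcp rules, and
# UDP can only be answered with an ICMP error, never a "reset".
killswitch_rules() {
  wan_if=$1 mode=$2
  case "$mode" in
    drop)
      echo "-I FORWARD -i br0 -o $wan_if -j DROP" ;;
    reject)
      echo "-I FORWARD -i br0 -o $wan_if -j REJECT"
      echo "-I FORWARD -i br0 -o $wan_if -p udp -j REJECT --reject-with icmp-port-unreachable"
      echo "-I FORWARD -i br0 -o $wan_if -p tcp -j REJECT --reject-with tcp-reset" ;;
    *)
      echo "killswitch_rules: unknown mode '$mode' (use drop or reject)" >&2
      return 1 ;;
  esac
}

# Return 0 if a rule's --reject-with argument can exist, 1 if iptables
# would reject the rule as malformed (and thus create nothing).
rule_is_sane() {
  rule=$1
  case "$rule" in
    *udp-reset*)                       # no such reject type exists
      return 1 ;;
    *tcp-reset*)                       # only valid together with -p tcp
      case "$rule" in
        *"-p tcp "*) return 0 ;;
        *)           return 1 ;;
      esac ;;
  esac
  return 0
}

# Apply the rules one by one, skipping any that cannot be valid and
# reporting any that iptables itself refuses.
apply_killswitch() {
  wan_if=$1 mode=$2
  killswitch_rules "$wan_if" "$mode" | while IFS= read -r rule; do
    if rule_is_sane "$rule"; then
      # word-splitting $rule into separate arguments is intended here
      $IPTABLES $rule || echo "iptables refused: $rule" >&2
    else
      echo "refusing malformed rule (no such reject type): $rule" >&2
    fi
  done
}

# On the router: count DROP/REJECT rules from br0 to the WAN interface
# now present in FORWARD. The reject mode should yield 3; fewer means
# one of them was malformed. Column layout of iptables -vnL:
#   pkts bytes target prot opt in out source destination ...
count_killswitch_rules() {
  wan_if=$1
  $IPTABLES -vnL FORWARD | awk -v wan="$wan_if" \
    '$3 ~ /^(DROP|REJECT)$/ && $6 == "br0" && $7 == wan { n++ } END { print n + 0 }'
}

# Usage on the router (Firewall section):  sh killswitch.sh "$(nvram get wan_iface)" reject
# Dry run anywhere:                         IPTABLES=echo sh killswitch.sh eth0 reject
if [ $# -ge 1 ]; then
  apply_killswitch "$1" "${2:-reject}"
fi
```

After running it on the router, `count_killswitch_rules "$(nvram get wan_iface)"` is the scripted form of the `iptables -vnL FORWARD` check described above: the packet and byte counters in the first two columns of those rules climb once traffic is actually being blocked.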
You don't need a "custom script" on that page. Because you never invoke the script, it does nothing except use up memory. You only need the Firewall section. To get rid of the custom script, with the Commands window at the top empty, click Save Custom at the bottom. It will copy the nothingness of the Commands window to the Custom Script section.
If your Firewall section somehow ended up with an extra newline, as you suggest, just click the Edit button in the Firewall window, which will copy the contents of that window to the Commands window at the top. Then in the Commands window, edit as needed, in this case to remove the extra newline. Finally, the Save Firewall button at the bottom will then move the contents of the Command window to the Firewall window again.
You can grab the lower-right corner of any of these windows with the mouse and stretch the window to a convenient size for editing or viewing. Also, anywhere I have multiple spaces together in the commands, you can use just one space if you like. In linux commands, any amount of whitespace generally functions the same as any other amount. I used more than one just because the bboard formatting was making the spaces so narrow they were hard to see.
Thanks for flagging yourself as a novice. It helps to know to whom you are writing, and there'll be plenty of novice readers who can benefit. And of course we were all there at one point!