I didn't have any luck - tried with br0, ath0, eth0 and eth1 interfaces - but in all cases I could still connect to that IP address - e.g. "telnet 22.214.171.124 80" on the desktop would still connect and return output from the web server. But thank you for the suggestion.
I've just updated to this beta from yesterday: "Release: 05/06/15 (SVN revision: 26839)", but the problem persists unfortunately (i.e. from the desktop can still successfully ping and telnet on port 80 to the internet address).
It feels almost like Ethernet is using a hardware-only switch so iptables commands do nothing, whereas for WiFi clients it has a software layer too so the iptables commands do something.
As far as I'm aware, NAT is not enabled, and it's LAN -> WAN traffic, but the iptables command seems to have no effect.
The reason I say that NAT is not enabled is that according to this page: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=78029 , NAT can be turned off by going to the WebGUI and then "Setup > Advanced Routing change the Operating Mode from Gateway to Router". And that is how it is set (i.e. already in Router operating mode).
I'm sure the modem is doing NAT, but the DD-WRT sits just before the modem, and the modem is the LAN's gateway. So to get to that Internet IP address, any traffic from the desktop goes directly to the DD-WRT unit (via ethernet), then directly to the modem (also via ethernet), then it leaves the LAN via ADSL, and goes off into the Internet.
Ah, okay, thank you. My modem isn't modern enough or smart enough to allow proper iptables, or even a command prompt. Hence why I'm trying to put any function that requires smarts into the dd-wrt unit and have the modem just provide an ethernet connection to the Internet.
So it sounds like dd-wrt can do iptables rules for direct WiFi connections, or for ethernet packets that are exiting or entering a network via that dd-wrt unit, but it can't do iptables on ethernet packets travelling through it acting as a LAN switch.
What I'm hoping is that in the future nftables, which is supposed to unify ebtables and iptables and others, will be added in dd-wrt, and will be able to know whether to use ebtables or iptables in this situation (it certainly wasn't obvious beforehand to me), and will automatically do the right thing. That would make life simpler, I think, and fingers-crossed that happens in the years ahead.
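One way to check whether traffic is reaching netfilter at all, as an added example that is not part of the original thread: if a DROP rule's packet counter stays at zero while the connection still succeeds, the packets never traversed that chain. The thread does not show the actual rule, so the FORWARD chain, the placeholder address 203.0.113.10 and both listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Input is text in the format printed by
# `iptables -L FORWARD -v -n -x`; both listings below are constructed samples
# and 203.0.113.10 is a placeholder for the blocked address.

# Sum the packet counters of DROP rules whose destination is $1.
# Prints nothing when the listing on stdin has no such rule.
drop_hits() {
    awk -v dst="$1" '
        $3 == "DROP" && $9 == dst { hits += $1; found = 1 }
        END { if (found) print hits }'
}

# Classify the listing on stdin for destination $1.
diagnose() {
    hits=$(drop_hits "$1")
    if [ -z "$hits" ]; then
        echo "no-rule"          # rule missing or in another chain
    elif [ "$hits" -eq 0 ]; then
        echo "never-reached"    # rule present, no packet ever hit it
    else
        echo "matched"          # netfilter saw and dropped the traffic
    fi
}

# Constructed: counters after a test from the wired desktop.
SAMPLE_WIRED='Chain FORWARD (policy ACCEPT 1523 packets, 98211 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      *       0.0.0.0/0            203.0.113.10
     812    51234 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0'

# Constructed: counters after the same test from a WiFi client.
SAMPLE_WIFI='Chain FORWARD (policy ACCEPT 1523 packets, 98211 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37     2220 DROP       all  --  *      *       0.0.0.0/0            203.0.113.10
     812    51234 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0'

printf '%s\n' "$SAMPLE_WIRED" | diagnose 203.0.113.10   # never-reached
printf '%s\n' "$SAMPLE_WIFI"  | diagnose 203.0.113.10   # matched
```

On the router, pipe the real listing in instead of a sample: `iptables -L FORWARD -v -n -x | diagnose <address>`.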