linux – Raspberry Pi wireless AP with user internet restriction

I setup a Raspberry Pi connecting to my home router using the eth0 interface and broadcast a SSID via wlan0 interface simply by installing the RaspAP (https://raspap.com).

Everything working as expected.

However, I would like this newly created SSID only allow device to access a specific IP address (e.g. 1.2.3.4 for my kids’ school web server).

I tried to configure the UFW rules

sudo ufw default deny outgoing

sudo ufw allow from 10.3.141.0/8 to 1.2.3.4

I found that the rule only applies to the pi itself but the iPad can still access anywhere.

Any thoughts is welcome.