For example, if you want to block class 10.97.20.x and allow only some of them to have access, you can do that like this:
ip firewall rule forward add src-address=10.97.20.98/32 action=accept
ip firewall rule forward add action=drop
The last rule will drop everything, and if you want to allow clients to have access after you have set this rule, you can do it:
ip firewall rule forward add src-address=10.97.20.x/32 action=accept place-before=0
Hope that this will help.
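
Added example, not part of the original post: a small Python model of first-match rule evaluation. It shows why an accept rule appended after the drop-all never takes effect while the same rule inserted with place-before=0 does. The client address 10.97.20.50 is constructed, and passing a packet that matches no rule is an assumption of the model.

```python
import ipaddress

DEFAULT_ACTION = "accept"  # assumption: a packet matching no rule is passed


def add(rules, src, action, place_before=None):
    """Return a new chain with the rule appended, or inserted ahead of
    the rule at index place_before (models place-before=N)."""
    rule = (ipaddress.ip_network(src), action)
    new = list(rules)
    new.insert(len(new) if place_before is None else place_before, rule)
    return new


def decide(rules, src):
    """First matching rule wins; later rules are never consulted."""
    addr = ipaddress.ip_address(src)
    for net, action in rules:
        if addr in net:
            return action
    return DEFAULT_ACTION


def shadowed(rules):
    """Indexes of rules that can never match because an earlier rule
    already covers their whole source range."""
    return [
        i for i, (net, _) in enumerate(rules)
        if any(net.subnet_of(prev) for prev, _ in rules[:i])
    ]


# The two rules from the post: one allowed host, then drop everything.
base = add(add([], "10.97.20.98/32", "accept"), "0.0.0.0/0", "drop")

# Constructed client added later, once without and once with place-before=0.
appended = add(base, "10.97.20.50/32", "accept")
placed = add(base, "10.97.20.50/32", "accept", place_before=0)

if __name__ == "__main__":
    for name, chain in (("appended", appended), ("placed", placed)):
        print(name, decide(chain, "10.97.20.50"), "shadowed:", shadowed(chain))
```

Running shadowed() over an exported rule list is a quick audit for accept rules that were added after a catch-all drop and therefore do nothing.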