1) Regarding your first point (running sslstrip before iptables): I don't want to see my own password in the log file.
No, seriously: I didn't try that, but it makes sense. You probably do not even have to start the script first, BUT you have to start it and it should not crash, otherwise you have to use ssh or the power-cycle method to access the web interface ...
2) Don't want to correct you :) . You are correct of course. I'm connecting from a different IP as you noted, but not from the 172.16.42.0/24 subnet.
3) Don't know if I got your idea, but then it should be
iptables -t nat -A PREROUTING ! -s 172.16.42.42 -p tcp --dport 80 -j ACCEPT
Not tested, but as far as I remember the "!" adds an exception.
So it would NAT everything but the management station. Maybe there is a way to get the IP of the management host (connection log: Pineapple authpriv.notice dropbear[10456]: Password auth succeeded for 'root' from x.x.x.x) and add an auto exception for this IP, just in case the management station does not connect from 172.16.42.42.
This was also only a little brainstorming. Maybe it's getting a little too complicated now and you had better add only the standard iptables rules as planned; everyone who needs to change them can edit the config file where the iptables commands are defined.
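The post above mentions reading the management host's address out of the dropbear "Password auth succeeded" log line. The following is an added example (not code from the thread or from the Pineapple firmware) that parses lines in that format, lists the source addresses of successful root logins, and flags any successful login from outside the 172.16.42.0/24 management subnet, which is the check an operator would want before trusting such an address. The sample log lines, the admin user and the 10.0.0.7 address are constructed for the example.

```python
import ipaddress
import re

# Constructed sample log lines in the format quoted in the post
# ("Password auth succeeded for 'root' from x.x.x.x"); not real log data.
SAMPLE_LOG = """\
Pineapple authpriv.notice dropbear[10456]: Password auth succeeded for 'root' from 172.16.42.42
Pineapple authpriv.notice dropbear[10457]: Password auth succeeded for 'root' from 10.0.0.7
Pineapple authpriv.warn dropbear[10458]: Bad password attempt for 'root' from 172.16.42.99
Pineapple authpriv.notice dropbear[10459]: Password auth succeeded for 'admin' from 172.16.42.42
Pineapple authpriv.notice dropbear[10460]: Password auth succeeded for 'root' from not-an-ip
"""

# Subnet the post names as the one the management station is expected in.
MANAGEMENT_NET = ipaddress.ip_network("172.16.42.0/24")

# Only successful password authentications carry the address we care about.
AUTH_OK = re.compile(
    r"dropbear\[(?P<pid>\d+)\]: Password auth succeeded for "
    r"'(?P<user>[^']+)' from (?P<ip>\S+)"
)


def successful_logins(log_text):
    """Return (user, ip) tuples for every successful password auth, in log order.

    Lines that do not match, or whose address does not parse, are skipped so a
    malformed line cannot break the scan.
    """
    found = []
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        found.append((m.group("user"), str(ip)))
    return found


def root_source_ips(log_text):
    """Distinct source addresses that logged in as root, sorted for stable output."""
    return sorted({ip for user, ip in successful_logins(log_text) if user == "root"})


def logins_outside(log_text, management_net=MANAGEMENT_NET):
    """Successful logins whose source lies outside the management subnet.

    These are the ones worth a second look before keying any iptables
    exception on them.
    """
    return [
        (user, ip)
        for user, ip in successful_logins(log_text)
        if ipaddress.ip_address(ip) not in management_net
    ]


if __name__ == "__main__":
    for user, ip in successful_logins(SAMPLE_LOG):
        print(f"login ok: {user} from {ip}")
    print("root source addresses:", root_source_ips(SAMPLE_LOG))
    for user, ip in logins_outside(SAMPLE_LOG):
        print(f"WARNING: {user} logged in from {ip}, outside {MANAGEMENT_NET}")
```

Run it against the real file with `python3 check_logins.py < /var/log/messages` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the regex is keyed on dropbear's message text, so syslog prefixes other than the one shown do not matter.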