Scott Kaforey
Occasional Visitor
I have a SunPower Solar Monitoring system. SunPower went bankrupt and a new company took over and has been sending firmware updates that are slowly putting more and more things that used to be free, behind a paywall.
This devices can access the internet via 3 methods, hardwired internet connection, wifi connection, powerline wifi connection. I have these all set to static ip's of 192.168.1.91-93.
I want to block the device from receiving updates. From what I've been told, I basically need to block the device from everything external except for 8.8.8.8 and google.com.
I asked Gemini how to do this on my Asus router running Merlin firmware. Here is what it gave me. Note, I already have jfss enabled and some custom dnsmasq stuff, so I'm familiar with how to login and modify things/scripts.
It said to put the following in firewall-start script in /jffs/configs:
How does this look?
This devices can access the internet via 3 methods, hardwired internet connection, wifi connection, powerline wifi connection. I have these all set to static ip's of 192.168.1.91-93.
I want to block the device from receiving updates. From what I've been told, I basically need to block the device from everything external except for 8.8.8.8 and google.com.
I asked Gemini how to do this on my Asus router running Merlin firmware. Here is what it gave me. Note, I already have jfss enabled and some custom dnsmasq stuff, so I'm familiar with how to login and modify things/scripts.
It said to put the following in firewall-start script in /jffs/configs:
Code:
#!/bin/sh
# --- Configuration ---
# Enter the local IP addresses (separated by spaces) you want to restrict.
SRC_IPS="192.168.1.91 192.168.1.92 192.168.1.93"
# --- Rule Implementation ---
# Create a new chain to handle the traffic from our specific devices.
iptables -N RESTRICTED_ACCESS 2>/dev/null
# Ensure the chain is empty before adding rules.
iptables -F RESTRICTED_ACCESS
# For each IP in our list, direct its traffic to our new chain.
for SRC_IP in $SRC_IPS; do
# We delete any old rule first to prevent duplicates on script restart.
iptables -D FORWARD -s $SRC_IP -j RESTRICTED_ACCESS 2>/dev/null
# We insert the rule at the top of the FORWARD chain.
iptables -I FORWARD -s $SRC_IP -j RESTRICTED_ACCESS
done
# --- Rules for the RESTRICTED_ACCESS chain ---
# These rules apply to any IP address routed into this chain.
# 1. Allow return traffic for established connections. This is essential.
iptables -A RESTRICTED_ACCESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 2. Allow access to Google's DNS server (8.8.8.8).
# This is needed for DNS lookups (like resolving www.google.com).
iptables -A RESTRICTED_ACCESS -d 8.8.8.8 -j ACCEPT
# 3. Allow access to www.google.com.
# This command looks up the current IP addresses for the domain and adds a rule for each.
# This list is updated every time the firewall restarts (e.g., router reboot).
for ip in $(nslookup www.google.com | grep '^Address: ' | awk '{print $2}'); do
iptables -A RESTRICTED_ACCESS -d $ip -j ACCEPT
done
# 4. Block all other internet access from this device.
# This is the last rule in our chain. Any traffic not allowed above will be dropped.
iptables -A RESTRICTED_ACCESS -j DROPHow does this look?
