Firewall rule to block firmware updates

Scott Kaforey

Occasional Visitor
I have a SunPower Solar Monitoring system. SunPower went bankrupt and a new company took over and has been sending firmware updates that are slowly putting more and more things that used to be free behind a paywall.
This device can access the internet via 3 methods: hardwired internet connection, wifi connection, powerline wifi connection. I have these all set to static IPs of 192.168.1.91-93.

I want to block the device from receiving updates. From what I've been told, I basically need to block the device from everything external except for 8.8.8.8 and google.com.

I asked Gemini how to do this on my Asus router running Merlin firmware. Here is what it gave me. Note, I already have jffs enabled and some custom dnsmasq stuff, so I'm familiar with how to log in and modify things/scripts.

It said to put the following in the firewall-start script in /jffs/configs:
Code:
#!/bin/sh

# --- Configuration ---
# Enter the local IP addresses (separated by spaces) you want to restrict.
SRC_IPS="192.168.1.91 192.168.1.92 192.168.1.93"

# --- Rule Implementation ---

# Create a new chain to handle the traffic from our specific devices.
iptables -N RESTRICTED_ACCESS 2>/dev/null

# Ensure the chain is empty before adding rules.
iptables -F RESTRICTED_ACCESS

# For each IP in our list, direct its traffic to our new chain.
for SRC_IP in $SRC_IPS; do
  # We delete any old rule first to prevent duplicates on script restart.
  iptables -D FORWARD -s $SRC_IP -j RESTRICTED_ACCESS 2>/dev/null
  # We insert the rule at the top of the FORWARD chain.
  iptables -I FORWARD -s $SRC_IP -j RESTRICTED_ACCESS
done

# --- Rules for the RESTRICTED_ACCESS chain ---
# These rules apply to any IP address routed into this chain.

# 1. Allow return traffic for established connections. This is essential.
iptables -A RESTRICTED_ACCESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# 2. Allow access to Google's DNS server (8.8.8.8).
# This is needed for DNS lookups (like resolving www.google.com).
iptables -A RESTRICTED_ACCESS -d 8.8.8.8 -j ACCEPT

# 3. Allow access to www.google.com.
# This command looks up the current IP addresses for the domain and adds a rule for each.
# The list is updated every time the firewall restarts (e.g., router reboot).
# Only IPv4 answers are kept: the lines before "Name:" describe the resolver itself
# (busybox prints its address with a :53 port suffix), and an IPv6 answer would make
# "iptables -d" fail, aborting the rule for that address.
for ip in $(nslookup www.google.com 2>/dev/null | sed -n '/^Name:/,$p' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'); do
  iptables -A RESTRICTED_ACCESS -d $ip -j ACCEPT
done

# 4. Block all other internet access from this device.
# This is the last rule in our chain. Any traffic not allowed above will be dropped.
iptables -A RESTRICTED_ACCESS -j DROP

How does this look?
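An added example, not from the thread or from Asuswrt-Merlin, that splits the two parts of the script worth checking before they go into firewall-start into functions you can run off the router: the nslookup parsing (kept to IPv4 answers, because iptables -d rejects IPv6) and the rule generation in dry-run mode, where the iptables commands are printed instead of applied. The nslookup output is a constructed sample, and the function names ipv4_answers and build_rules are my own.

```shell
#!/bin/sh
# Added example: review the RESTRICTED_ACCESS rules before applying them.
# Not the script from the thread; the sample below is constructed, not captured.

# Constructed sample of busybox-style nslookup output. The first two lines
# describe the resolver (note the :53 port suffix); the answers follow "Name:".
SAMPLE_NSLOOKUP='Server:    127.0.0.1
Address:   127.0.0.1:53

Non-authoritative answer:
Name:      www.google.com
Address: 142.250.72.68
Name:      www.google.com
Address: 2607:f8b0:4005:80a::2004'

# Read nslookup output on stdin and print only the IPv4 answer addresses:
# skip everything before the first "Name:" line, then keep dotted quads only,
# so neither the resolver line nor an IPv6 answer reaches "iptables -d".
# On the router: nslookup www.google.com 2>/dev/null | ipv4_answers
ipv4_answers() {
    sed -n '/^Name:/,$p' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# Emit the rules for the given LAN sources and allowed destinations.
# IPT defaults to "echo iptables", so the commands are printed, not applied.
# On the router, run with IPT=iptables to apply them for real.
build_rules() {
    src_ips="$1"       # space-separated LAN addresses to restrict
    allowed_ipv4="$2"  # space-separated resolved addresses to allow
    IPT="${IPT:-echo iptables}"

    # Dedicated chain; -N fails harmlessly if it already exists, -F empties it.
    $IPT -N RESTRICTED_ACCESS 2>/dev/null
    $IPT -F RESTRICTED_ACCESS

    # Send forwarded traffic from each restricted host into the chain,
    # deleting any earlier copy first so restarts do not stack duplicates.
    for src in $src_ips; do
        $IPT -D FORWARD -s "$src" -j RESTRICTED_ACCESS 2>/dev/null
        $IPT -I FORWARD -s "$src" -j RESTRICTED_ACCESS
    done

    # Replies to connections the host already opened, the DNS server,
    # the resolved addresses, then drop everything else.
    $IPT -A RESTRICTED_ACCESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A RESTRICTED_ACCESS -d 8.8.8.8 -j ACCEPT
    for ip in $allowed_ipv4; do
        $IPT -A RESTRICTED_ACCESS -d "$ip" -j ACCEPT
    done
    $IPT -A RESTRICTED_ACCESS -j DROP
}

# Dry run against the constructed sample: prints the resolved IPv4 answer
# and the full rule set that would be applied.
resolved=$(printf '%s\n' "$SAMPLE_NSLOOKUP" | ipv4_answers)
echo "Resolved IPv4 answers: $resolved"
build_rules "192.168.1.91 192.168.1.92 192.168.1.93" "$resolved"
```

Running the file as-is only prints the commands, which matches the advice later in the thread to test a standalone script before touching the startup script; the printed order also makes it easy to confirm that the DROP rule is last and that every resolved address got its own ACCEPT.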
 
Not an expert on this, but if your router is set as the DNS server on the device, I don't think you need to enable Google's DNS server. Am I wrong?
 
On the surface, the script looks alright. You will just have to test it to find out.
 
Just my preference, but I always build my own separate script first and do a test run before putting the contents into a startup script. That way, if something goes horribly wrong and ends up locking you out of your router, a simple reboot will get you back in. Comes from the school of hard knocks!!
 
