Firewall rule to block firmware updates

[Scott Kaforey]

I have a SunPower Solar Monitoring system. SunPower went bankrupt and a new company took over and has been sending firmware updates that are slowly putting more and more things that used to be free, behind a paywall.
This devices can access the internet via 3 methods, hardwired internet connection, wifi connection, powerline wifi connection. I have these all set to static ip's of 192.168.1.91-93.

I want to block the device from receiving updates. From what I've been told, I basically need to block the device from everything external except for 8.8.8.8 and google.com.

I asked Gemini how to do this on my Asus router running Merlin firmware. Here is what it gave me. Note, I already have jfss enabled and some custom dnsmasq stuff, so I'm familiar with how to login and modify things/scripts.

It said to put the following in firewall-start script in /jffs/configs:

#!/bin/sh

# --- Configuration ---
# Enter the local IP addresses (separated by spaces) you want to restrict.
SRC_IPS="192.168.1.91 192.168.1.92 192.168.1.93"

# --- Rule Implementation ---

# Create a new chain to handle the traffic from our specific devices.
iptables -N RESTRICTED_ACCESS 2>/dev/null

# Ensure the chain is empty before adding rules.
iptables -F RESTRICTED_ACCESS

# For each IP in our list, direct its traffic to our new chain.
for SRC_IP in $SRC_IPS; do
  # We delete any old rule first to prevent duplicates on script restart.
  iptables -D FORWARD -s $SRC_IP -j RESTRICTED_ACCESS 2>/dev/null
  # We insert the rule at the top of the FORWARD chain.
  iptables -I FORWARD -s $SRC_IP -j RESTRICTED_ACCESS
done

# --- Rules for the RESTRICTED_ACCESS chain ---
# These rules apply to any IP address routed into this chain.

# 1. Allow return traffic for established connections. This is essential.
iptables -A RESTRICTED_ACCESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# 2. Allow access to Google's DNS server (8.8.8.8).
# This is needed for DNS lookups (like resolving www.google.com).
iptables -A RESTRICTED_ACCESS -d 8.8.8.8 -j ACCEPT

# 3. Allow access to www.google.com.
# This command looks up the current IP addresses for the domain and adds a rule for each.
# This list is updated every time the firewall restarts (e.g., router reboot).
for ip in $(nslookup www.google.com | grep '^Address: ' | awk '{print $2}'); do
  iptables -A RESTRICTED_ACCESS -d $ip -j ACCEPT
done

# 4. Block all other internet access from this device.
# This is the last rule in our chain. Any traffic not allowed above will be dropped.
iptables -A RESTRICTED_ACCESS -j DROP

How does this look?

 

[Poul Bak]

Not an expert on this, but if your router is set as dns server on the device, I don't think you need to enable google dns server. Am I wrong?

 

[Scott Kaforey]

Not an expert on this, but if your router is set as dns server on the device, I don't think you need to enable google dns server. Am I wrong?

Apparently the device checks a ping to google to detect if it has "internet"

 

[Jeffrey Young]

On the surface, the script looks alright. You will just have to test it to find out.

 

[Jeffrey Young]

Just my preference, but I always build my own separate script first and do a test run before putting the contents into a startup script. That way, if something goes horribly wrong and ends up locking you out of your router, a simple reboot will get you back in. Comes from the school of hard knocks!!