@g3rhard
Created February 22, 2026 09:50
Block internet access for a specific device in OpenWrt (24)
# remove old/broken sections if they exist
uci -q delete firewall.lan_only_ips
uci -q delete firewall.allow_lan_only_to_lan
uci -q delete firewall.block_lan_only_to_wan
# create ipset (fw4 still accepts config ipset, but it MUST have match fields)
uci set firewall.lan_only_ips='ipset'
uci set firewall.lan_only_ips.name='lan_only_ips'
uci set firewall.lan_only_ips.family='ipv4'
uci add_list firewall.lan_only_ips.match='src_net'
# replace the XXX placeholder with the IPv4 address of the device to restrict
uci add_list firewall.lan_only_ips.entry='XXX.XXX.XXX.XXX/32'
# allow those IPs to talk to LAN (intra-lan)
uci set firewall.allow_lan_only_to_lan='rule'
uci set firewall.allow_lan_only_to_lan.name='Allow lan-only IPs to LAN'
uci set firewall.allow_lan_only_to_lan.src='lan'
uci set firewall.allow_lan_only_to_lan.dest='lan'
uci set firewall.allow_lan_only_to_lan.proto='all'
uci set firewall.allow_lan_only_to_lan.ipset='lan_only_ips src'
uci set firewall.allow_lan_only_to_lan.target='ACCEPT'
# block those IPs from WAN
uci set firewall.block_lan_only_to_wan='rule'
uci set firewall.block_lan_only_to_wan.name='Block lan-only IPs to WAN'
uci set firewall.block_lan_only_to_wan.src='lan'
uci set firewall.block_lan_only_to_wan.dest='wan'
uci set firewall.block_lan_only_to_wan.proto='all'
uci set firewall.block_lan_only_to_wan.ipset='lan_only_ips src'
uci set firewall.block_lan_only_to_wan.target='REJECT'
uci commit firewall
/etc/init.d/firewall restart
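
To check that the configuration above is in place, the following added example (not part of the original gist) audits `uci show firewall` output for the ipset's match field and entries and for a REJECT/DROP rule to wan that references the set. The function names `check_lan_only` and `sample_config` are hypothetical, and the sample config with its address is constructed.

```shell
# Added example (not from the gist): audit `uci show firewall` output.
# On the router: uci show firewall | check_lan_only lan_only_ips

check_lan_only() {   # $1 = uci section name of the ipset; config on stdin
    awk -v s="$1" -v q="'" '
    function bad(msg) { print "FAIL: " msg; rc = 1 }
    {
        eq = index($0, "="); if (!eq) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(q, "", val)                      # drop the quotes uci prints
        n = split(key, k, ".")
        if (n == 2) { type[k[2]] = val; order[++cnt] = k[2] }
        else if (n == 3) opt[k[2], k[3]] = val
    }
    END {
        set = opt[s, "name"]
        if (type[s] != "ipset")    bad("section " s " is not an ipset")
        if (opt[s, "match"] == "") bad("ipset has no match field")
        if (opt[s, "entry"] == "") bad("ipset has no entries")
        for (i = 1; i <= cnt; i++) {
            r = order[i]
            if (type[r] != "rule" || opt[r, "dest"] != "wan") continue
            split(opt[r, "ipset"], ref, " ")  # "setname src" -> setname
            if (set != "" && ref[1] == set && opt[r, "target"] ~ /^(REJECT|DROP)$/)
                blocked = 1
        }
        if (!blocked) bad("no REJECT/DROP rule to wan uses the set")
        if (opt[s, "family"] == "ipv4")
            print "NOTE: IPv4-only set; IPv6 traffic from the device is not matched"
        exit rc + 0
    }'
}

# Constructed sample of `uci show firewall` output (address is a placeholder)
sample_config() {
    cat <<'EOF'
firewall.lan_only_ips=ipset
firewall.lan_only_ips.name='lan_only_ips'
firewall.lan_only_ips.family='ipv4'
firewall.lan_only_ips.match='src_net'
firewall.lan_only_ips.entry='192.0.2.50/32'
firewall.block_lan_only_to_wan=rule
firewall.block_lan_only_to_wan.src='lan'
firewall.block_lan_only_to_wan.dest='wan'
firewall.block_lan_only_to_wan.ipset='lan_only_ips src'
firewall.block_lan_only_to_wan.target='REJECT'
EOF
}
sample_config | check_lan_only lan_only_ips
```

The function exits non-zero when any check fails, so it can gate a provisioning script.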