Hello,
I currently run ARM devices on Yocto and Buildroot and have experience with access points, having developed coin-based internet access gateways and other devices.
Whilst it would be good to base the configuration on the exact module you are developing, I believe we can get close on generic ARM Linux. The only thing I noticed in your requirements was to block internet access based on IP address. This is probably not very effective, as a user with sufficient knowledge can change their IP address to a static one, bypassing both DHCP and IP-level security. A more effective strategy would be to block access based on MAC address, which is more difficult to spoof, especially from consumer gadgets.
Lastly, without some sort of layer 7 application filter, blocking access to domain-based sites would not be possible. At most you would be able to implement some sort of DNS-based null routing, but if a user typed in the IP address the traffic would still pass. To block by IP is cumbersome, as most sites are behind a few publicly exposed IP addresses in the case of Cloudflare-protected sites. Thus, to block these IPs would block probably 40% of the Internet.
I am more than happy to discuss more at your convenience.
Warmest Regards,
Stephen Lombard