Limiting internet access by time

On a stretch box I have, I want to allow access to the Internet between the hours of 9am and 9pm and block it between 9pm and 9am. Ideally allow local network access throughout but block Internet access between 9pm and 9am, but I can accept total network blockage in the off times if necessary.

The machine is used as a desktop, so it is not up all the time. It might be brought up before 9am, in which case it should come up blocked and unblock at 9am, or it may be brought up after 9am, in which case it should come up unblocked and block if it is still up at 9pm. Time precision isn't important.

An ideal solution would allow dhcp updates, ntp etc to continue but block any normal user access eg web browsing etc.

I've got a solution in mind and would like to see if the community has any better ideas.

I'm thinking of installing iptables, creating an iptables script that blocks Internet access (not local addresses) except ntp and dhcp, and another to open everything up again, and using a systemd service that runs a script to check the time and run the appropriate iptables script. That service then gets linked in multi-user.wants to get run at startup. Then cron jobs can take care of the 9am and 9pm switch overs, calling the same scripts as appropriate.

Is there a better way to do this?

Mark