Hello,
I'd like to suggest you a different solution: instead of blocking ports, you could block dns requests made for resolving names used for google update service. Using tcpdump from RUT950 console you can intercept requests for ggpht.com, android.clients.google.com and play.google.com; then take the hex strings corresponding to each domain and compose the rules for iptables using string module:
iptables -t mangle -A POSTROUTING -m string --algo bm --hex-string '|676770687403636f6d|' -j DROP
iptables -t mangle -A POSTROUTING -m string --algo bm --hex-string '|616e64726f696407636c69656e747306676f6f676c6503636f6d|' -j DROP
iptables -t mangle -A POSTROUTING -m string --algo bm --hex-string '|706c617906676f6f676c6503636f6d|' -j DROP
then put the them in the firewall custom rules.
For example ggpht.com corresponds in tcpdump to ggpht?com that in hex corresponds to 676770687403636f6d. The strings in the rules are closed in single quotes and pipes.
I hope that this can be util.