ATT UVerse: drop DHCP for the temporary 192.168.1.64 address on the BGW320 and block bogon/DDoS packets using nftables
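#!/usr/sbin/nft -f
#
# Can't block DHCP like a normal service because it uses raw sockets and
# bypasses the nftables filter chains. Instead, use an ingress chain in the
# netdev family, which sees packets before the IP stack does.
#
# Rules are evaluated top to bottom; the first matching accept/drop decides.
# The chain policy is the default (accept), so everything not explicitly
# dropped below is passed on to the regular filter chains.

# 'flush table' errors out when the table does not exist yet (first load
# after boot). 'add table' is idempotent, so declare it first, then clear
# any stale rules so re-running this file does not duplicate them.
add table netdev filter
flush table netdev filter

table netdev filter {
    # Earliest filtering chain: attached directly to the WAN interface.
    chain ingress {
        type filter hook ingress device wan0 priority -500; policy accept;

        # Only the first fragment carries the L4 header, so the TCP checks
        # below cannot inspect non-initial fragments; drop them outright.
        ip frag-off & 0x1fff != 0 counter drop comment "IP fragments"

        # Until the BGW320-505 hands out the passthrough (public) IP it
        # leases a temporary 192.168.1.64 address via DHCP. Ignore anything
        # addressed to that subnet so the host never uses the temporary lease.
        ip daddr 192.168.1.0/24 counter drop comment "Block BGW320-505 temporary 192.168.1.64 DHCP IP, wait for passthrough IP"

        # The gateway itself must stay reachable (web UI / monitoring). This
        # accept is placed before the bogon list, which would otherwise drop
        # it as part of 192.168.0.0/16. Note that it also bypasses the TCP
        # sanity checks below for packets sourced from the gateway.
        ip saddr 192.168.1.254 counter accept comment "UVerse BGW320-505 Modem for gateway monitoring + config"

        # Source addresses that should never arrive from the Internet:
        # RFC 1918 private space, loopback, link-local, CGNAT, documentation,
        # benchmarking, multicast and reserved ranges.
        ip saddr { \
            0.0.0.0/8, \
            10.0.0.0/8, \
            100.64.0.0/10, \
            127.0.0.0/8, \
            169.254.0.0/16, \
            172.16.0.0/12, \
            192.0.0.0/24, \
            192.0.2.0/24, \
            192.168.0.0/16, \
            198.18.0.0/15, \
            198.51.100.0/24, \
            203.0.113.0/24, \
            224.0.0.0/3 \
        } counter drop comment "IP Bogons"

        # Flag combinations no conforming TCP stack sends; typical of
        # port scanners probing for OS fingerprints.
        tcp flags & (fin|psh|urg) == fin|psh|urg counter drop comment "TCP XMAS"
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop comment "TCP NULL"

        # A SYN advertising a tiny MSS forces this host to emit many small
        # segments per transfer (resource exhaustion); drop such handshakes.
        tcp flags syn tcp option maxseg size 1-535 counter drop comment "TCP MSS"
    }
}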