@kylemanna
Last active February 4, 2023 09:21
ATT UVerse: drop DHCP for the temporary 192.168.1.64 address on the BGW320 and block Bogon/DDoS packets using nftables
#!/usr/sbin/nft -f
#
# DHCP can't be blocked like a normal service because the client uses raw
# sockets and bypasses the nftables filter chains. Instead, use an ingress
# chain, which sees the frame before the IP stack does.
#
flush table netdev filter
table netdev filter {
    # Earliest filtering chain
    chain ingress {
        type filter hook ingress device wan0 priority -500;
        ip frag-off & 0x1fff != 0 counter drop comment "IP fragments"
        ip daddr 192.168.1.0/24 counter drop comment "Block BGW320-505 temporary 192.168.1.64 DHCP IP, wait for passthrough IP"
        # The gateway accept must come before the bogon set, which contains 192.168.0.0/16
        ip saddr 192.168.1.254 counter accept comment "UVerse BGW320-505 Modem for gateway monitoring + config"
        ip saddr { \
            0.0.0.0/8, \
            10.0.0.0/8, \
            100.64.0.0/10, \
            127.0.0.0/8, \
            169.254.0.0/16, \
            172.16.0.0/12, \
            192.0.0.0/24, \
            192.0.2.0/24, \
            192.168.0.0/16, \
            198.18.0.0/15, \
            198.51.100.0/24, \
            203.0.113.0/24, \
            224.0.0.0/3 \
        } counter drop comment "IP Bogons"
        # Malformed TCP flag combinations commonly seen in scans and floods
        tcp flags & (fin|psh|urg) == fin|psh|urg counter drop comment "TCP XMAS"
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop comment "TCP NULL"
        tcp flags syn tcp option maxseg size 1-535 counter drop comment "TCP MSS"
    }
}
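As an added illustration (not part of the gist), the following Python mirrors the verdict this ingress chain gives an IPv4 packet, in the same rule order and with the same prefixes, flag masks and MSS range, plus a constructed packet builder to exercise each rule. It assumes the bytes start at the IPv4 header (no Ethernet frame) and only handles IPv4, which is all the `ip`/`tcp` rules above match.

```python
import ipaddress
import struct
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3")]
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_mss(opts: bytes):
    # Walk TCP options (kind, length) and return the MSS value, or None
    i = 0
    while i < len(opts) and opts[i] != 0:       # kind 0 ends the option list
        if opts[i] == 1:                        # NOP is a single byte
            i += 1
        elif opts[i] == 2 and opts[i + 1] == 4:  # kind 2 = maxseg
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        else:
            i += max(opts[i + 1], 2)            # skip option; guard zero length
    return None

def classify(pkt: bytes) -> str:
    # Same rule order as the netdev ingress chain: first match wins
    ver_ihl, _, _, _, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if frag & 0x1FFF:                           # ip frag-off & 0x1fff != 0
        return "drop: IP fragments"
    saddr, daddr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if daddr in ipaddress.ip_network("192.168.1.0/24"):
        return "drop: temporary DHCP IP"
    if saddr == ipaddress.ip_address("192.168.1.254"):
        return "accept: gateway"                # must precede the bogon set
    if any(saddr in net for net in BOGONS):
        return "drop: IP Bogons"
    if proto == 6:                              # TCP flag and MSS rules
        tcp = pkt[(ver_ihl & 0x0F) * 4:]
        doff, flags = (tcp[12] >> 4) * 4, tcp[13]
        if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
            return "drop: TCP XMAS"
        if (flags & (FIN | SYN | RST | PSH | ACK | URG)) == 0:
            return "drop: TCP NULL"
        mss = parse_mss(tcp[20:doff])
        if flags & SYN and mss is not None and 1 <= mss <= 535:
            return "drop: TCP MSS"
    return "accept: chain default"

def build(src, dst, flags=SYN, frag=0, mss=None) -> bytes:
    # Constructed minimal IPv4+TCP packet (no Ethernet header) for testing
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, (5 + len(opts) // 4) << 4, flags, 0, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, frag, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp
```

Feeding `build("192.168.1.254", "192.168.1.64")` to `classify` shows why the DHCP offer to the temporary address is dropped even though the gateway itself is accepted: the `daddr` rule sits above the `saddr` accept.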