Last active February 4, 2023 09:21
AT&T U-verse: drop DHCP for the temporary address on a BGW320 and block bogon/DDoS packets using nftables
#!/usr/sbin/nft -f
# DHCP can't be blocked like a normal service because the client uses raw
# sockets and bypasses the nftables filter chains. Use an ingress chain instead.
# NOTE: the IP addresses in this copy of the gist were not preserved; replace
# every <...> placeholder with your own values before loading the file.
# flush fails if the table does not exist yet; run "nft add table netdev filter" first in that case.
flush table netdev filter
table netdev filter {
    # Earliest filtering chain: runs on the NIC before the IP stack sees the packet
    chain ingress {
        type filter hook ingress device wan0 priority -500;
        ip frag-off & 0x1fff != 0 counter drop comment "IP fragments"
        ip daddr <BGW320-temporary-DHCP-address> counter drop comment "Block BGW320-505 temporary DHCP IP, wait for passthrough IP"
        ip saddr <BGW320-LAN-address> counter accept comment "UVerse BGW320-505 Modem for gateway monitoring + config"
        ip saddr { <bogon prefix list, one CIDR per element> } counter drop comment "IP Bogons"
        tcp flags & (fin|psh|urg) == fin|psh|urg counter drop comment "TCP XMAS"
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop comment "TCP NULL"
        tcp flags syn tcp option maxseg size 1-535 counter drop comment "TCP MSS"
    }
}
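The ruleset above is evaluated first-match-wins, so rule order carries meaning: the drop for the temporary DHCP destination comes before the accept for the modem's source address, and that accept comes before the bogon drop (the modem's LAN address normally sits inside RFC 1918 space, which the bogon set also covers). The following Python model, an added example that is not part of the gist, walks the same rules in the same order over a few constructed packets so the effect of that ordering can be checked offline. The modem and temporary DHCP addresses, the public addresses 1.2.3.4 and 5.6.7.8, and the bogon prefix list are all assumptions of this example, not values from the gist.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for the two addresses the gist filters on (assumptions,
# not the gist's real values): the BGW320's LAN-side address and the temporary
# address its DHCP server hands out before IP passthrough delivers the public one.
MODEM_ADDR = ipaddress.ip_address("192.168.1.254")
TEMP_DHCP_ADDR = ipaddress.ip_address("192.168.1.100")

# Standard IPv4 bogon (martian) prefixes. The gist's own list did not survive
# extraction, so this list is this example's, not the author's.
BOGON_PREFIXES = (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)
BOGONS = [ipaddress.ip_network(p) for p in BOGON_PREFIXES]

# TCP flag bits as laid out in the header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


@dataclass
class Packet:
    saddr: str
    daddr: str
    frag_off: int = 0                # 13-bit IPv4 fragment offset field
    tcp_flags: Optional[int] = None  # None means "not a TCP packet"
    mss: Optional[int] = None        # TCP MSS option value, if the option is present


def ingress_verdict(pkt: Packet) -> Tuple[str, str]:
    """Walk the rules in the gist's order; the first match wins, as in nft.
    Returns (verdict, rule comment). A packet matching nothing falls through to
    the chain's default policy, which is accept because the gist sets none."""
    src = ipaddress.ip_address(pkt.saddr)
    dst = ipaddress.ip_address(pkt.daddr)
    if pkt.frag_off & 0x1FFF != 0:           # ip frag-off & 0x1fff != 0 (non-first fragments)
        return "drop", "IP fragments"
    if dst == TEMP_DHCP_ADDR:                # ip daddr <temp> drop
        return "drop", "temporary DHCP IP"
    if src == MODEM_ADDR:                    # ip saddr <modem> accept (precedes the bogon drop)
        return "accept", "modem"
    if any(src in net for net in BOGONS):    # ip saddr { bogons } drop
        return "drop", "IP Bogons"
    if pkt.tcp_flags is not None:
        f = pkt.tcp_flags
        if f & (FIN | PSH | URG) == (FIN | PSH | URG):   # all three set: XMAS
            return "drop", "TCP XMAS"
        if f & ALL_FLAGS == 0:                           # no flags at all: NULL
            return "drop", "TCP NULL"
        if f & SYN and pkt.mss is not None and 1 <= pkt.mss <= 535:
            return "drop", "TCP MSS"
    return "accept", "default policy"


def bogon_set_literal() -> str:
    """Render the bogon list as an nft anonymous set, ready to paste into the
    'ip saddr { ... } counter drop' rule."""
    return "{ " + ", ".join(BOGON_PREFIXES) + " }"


# Constructed sample traffic. 1.2.3.4 and 5.6.7.8 stand in for arbitrary
# non-bogon public addresses; 5.6.7.8 plays the passthrough public IP.
SAMPLES = {
    "dhcp_offer_to_temp": Packet("192.168.1.254", "192.168.1.100"),
    "modem_mgmt": Packet("192.168.1.254", "5.6.7.8"),
    "rfc1918_spoof": Packet("10.1.2.3", "5.6.7.8"),
    "xmas": Packet("1.2.3.4", "5.6.7.8", tcp_flags=FIN | PSH | URG),
    "null": Packet("1.2.3.4", "5.6.7.8", tcp_flags=0),
    "tiny_mss_syn": Packet("1.2.3.4", "5.6.7.8", tcp_flags=SYN, mss=400),
    "normal_syn": Packet("1.2.3.4", "5.6.7.8", tcp_flags=SYN, mss=1460),
    "push_urg_ack": Packet("1.2.3.4", "5.6.7.8", tcp_flags=PSH | URG | ACK),
    "later_fragment": Packet("1.2.3.4", "5.6.7.8", frag_off=0x0100),
}


def sample_verdicts() -> dict:
    """Verdict for every constructed sample, keyed by sample name."""
    return {name: ingress_verdict(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, why) in sample_verdicts().items():
        print(f"{name:20s} {verdict:6s} ({why})")
    print(bogon_set_literal())
```

Two of the samples show why the order matters: the DHCP offer from the modem to the temporary address is dropped even though the modem's source address is otherwise accepted, and the modem's management traffic is accepted even though 192.168.1.254 falls inside the bogon set. Swapping either pair of rules in the nft file changes those outcomes. Note that only the ingress hook gives this result on the real box: the gist's comment is that a DHCP client reads raw sockets, so an equivalent rule in an ip or inet input chain would never see the packet.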