Blocking Unwanted Internet Traffic 101

I recently came across this suggestion on Server Fault, which starts with blocking spoofed packets. I'm addressing only the first block of rules here.

http://serverfault.com/a/410618/79028

It is a simple iptables ruleset that blocks most of the common RFC 1918 addresses. You have probably heard of these: the 10/8, 192.168/16 and 172.16/12 address ranges. What might be new to you is that there are a great many more ranges that one should never observe on the internet.

You might add to your list:

  • TEST-NET (192.0.2.0/24) from RFC 3330
  • benchmark test (198.18.0/25) from RFC 2544
  • protocol assignment (192.0.0.0/24)
  • TEST-NET-2 (198.51.100/24) and TEST-NET-3 (203.0.113/24) from RFC 5736 and RFC 5737
  • carrier-grade NAT (100.64/10) from RFC 6598

Blocking addresses from these ranges is completely valid: IANA has not assigned them for use on the internet and will not. They are reserved and not internet-routable.
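As an added example (not the Server Fault ruleset and not code from this post), the script below collects the RFC 1918 ranges together with the additional reserved ranges listed above into one table, provides a pure-shell `is_bogon` check so you can test an address against the table offline, and generates the iptables commands for a dedicated `BOGONS` chain rather than running them, so the output can be reviewed first. The table, the chain name and the function names are my own choices; for the benchmarking range the example uses the full 198.18.0.0/15 block that RFC 2544 defines.

```shell
#!/bin/sh
# Constructed table of reserved IPv4 ranges: the RFC 1918 ranges from the
# Server Fault ruleset plus the additional ranges the post lists.
# Format: CIDR, then a label that becomes an iptables comment.
BOGONS="
10.0.0.0/8       RFC1918-private
172.16.0.0/12    RFC1918-private
192.168.0.0/16   RFC1918-private
192.0.2.0/24     RFC3330/5737-TEST-NET-1
198.18.0.0/15    RFC2544-benchmarking
192.0.0.0/24     RFC5736-protocol-assignments
198.51.100.0/24  RFC5737-TEST-NET-2
203.0.113.0/24   RFC5737-TEST-NET-3
100.64.0.0/10    RFC6598-carrier-grade-NAT
"

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX -> exit 0 if ADDR falls inside the prefix
in_cidr() {
  local addr net prefix mask
  addr=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  prefix=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# is_bogon ADDR -> prints the label of the first matching range and
# exits 0; exits 1 when the address is in none of them
is_bogon() {
  local cidr label
  while read -r cidr label; do
    [ -z "$cidr" ] && continue
    if in_cidr "$1" "$cidr"; then
      echo "$label"
      return 0
    fi
  done <<EOF
$BOGONS
EOF
  return 1
}

# bogon_rules IFACE -> prints the iptables commands for a BOGONS chain
# attached to the given (internet-facing) interface; nothing is executed
bogon_rules() {
  local iface="$1" cidr label
  echo "iptables -N BOGONS"
  while read -r cidr label; do
    [ -z "$cidr" ] && continue
    echo "iptables -A BOGONS -s $cidr -m comment --comment '$label' -j DROP"
  done <<EOF
$BOGONS
EOF
  echo "iptables -I INPUT 1 -i $iface -j BOGONS"
  echo "iptables -I FORWARD 1 -i $iface -j BOGONS"
}

# Usage: review the rules, then pipe them into a root shell on the firewall.
# bogon_rules eth0
```

Attach the chain only to the internet-facing interface: the same ranges are legitimately present on your LAN, and if your ISP uses carrier-grade NAT your own WAN address may sit in 100.64.0.0/10, so dropping that range would have to be reconsidered.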