I recently came across this very suggestion on ServerFault, which starts with blocking spoofed packets. I'm addressing the first block of rules here.
It is a simple iptables ruleset that blocks the common RFC 1918 private ranges, the ones you have probably heard of: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. What may be new to you is that there are a good many more ranges that should never be seen on the internet, and they are worth dropping at the same spot.
You might add to your list:
- TEST-NET-1 (192.0.2.0/24), originally listed in RFC 3330 and now defined in RFC 5737
- benchmark testing (198.18.0.0/15, i.e. 198.18.0.0 through 198.19.255.255) from RFC 2544
- IETF protocol assignments (192.0.0.0/24) from RFC 5736, now carried in RFC 6890
- TEST-NET-2 (198.51.100.0/24) and TEST-NET-3 (203.0.113.0/24) from RFC 5737
- carrier-grade NAT shared address space (100.64.0.0/10) from RFC 6598
Blocking these ranges is completely valid: IANA has reserved them and they are not globally routable, so a packet arriving from the internet with one of them as its source address is either spoofed or misrouted and can be dropped. Two caveats. Match on the source address and apply the rules only to the internet-facing interface, otherwise you cut off your own RFC 1918 LAN. And if your ISP puts you behind carrier-grade NAT, your uplink itself may sit in 100.64.0.0/10, so check what address your WAN interface actually holds before you drop that range.
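The following script is an added example and not the ServerFault rule set: it turns the list above into a dedicated iptables chain that drops packets entering on the external interface whose source lies in one of the ranges, and it carries a small `is_bogon` check you can use to test an address offline. The interface name `eth0`, the chain name `SPOOF_IN` and the `bogons.sh` file name are assumptions; beyond the post's list it also drops loopback, link-local, multicast and the reserved 240.0.0.0/4 block as sources, none of which is valid on the internet either.

```shell
#!/bin/bash
# Added example (not the ServerFault rule set): build an anti-spoofing chain
# from the reserved ranges discussed above. WAN_IF and CHAIN are assumptions.
WAN_IF="${WAN_IF:-eth0}"      # assumed external interface; set to your uplink
CHAIN="${CHAIN:-SPOOF_IN}"    # assumed chain name

# CIDR  label  reference  (one entry per line)
BOGONS='
10.0.0.0/8       private      RFC1918
172.16.0.0/12    private      RFC1918
192.168.0.0/16   private      RFC1918
100.64.0.0/10    cgn          RFC6598
192.0.0.0/24     ietf-proto   RFC6890
192.0.2.0/24     test-net-1   RFC5737
198.51.100.0/24  test-net-2   RFC5737
203.0.113.0/24   test-net-3   RFC5737
198.18.0.0/15    benchmark    RFC2544
127.0.0.0/8      loopback     RFC1122
169.254.0.0/16   link-local   RFC3927
224.0.0.0/4      multicast    RFC5771
240.0.0.0/4      reserved     RFC1112
'

# Dotted quad -> 32-bit integer (octets assumed decimal, no leading zeros).
ip2int() {
  local a b c d
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NET/PLEN: exit 0 when ADDR lies inside NET/PLEN.
in_cidr() {
  local addr net plen mask
  net=${2%/*}
  plen=${2#*/}
  mask=$(( ~((1 << (32 - plen)) - 1) ))   # top PLEN bits set
  addr=$(ip2int "$1")
  net=$(ip2int "$net")
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# is_bogon ADDR: exit 0 when ADDR must never appear as a source on the WAN.
is_bogon() {
  local cidr rest
  while read -r cidr rest; do
    [ -n "$cidr" ] || continue
    if in_cidr "$1" "$cidr"; then
      return 0
    fi
  done <<EOF
$BOGONS
EOF
  return 1
}

# bogon_rules: print the iptables commands (review, then pipe to `sudo sh`).
# Only the source (-s) is matched: several of these ranges are legitimate
# as destinations, multicast for instance.
bogon_rules() {
  local cidr label ref
  printf 'iptables -N %s\n' "$CHAIN"
  while read -r cidr label ref; do
    [ -n "$cidr" ] || continue
    printf 'iptables -A %s -s %s -m comment --comment "%s %s" -j DROP\n' \
      "$CHAIN" "$cidr" "$label" "$ref"
  done <<EOF
$BOGONS
EOF
  printf 'iptables -A %s -j RETURN\n' "$CHAIN"
  # Hook the chain on the external interface only, so the LAN side keeps
  # working with its RFC 1918 addresses.
  printf 'iptables -I INPUT 1 -i %s -j %s\n' "$WAN_IF" "$CHAIN"
  printf 'iptables -I FORWARD 1 -i %s -j %s\n' "$WAN_IF" "$CHAIN"
}

# `./bogons.sh` prints the rule set; `./bogons.sh apply` runs it (needs root).
case "${1:-print}" in
  print) bogon_rules ;;
  apply) bogon_rules | sh ;;
esac
```

Before applying, run `is_bogon` against the address your WAN interface actually holds; if it reports a match you are behind carrier-grade NAT (or on a test network) and should take that entry out rather than lock yourself out.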