IP source address ranges that should be denied to prevent IP spoofing. Each range is shown first as a standard ACL entry and then as an extended ACL entry:
1. 0.0.0.0/8
deny 0.0.0.0 0.255.255.255 log
deny ip 0.0.0.0 0.255.255.255 any log
(reserved range; cannot be assigned to IPv4 hosts)
2. 10.0.0.0/8
deny 10.0.0.0 0.255.255.255 log
deny ip 10.0.0.0 0.255.255.255 any log
(Class A private range)
3. 127.0.0.0/8
deny 127.0.0.0 0.255.255.255 log
deny ip 127.0.0.0 0.255.255.255 any log
(loopback range for diagnostic purposes)
4. 172.16.0.0/12
deny 172.16.0.0 0.15.255.255 log
deny ip 172.16.0.0 0.15.255.255 any log
(Class B private range)
5. 192.168.0.0/16
deny 192.168.0.0 0.0.255.255 log
deny ip 192.168.0.0 0.0.255.255 any log
(Class C private range)
6. 224.0.0.0/4
deny 224.0.0.0 15.255.255.255 log
deny ip 224.0.0.0 15.255.255.255 any log
(multicast range)
7. 240.0.0.0/4
deny 240.0.0.0 15.255.255.255 log
deny ip 240.0.0.0 15.255.255.255 any log
(Class E range)
8. 169.254.0.0/16
deny 169.254.0.0 0.0.255.255 log
deny ip 169.254.0.0 0.0.255.255 any log
(link-local address range; a host only uses this range when it has not been assigned an IP address)
9. 255.255.255.255/32
deny host 255.255.255.255 log
deny ip host 255.255.255.255 any log
(limited broadcast address; block it to prevent spoofing that uses the broadcast address as the source)
Every ACL ends with an implicit deny, so if you want return traffic for connections initiated by users on the inside network to be allowed back in, you have to place the following statement at the end of your extended ACL, after the deny entries. The established keyword exists only in extended ACLs and is only valid on TCP entries, so the statement is written with tcp rather than ip; a standard ACL has no established keyword.
Extended ACL entry at the end:
permit tcp any any established
Apply the ACL to the outside interface of your router as INBOUND.
Private ranges, RFC 1918:
http://tools.ietf.org/html/rfc1918