The following list is what I'm thinking of using for blocking traffic
between an edge router acting as a firewall and an ISP/upstream.  This
table is limited to address blocks only; TCP/UDP port filtering and IP
protocol filtering are a separate discussion.  This is for an
implementation of BCP-38 recommendations.

I'm trying to decide whether the firewall should just blackhole these
addresses in the routing table, or use rules in NFTABLES against source
and destination addresses, or some combination.  If NFTABLES, the best
place to put the blocks (both inbound and outbound) would be in the
FORWARD chain.  (N.B. for endpoint boxes, they go into the OUTPUT
chain.)

In trying to research what would constitute "best practice", the papers
I found were outdated, potentially incomplete (particularly with
reference to IPv6), or geared toward other applications.  This table
currently does not have exceptions -- some may need to be added as a
specific "allow" route or list.

The Linux rp_filter knob is effective for endpoint servers and
workstations, and I turn it on religiously (easy because it's the
default).  For a firewall router without blackhole routes, it's less
effective because, for incoming packets, a source address matching one
of your inside netblocks will pass.  A subset of the list would be
useful in endpoint boxes to relieve pressure on the upstream edge router
-- particularly if a ne'er-do-well successfully hijacks the endpoint box
to participate in a DDoS flood.

IPv4
Address block       Scope           Description
0.0.0.0/8           Software        Current network (only valid as
                                    source address).
10.0.0.0/8          Private network Used for local communications
                                    within a private network.
100.64.0.0/10       Private network Shared address space[3] for
                                    communications between a service
                                    provider and its subscribers
                                    when using a carrier-grade NAT.
127.0.0.0/8         Host            Used for loopback addresses to
                                    the local host.
169.254.0.0/16      Subnet          Used for link-local addresses
                                    between two hosts on a single
                                    link when no IP address is
                                    otherwise specified, such as
                                    would have normally been
                                    retrieved from a DHCP server.
172.16.0.0/12       Private network Used for local communications
                                    within a private network.
192.0.0.0/24        Private network IETF Protocol Assignments.
192.0.2.0/24        Documentation   Assigned as TEST-NET-1,
                                    documentation and examples.
192.88.99.0/24      Internet        Reserved. Formerly used for
                                    IPv6 to IPv4 relay
192.168.0.0/16      Private network Used for local communications
                                    within a private network.
198.18.0.0/15       Private network Used for benchmark testing of
                                    inter-network communications
                                    between two separate subnets.
198.51.100.0/24     Documentation   Assigned as TEST-NET-2,
                                    documentation and examples.
203.0.113.0/24      Documentation   Assigned as TEST-NET-3,
                                    documentation and examples.
224.0.0.0/4         Internet        In use for IP multicast.
240.0.0.0/4         Internet        Reserved for future use.
255.255.255.255/32  Subnet          Reserved for the "limited
                                    broadcast" destination address.

IPv6
Address block       Scope           Description
::/0                Routing         Default route.
::/128              Software        Unspecified address.
::1/128             Host            Loopback address to local host.
::ffff:0:0/96       Software        IPv4 mapped addresses.
::ffff:0:0:0/96     Software        IPv4 translated addresses.
64:ff9b::/96        Global Internet IPv4/IPv6 translation.
100::/64            Routing         Discard prefix.
2001::/32           Global Internet Teredo tunneling.
2001:20::/28        Software        ORCHIDv2.
2001:db8::/32       Documentation   Addresses used in documentation
                                    and example source code.
2002::/16           Global Internet The 6to4 addressing scheme.
fc00::/7            Private network Unique local address.
fe80::/10           Link            Link-local address.
ff00::/8            Global Internet Multicast address.
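Below is an added example of the NFTABLES variant described above, in
the FORWARD hook, using the two tables as named sets.  It is not from the
original post or from any project; the interface names (eth0 toward the
ISP, eth1 toward the inside) and the inside prefixes are assumptions, and
the documentation prefixes 203.0.113.0/24 and 2001:db8::/32 stand in for
the real assigned netblocks, so they are left out of the bogon sets here
and must go back in once real prefixes are substituted.  ::/0 is omitted
because it matches every address; 255.255.255.255/32 is omitted because
240.0.0.0/4 already covers it and overlapping elements in an interval set
are rejected.  The Teredo, 6to4 and 64:ff9b::/96 prefixes are globally
routed and are in the set only because the table lists them.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post): BCP-38 address-block
# filtering in the FORWARD hook of an nftables edge router.
# Assumptions: eth0 faces the ISP, eth1 faces the inside network, and the
# documentation prefixes below stand in for your real assigned netblocks.

flush ruleset

define WAN = "eth0"     # assumption: link to the ISP/upstream
define LAN = "eth1"     # assumption: link to the inside network

table inet bcp38 {
	# Assumption: TEST-NET-3 and 2001:db8::/32 play the inside prefixes.
	# With real prefixes, put both back into the bogon sets.  If the
	# router masquerades, the forward hook sees the pre-NAT source, so
	# inside4 is then the private prefix actually in use.
	set inside4 {
		type ipv4_addr
		flags interval
		elements = { 203.0.113.0/24 }
	}
	set inside6 {
		type ipv6_addr
		flags interval
		elements = { 2001:db8::/32 }
	}

	set bogons4 {
		type ipv4_addr
		flags interval
		# 255.255.255.255/32 is inside 240.0.0.0/4; listing both would
		# create overlapping intervals, which nft rejects.
		elements = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8,
		             169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24,
		             192.0.2.0/24, 192.88.99.0/24, 192.168.0.0/16,
		             198.18.0.0/15, 198.51.100.0/24, 224.0.0.0/4,
		             240.0.0.0/4 }
	}
	set bogons6 {
		type ipv6_addr
		flags interval
		# ::/0 is left out: it matches every address.  2001::/32 (Teredo),
		# 2002::/16 (6to4) and 64:ff9b::/96 are globally routed and are
		# here only because the table lists them.
		elements = { ::/128, ::1/128, ::ffff:0:0/96, ::ffff:0:0:0/96,
		             64:ff9b::/96, 100::/64, 2001::/32, 2001:20::/28,
		             2002::/16, fc00::/7, fe80::/10, ff00::/8 }
	}

	chain forward {
		type filter hook forward priority 0; policy accept;

		# Ingress from the ISP: bogon sources and destinations, plus our
		# own prefixes appearing as source (the spoofed-inside case that
		# loose-mode rp_filter lets through on a router).
		iifname $WAN ip saddr @bogons4 counter drop
		iifname $WAN ip daddr @bogons4 counter drop
		iifname $WAN ip saddr @inside4 counter drop comment "spoofed inside source"
		iifname $WAN ip6 saddr @bogons6 counter drop
		iifname $WAN ip6 daddr @bogons6 counter drop
		iifname $WAN ip6 saddr @inside6 counter drop comment "spoofed inside source"

		# Egress toward the ISP (BCP-38 proper): only our own source
		# addresses may leave, and nothing leaves for a bogon destination.
		oifname $WAN ip saddr != @inside4 counter drop comment "BCP-38 egress"
		oifname $WAN ip daddr @bogons4 counter drop
		oifname $WAN ip6 saddr != @inside6 counter drop comment "BCP-38 egress"
		oifname $WAN ip6 daddr @bogons6 counter drop
	}
}
```

Check the file with `nft -c -f bcp38.nft` before loading it with
`nft -f bcp38.nft`; `nft list ruleset` then shows the per-rule counters,
which is the quickest way to see whether a rule is firing on legitimate
traffic and needs an exception.  On an endpoint box the same two bogon
sets can be reused in an output chain with `ip daddr @bogons4 drop` and
`ip6 daddr @bogons6 drop`; the inside sets are not needed there.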
