In one of the previous posts i showed how to configure a home edge router with a minimal config. However, we did forget to add even basic security to the router.
Let’s try to harden the router by first blocking weird traffic coming from the internet. What do I mean by ”weird”? First, let’s block traffic coming from sources that should never send traffic from the internet. We call such sources ”martians”.
Let’s create an access list that will list all addresses that should never be on your WAN and block them.
Lines 10-70 are martians, line 80 is my public IP which belongs to me so this IP should never send me traffic from somewhere else out on the internet, line 90 permits traffic coming to my public IP, while line 100 blocks all other traffic.
ip access-list ext MARTIANS
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 127.0.0.0 0.255.255.255 any
30 deny ip 169.254.0.0 0.0.255.255 any
40 deny ip 172.16.0.0 0.15.255.255 any
50 deny ip 192.0.2.0 0.0.0.255 any
60 deny ip 192.168.0.0 0.0.255.255 any
70 deny ip 220.127.116.11 18.104.22.168 any
80 deny ip host 22.214.171.124 any
90 permit ip any host 126.96.36.199
100 deny ip any any
Finally, I apply the ACL on the wan interface with the commands:
ip access-group MARTIANS in