Internet servers are not supposed to route private IP ranges such as 192.168.x.x.
How do they achieve this? Should an administrator enable a specific firewall rule on the router or is it coded in the hardware/firmware/kernel of the router?
Answer
Most ISPs will have hardcoded ACLs to prevent routing of private traffic. In the event they do not, the lack of a locatable return address will prevent these packets from going anywhere regardless. BGP (Border Gateway Protocol), the core routing protocol of the internet, only advertises public routes.
It is common to find an ACL similar to the following on internet-facing Cisco routers:
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
This will block private addresses, including APIPA and loopback addresses, from traversing a router interface once applied via an access-group.
The firmware on some SOHO routers has this functionality built-in.
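As an added example (not from the post or any vendor code), a small Python simulator of the wildcard-mask matching these access-list entries perform, run over a few constructed source addresses. It appends a trailing permit ip any any, which the answer does not show, because an IOS ACL ends in an implicit deny: with only the five deny lines applied, the interface would drop all traffic. The loopback entry is written with the 0.255.255.255 wildcard that covers 127.0.0.0/8.

```python
import ipaddress
import re

# Constructed ACL text: the five deny entries from the answer plus a
# trailing permit (an assumption, needed because of the implicit deny).
ACL_TEXT = """
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
"""

# Only the "ip <src> <dst>" form used on the page is parsed.
ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>any|\S+\s+\S+)\s+(?P<dst>any|\S+\s+\S+)\s*$"
)

def _parse_match(field):
    """'any' matches everything; otherwise 'addr wildcard' as (int, int)."""
    if field == "any":
        return (0, 0xFFFFFFFF)
    addr, wildcard = field.split()
    return (int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard)))

def parse_acl(text):
    """Return the ACEs in order as (action, src_rule, dst_rule) tuples."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        entries.append((m["action"], _parse_match(m["src"]), _parse_match(m["dst"])))
    return entries

def _matches(ip, rule):
    """Wildcard bits set to 1 are 'don't care'; 0 bits must match exactly."""
    addr, wildcard = rule
    mask = ~wildcard & 0xFFFFFFFF           # wildcard is an inverted subnet mask
    return (int(ipaddress.IPv4Address(ip)) & mask) == (addr & mask)

def evaluate(entries, src, dst):
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    for action, src_rule, dst_rule in entries:
        if _matches(src, src_rule) and _matches(dst, dst_rule):
            return action
    return "deny"
```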