Filter your customers’ networks so that they can only send you traffic whose source addresses fall within their network blocks. For example, if you have assigned a customer a network block of with netmask, the following Cisco ACL, applied to the customer’s incoming interface, keeps them from sending source-spoofed packets through your network and logs any attempts:
access-list 101 permit ip any
access-list 101 deny ip any any log
interface Serial1    ! Or the customer’s incoming interface
  ip access-group 101 in

(Adjust ‘101’ to your access-list numbering scheme)
Protect your network from packets that arrive on external connections carrying source addresses that should only come from internal machines. For instance, if you have been assigned the network block of with netmask from your upstream, use the following Cisco ACL:
access-list 199 deny ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip any any
interface Serial0    ! Our internet gateway’s interface to the Internet
  ip access-group 199 in

Protect others by ensuring that the only packets you send out to external networks are those with source addresses of your own. For instance, following the second example above, we would ensure that only packets with source addresses of 192.168.1.x could exit our network:
access-list 198 permit ip 192.168.1.0 0.0.0.255 any
access-list 198 deny ip any any
interface Serial0   ! Our internet gateway’s interface to the Internet
  ip access-group 198 out
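
The three filters above take a network and a wildcard (inverted netmask), which is easy to get wrong by hand. The following is an added example, not part of the original text: it builds each ACL from a block in netmask notation and checks sample source addresses against it with first-match semantics. The function names are hypothetical, the customer block 198.51.100.0/255.255.255.240 is a constructed sample, and 192.168.1.0/255.255.255.0 stands for the 192.168.1.x network used above.

```python
import ipaddress

def wildcard(block):
    """Return (network, wildcard); Cisco ACLs take the inverted netmask."""
    net = ipaddress.ip_network(block, strict=True)  # rejects stray host bits
    return str(net.network_address), str(net.hostmask)

def customer_ingress(acl, block):
    """Inbound on the customer interface: permit their block, log the rest."""
    n, w = wildcard(block)
    return [f"access-list {acl} permit ip {n} {w} any",
            f"access-list {acl} deny ip any any log"]

def border_ingress(acl, block):
    """Inbound from the Internet: drop packets claiming our own addresses."""
    n, w = wildcard(block)
    return [f"access-list {acl} deny ip {n} {w} any",
            f"access-list {acl} permit ip any any"]

def border_egress(acl, block):
    """Outbound to the Internet: only our own source addresses may leave."""
    n, w = wildcard(block)
    return [f"access-list {acl} permit ip {n} {w} any",
            f"access-list {acl} deny ip any any"]

def first_match(lines, src):
    """Evaluate a source address top-down; the first matching line wins."""
    addr = int(ipaddress.ip_address(src))
    for line in lines:
        f = line.split()  # access-list <n> <action> ip <src> [<wild>] <dst> ...
        action, source = f[2], f[4]
        if source == "any":
            return action
        base, wild = (int(ipaddress.ip_address(x)) for x in f[4:6])
        care = ~wild & 0xFFFFFFFF  # bits that must match exactly
        if addr & care == base & care:
            return action
    return "deny"  # implicit deny at the end of every ACL

if __name__ == "__main__":
    CUSTOMER = "198.51.100.0/255.255.255.240"  # constructed sample block
    OURS = "192.168.1.0/255.255.255.0"         # the 192.168.1.x network
    for acl in (customer_ingress(101, CUSTOMER),
                border_ingress(199, OURS), border_egress(198, OURS)):
        print("\n".join(acl), end="\n\n")
    # A source just outside the customer's /28 is treated as spoofed.
    print(first_match(customer_ingress(101, CUSTOMER), "198.51.100.16"))
```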