Linux – Blackhole route private intranet traffic

blackholeiproute2linuxrouting

I have a private network with a handful of Linux routers all route sharing via OSPF. How do I blackhole private network ranges that I don't have routes for?

In other words, I want to be sure I NEVER route 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/24 out to the default gateway. I can't just create static sink (blackhole) routes for these networks as a network within one of the private ranges may get advertised via OSPF.

I could use netfilter to just DROP all traffic going out the default GW connected interface if its in a private range, but I figured iproute2/linux might have had a simpler or more 'correct' solution.

Best Answer

ip route add blackhole 10.0.0.0/8
ip route add blackhole 172.16.0.0/12
ip route add blackhole 192.168.0.0/16

Since more specific routes always take precedence, any ranges advertised via OSPF will take precedence over the blackhole routes.

Cisco:

router>sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     xx.0.0.0/32 is subnetted, 2 subnets
C       xx.xx.xx.192 is directly connected, Dialer0
C       xx.xx.xx.1 is directly connected, Dialer0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.10.0.0/30 is directly connected, Tunnel1
S       10.0.0.0/8 is directly connected, Null0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Dialer0
S    172.16.0.0/12 is directly connected, Null0
S    192.168.0.0/16 is directly connected, Null0

On Linux:

michael:~$ sudo ip route add blackhole 192.168.0.0/16 
michael:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_req=1 ttl=64 time=0.238 ms
64 bytes from 192.168.0.1: icmp_req=2 ttl=64 time=0.180 ms
<...>
michael@challenger:~$ ping 192.168.1.1
connect: Network is unreachable
Related Topic