How do I drop or block attackers IP with null routes?

How do I drop or block attackers IP with null routes?

In this tutorial I will show you, how to block attackers IP in Linux, so how do I drop or block attackers IP with null routes?

Someone might attack your Linux based system. You can drop attacker IP using IPtables. However, you can use the route or ip command to null route unwanted traffic. A null route (also called as blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.

You can null route (like some time ISP do prevent your network device from sending any data to a remote system) stopping various attacks coming from a single IP (read as spammers or hackers IP) using the following syntax on a Linux based system.

Nullroute IP using route command

Suppose that bad IP is 65.21.34.4, type the following command at shell:
# route add 65.21.34.4 gw 127.0.0.1 lo
You can verify it with the following command:
# netstat -nr
OR
# route -n
You can also use reject target (a hat tip to Gabriele):
# route add -host IP-ADDRESS reject
# route add -host 64.1.2.3 reject

To confirm the null routing status, use the ip command as follows:
# ip route get 64.1.2.3
Output:

RTNETLINK answers: Network is unreachable

To drop entire subnet 192.67.16.0/24, type:
# route add -net 192.67.16.0/24 gw 127.0.0.1 lo

Null routing using ip command

While traversing the RPDB, any route lookup which matches a rule with the blackhole rule type will cause the packet to be dropped. No ICMP will be sent and no packet will be forwarded. The syntax is follows for the ip command:
# ip route add blackhole 202.54.5.2/29
# ip route add blackhole from 202.54.1.2
# ip rule add blackhole to 10.18.16.1/29
# ip route

How do I remove null routing? How do I remove blocked IP address?

Simple use the route delete command as follows:
# route delete 65.21.34.4
OR
# route del -host 65.21.34.4 reject
Or use NA command to delete route:
# ip route delete 1.2.3.4/26 dev eth0

This is cool, as you do not have to play with iptables rules as described here.

Was this Tutorial helpful? Help others share on Facebook, Twitter, and Google Plus!

 
Enjoyed this video?
How do I drop or block attackers IP with null routes?
"No Thanks. Please Close This Box!"