[Techtalk] when to blackhole routes?
docnielsen at gmail.com
Tue Apr 17 00:31:52 UTC 2007
A blackhole is the el-cheapo way of firewalling.
It doesn't prevent packets from getting in, it just prevents you from
sending packets to the host. And if you are behind a router with a
blackhole line in the routing table, it prevents users behind the
router as well.
I would never use a null-route, and i see no real use for it. IMO it
doesn't make sense now that iptables exists. If you however are on a
(cisco or other) hardware router, a null-route may be your only option
of firewalling, to keep someone in or out, and then using it there
would make perfect sense. But using a hardware firewall might be a
All internet routers (should) have a default blackhole policy
regarding RFC1918 adresses, so there should be no way your packets
from your local lan would ever get beyond first hop.
If you wish to be sure, three simple drop lines in your iptables
output chain should solve this completely.
iptables -A OUTPUT -o ethX -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -o ethX -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -o ethX -d 10.0.0.0/8 -j DROP
Where ethX is the interface to the outside (untrusted) network/internet.
On 4/17/07, Carla Schroder <carla at bratgrrl.com> wrote:
> Under what circumstances does it make sense to blackhole routes? An obvious
> example is blocking spammers or other pests, like out-of-control web spiders.
> What about blocking RFC 1918 addresses entering or leaving your network with
> routing commands instead of iptables rules?
> What else?
> Carla Schroder
> Linux geek and random computer tamer
> check out my Linux Cookbook!
> best book for sysadmins and power users
> Techtalk mailing list
> Techtalk at linuxchix.org
No trees were killed in the sending of this message.
However, a large number of electrons were terribly inconvenienced
More information about the Techtalk