Useful Null Routes
By Phil on Monday, July 29 2013, 15:56 - Interwebs - Permalink
On every router, there are certain routes that are useful to install to prevent leakage of invalid traffic related to private address space.
These are the null-routes I install on all routers to prevent leakage.
- IANA Test Network (192.0.2.0/24)
- IANA Test Network 2 (198.51.100.0/24)
- IANA Test Network 3 (203.0.113.0/24)
- RFC-3927 Autoconfiguration Addresses (169.254.0.0/16)
- RFC-1918 Class C Private Addresses (192.168.0.0/16)
- RFC-1918 Class B Private Addresses (172.16.0.0/12)
- RFC-1918 Class A Private Addresses (10.0.0.0/8)
On Linux, you can route these via either the 'blackhole' or 'unreachable' pseudo next-hop (route type). Using 'blackhole' will silently discard any packets destined for these address spaces (similar to the iptables DROP target). The 'unreachable' option will send an ICMP host-unreachable packet back to the source host (like the iptables REJECT target).
It's also a good idea to give these routes a low-priority metric (a high metric value such as 999) to help prevent them conflicting with any future routes for the same prefixes.
ip route add unreachable 192.0.2.0/24 metric 999
ip route add blackhole 169.254.0.0/16 metric 999
RedHat-based systems can install these routes at boot time by adding them to /etc/sysconfig/network-scripts/route-eth0
unreachable 10.0.0.0/8 metric 999
unreachable 172.16.0.0/12 metric 999
unreachable 192.168.0.0/16 metric 999
unreachable 169.254.0.0/16 metric 999
unreachable 192.0.2.0/24 metric 999
unreachable 198.51.100.0/24 metric 999
unreachable 203.0.113.0/24 metric 999
UPDATE
Debian-based systems can install these routes at boot time by adding them to /etc/network/if-up.d/static-routes (the file must be an executable script; ifupdown runs it once for each interface that comes up, so the second and later runs will report that the routes already exist, which is harmless)
#!/bin/sh
# Null-route private and documentation address space (see list above).
ip route add unreachable 10.0.0.0/8 metric 999
ip route add unreachable 172.16.0.0/12 metric 999
ip route add unreachable 192.168.0.0/16 metric 999
ip route add unreachable 169.254.0.0/16 metric 999
ip route add unreachable 192.0.2.0/24 metric 999
ip route add unreachable 198.51.100.0/24 metric 999
ip route add unreachable 203.0.113.0/24 metric 999
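As an added check that is not part of the original post: a small Python audit that parses the text of `ip route show`, reports which of the seven prefixes above are missing or not installed as a null route, and does a longest-prefix lookup the way the kernel would, so you can see that a connected 192.168.1.0/24 still wins over the 192.168.0.0/16 null route while an address in a missing range leaks to the default route. The sample routing table is constructed; on a real host feed it the output of `ip route show`.

```python
import ipaddress
EXPECTED = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
            "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")  # the post's list
NULL_TYPES = ("unreachable", "blackhole", "prohibit")

def parse_ip_route(output):
    """Parse `ip route show` text into {prefix: (route type, metric)}."""
    routes = {}
    for parts in (line.split() for line in output.splitlines() if line.strip()):
        if parts[0] in NULL_TYPES:
            rtype, prefix = parts[0], parts[1]
        else:
            rtype, prefix = "unicast", parts[0]  # "via"/"dev" routes
        prefix = "0.0.0.0/0" if prefix == "default" else prefix
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes[prefix] = (rtype, metric)
    return routes

def audit(output, expected=EXPECTED):
    """Return (prefix, problem) for expected null routes that are absent or not null."""
    routes = parse_ip_route(output)
    findings = []
    for prefix in expected:
        rtype = routes.get(prefix, (None, 0))[0]
        if rtype is None:
            findings.append((prefix, "missing"))
        elif rtype not in NULL_TYPES:
            findings.append((prefix, "not a null route: " + rtype))
    return findings

def lookup(routes, address):
    """Longest-prefix match, lowest metric breaking ties, as the kernel FIB does."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, (rtype, metric) in routes.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), rtype)
    return best[1] if best else None

# Constructed sample of `ip route show` from a host missing three of the routes.
SAMPLE = """\
default via 192.168.1.1 dev eth0 proto static metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
unreachable 10.0.0.0/8 metric 999
unreachable 192.168.0.0/16 metric 999
unreachable 192.0.2.0/24 metric 999
blackhole 198.51.100.0/24 metric 999
"""
```

Running `audit(SAMPLE)` reports 172.16.0.0/12, 169.254.0.0/16 and 203.0.113.0/24 as missing, and `lookup(parse_ip_route(SAMPLE), "203.0.113.9")` shows that traffic for the missing range would follow the default route.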