Blackhole route private intranet traffic
I have a private network with a handful of Linux routers all route sharing via OSPF. How do I blackhole private network ranges that I don't have routes for?
In other words, I want to be sure I NEVER route 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/24 out to the default gateway. I can't just create static sink (blackhole) routes for these networks as a network within one of the private ranges may get advertised via OSPF.
I could use netfilter to just DROP all traffic going out the default GW connected interface if its in a private range, but I figured iproute2/linux might have had a simpler or more 'correct' solution.
ip route add blackhole 10.0.0.0/8
ip route add blackhole 172.16.0.0/12
ip route add blackhole 192.168.0.0/16
Since more specific routes always take precedence, any ranges advertised via OSPF will take precedence over the blackhole routes.
Cisco:
router>sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
xx.0.0.0/32 is subnetted, 2 subnets
C xx.xx.xx.192 is directly connected, Dialer0
C xx.xx.xx.1 is directly connected, Dialer0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.0.0/30 is directly connected, Tunnel1
S 10.0.0.0/8 is directly connected, Null0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 is directly connected, Dialer0
S 172.16.0.0/12 is directly connected, Null0
S 192.168.0.0/16 is directly connected, Null0
On Linux:
michael:~$ sudo ip route add blackhole 192.168.0.0/16
michael:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_req=1 ttl=64 time=0.238 ms
64 bytes from 192.168.0.1: icmp_req=2 ttl=64 time=0.180 ms
<...>
michael@challenger:~$ ping 192.168.1.1
connect: Network is unreachable
As long as you are thinking along these lines, you should know about the BOGON list. http://www.team-cymru.org/Services/Bogons/
And I would probably just use the netfilter/DROP like you suggested. The safest thing to do it keep the BOGON config at the external interface or firewall, so it is only in one place and doesn't break internal changes. If you have a firewall machine or an external router THAT is where I'd put the blocks. At the last possible step.