🔨Dropping Packets Using IP Routing | A Practical Guide⚙️
In the world of network management, packet filtration is often achieved through firewalls like `nftables` or `iptables`. However, another lesser-known but efficient method is to leverage IP routing policies. This approach is particularly effective for layer 3 traffic filtering and provides a scalable solution when combined with routing protocols such as BGP.
This article explores how to use IP routing to drop packets, its advantages, and essential considerations like the Reverse Path Filtering (RPF) parameter.
How IP Routing Can Drop Packets
Routing is fundamentally about deciding where packets should go. However, it can also decide where packets should not go. By using special route types like `blackhole`, `prohibit`, or `unreachable`, you can instruct the kernel to drop packets destined for specific addresses or subnets.
Example: Dropping Traffic to a Target Address
To silently drop all traffic directed to `8.8.8.8`:

```bash
# ip route add blackhole 8.8.8.8
```

Explanation:
- `blackhole`: A route type that silently drops packets without sending any response.
- Target: The IP address (`8.8.8.8`) or subnet you want to block.
This method is lightweight, requiring no state tracking or packet inspection, making it an efficient solution for scenarios like DDoS mitigation.
Enhancing Scalability with Routing Protocols
One of the standout advantages of using routing for packet filtration is its scalability. When combined with a dynamic routing protocol like BGP, you can propagate filtering rules across multiple devices in a network.
Example: Using BGP to Distribute Blackhole Routes
1. Configure a BGP session to distribute a route for `8.8.8.8` as a blackhole.
2. All participating routers will drop packets destined for `8.8.8.8` without requiring additional configuration on each device.
This approach is particularly useful in ISP or enterprise environments where centralized management of filtering rules is essential.
The Role of Reverse Path Filtering (RPF)
When implementing routing-based filtration, it's important to consider the Reverse Path Filtering mechanism, controlled by the `rp_filter` kernel parameter.
What is RPF?
Reverse Path Filtering checks whether a packet's source IP address is reachable via the same interface it arrived on. If not, the packet is dropped. This helps prevent spoofing attacks and enforces symmetric routing.
Configuring RPF
To view or modify the RPF parameter:

```bash
# sysctl net.ipv4.conf.all.rp_filter
```

Possible values:
- `0`: Disabled. No source validation is performed.
- `1`: Strict mode. The source address must match the routing table for the incoming interface.
- `2`: Loose mode. The source address must exist in the routing table but does not need to match the specific interface.
Example: Enforcing RPF Globally
To enable strict RPF across all interfaces:

```bash
# sysctl -w net.ipv4.conf.all.rp_filter=1
```

For interface-specific configuration:

```bash
# sysctl -w net.ipv4.conf.eth0.rp_filter=1
```
Note: Be cautious when enabling RPF in environments with asymmetric routing, as it may unintentionally drop valid packets.
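One operational check worth having before trusting an RPF setting: the kernel applies the maximum of `net.ipv4.conf.all.rp_filter` and the per-interface value, so an interface set to `0` is still filtered when `all` is `1`, and an interface set to `2` stays loose even when `all` is `1`. The audit script below is an added example (not from the article) that reads `sysctl`-style output and reports the effective mode per interface; the sample sysctl lines are constructed.

```bash
#!/bin/sh
# Added example: report the effective rp_filter mode per interface.
# The kernel uses max(conf.all.rp_filter, conf.<iface>.rp_filter), so a
# per-interface value can be overridden by the global one without any warning.

# Map a numeric rp_filter value to its documented meaning.
rpf_mode_name() {
    case "$1" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo "unknown($1)" ;;
    esac
}

# Read "key = value" lines (as printed by 'sysctl -a') from stdin and print
# "iface effective_value mode" for each interface, sorted by name.
# 'all' is the global floor; 'default' is only a template for new interfaces.
# VLAN names appear as e.g. eth0/100 in sysctl output, so '[^.]+' is safe.
rpf_audit() {
    awk '
        /^net\.ipv4\.conf\.[^.]+\.rp_filter *= *[0-9]+$/ {
            split($1, k, ".")          # k[4] is the interface name
            val[k[4]] = $NF
        }
        END {
            g = ("all" in val) ? val["all"] : 0
            for (i in val) {
                if (i == "all" || i == "default") continue
                eff = (val[i] > g) ? val[i] : g
                print i, eff
            }
        }' | sort | while read -r iface eff; do
            echo "$iface $eff $(rpf_mode_name "$eff")"
        done
}

# Constructed sample: global strict, eth1 explicitly loose, eth0 and lo at 0.
sample_sysctl() {
    printf '%s\n' \
        'net.ipv4.conf.all.rp_filter = 1' \
        'net.ipv4.conf.default.rp_filter = 1' \
        'net.ipv4.conf.eth0.rp_filter = 0' \
        'net.ipv4.conf.eth1.rp_filter = 2' \
        'net.ipv4.conf.lo.rp_filter = 0'
}

# On a live host: sysctl -a 2>/dev/null | rpf_audit
sample_sysctl | rpf_audit
```

With the sample input, eth0 and lo report `strict` despite their own value of `0`, and eth1 reports `loose`, which is the case to look for when a host with asymmetric routing is unexpectedly dropping or unexpectedly accepting traffic.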
Advanced Use Cases
1. Dropping Packets to Entire Subnets
To block traffic to a subnet like `192.168.1.0/24`:

```bash
# ip route add blackhole 192.168.1.0/24
```

2. Using `prohibit` for Active Denial
If you want to actively reject packets and notify the sender, use the `prohibit` route:

```bash
# ip route add prohibit 222.0.111.0/24
```
The sender will receive an ICMP message indicating that the communication is administratively prohibited.
3. Combining with Routing Tables
For more complex setups, use separate routing tables to define filtration rules:
```bash
# echo "200 custom_table" >> /etc/iproute2/rt_tables
# ip rule add from 192.0.2.0/24 table custom_table
# ip route add blackhole 198.51.100.0/24 table custom_table
```
This setup allows granular control over which traffic is filtered.
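Managing more than a handful of these routes by hand gets error-prone, and a malformed prefix fed to `ip route` can fail halfway through a list. The script below is an added example (not from the article) that covers the blackhole examples above and the custom-table setup in this section: it validates each prefix from a blocklist, then emits or runs one `ip route replace` per entry into the named table. The table name `custom_table` comes from the article; the blocklist contents are constructed, and `DRY_RUN` defaults to printing the commands.

```bash
#!/bin/sh
# Added example: install blackhole (or prohibit/unreachable) routes for a
# blocklist in a dedicated routing table, validating every prefix first.
# Table name is taken from the article; the sample prefixes are constructed.

BLOCKLIST_TABLE="${BLOCKLIST_TABLE:-custom_table}"   # table from the rt_tables entry above
ROUTE_TYPE="${ROUTE_TYPE:-blackhole}"                # blackhole | prohibit | unreachable
DRY_RUN="${DRY_RUN:-1}"                              # 1 = print commands, 0 = run them (needs root)

# Return 0 if $1 is a syntactically valid IPv4 address or CIDR prefix.
valid_ipv4_prefix() {
    case "$1" in ""|*[!0-9./]*|*/*/*) return 1 ;; esac
    addr="${1%%/*}"
    case "$1" in */*) len="${1##*/}" ;; *) len=32 ;; esac
    [ "$len" -ge 0 ] 2>/dev/null && [ "$len" -le 32 ] || return 1
    IFS=. read -r a b c d <<EOF
$addr
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ""|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Read prefixes from stdin (one per line, '#' comments allowed) and emit or run
# one 'ip route replace' per valid prefix; 'replace' keeps reruns idempotent.
blackhole_prefixes() {
    case "$ROUTE_TYPE" in blackhole|prohibit|unreachable) ;; *) return 2 ;; esac
    while IFS= read -r prefix; do
        case "$prefix" in ""|\#*) continue ;; esac
        if ! valid_ipv4_prefix "$prefix"; then
            echo "skip: invalid prefix '$prefix'" >&2
            continue
        fi
        cmd="ip route replace $ROUTE_TYPE $prefix table $BLOCKLIST_TABLE"
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
}

# Constructed sample blocklist: the two malformed entries must be skipped.
sample_blocklist() {
    printf '%s\n' '# constructed blocklist' '10.0.0.0/99' 'not-an-ip' \
        '198.51.100.0/24' '203.0.113.7'
}

sample_blocklist | blackhole_prefixes
```

Run with `DRY_RUN=0` as root to apply the routes; `ip route show table custom_table` then lists what was installed, and `ip route get <address>` confirms which entry a given destination hits.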
Advantages of Routing-Based Filtration
- Performance: Stateless and efficient, ideal for high-throughput environments.
- Simplicity: Easy to configure with minimal system overhead.
- Scalability: Works seamlessly with dynamic routing protocols like BGP.
- Flexibility: Supports a variety of actions, including `blackhole`, `prohibit`, and `unreachable`.
Limitations
- Layer 3 Only: Works only on IP addresses and cannot inspect higher-layer protocols or payloads.
- No Connection Tracking: Cannot track or manage stateful connections.
- Interface Dependency: Requires careful consideration of interface-specific configurations, especially with RPF.
Wrap
Using IP routing for packet filtration offers a lightweight and scalable alternative to traditional firewalls. Whether you're blocking unwanted traffic, mitigating DDoS attacks, or enforcing routing policies, routing-based filtration is a powerful tool in a network administrator's arsenal.
By combining this approach with features like Reverse Path Filtering and dynamic routing protocols, you can achieve efficient, high-performance traffic management across large networks.
Written by
Ronald Bartels