# 🔨Dropping Packets Using IP Routing | A Practical Guide⚙️

In the world of network management, packet filtration is often achieved through firewalls like `nftables` or `iptables`. However, another lesser-known but efficient method is to leverage IP routing policies. This approach is particularly effective for **layer 3 traffic filtering** and provides a scalable solution when combined with routing protocols such as BGP.

This article explores how to use IP routing to drop packets, its advantages, and essential considerations like the **Reverse Path Filtering** (RPF) parameter.

---

### How IP Routing Can Drop Packets

Routing is fundamentally about deciding where packets should go. However, it can also decide where packets should **not** go. By using special routes like `blackhole`, `prohibit`, or `unreachable`, you can instruct the kernel to drop packets destined for specific addresses or subnets.

#### Example: Dropping Traffic to a Target Address

To silently drop all traffic directed to `8.8.8.8`:

```plaintext
# ip route add blackhole 8.8.8.8
```

Explanation:

* `blackhole`: A route type that silently drops packets without sending any response.
    
* **Target**: The IP address (`8.8.8.8`) or subnet you want to block.
    

This method is lightweight, requiring no state tracking or packet inspection, making it an efficient solution for scenarios like DDoS mitigation.

---

### Enhancing Scalability with Routing Protocols

One of the standout advantages of using routing for packet filtration is its **scalability**. When combined with a dynamic routing protocol like BGP, you can propagate filtering rules across multiple devices in a network.

#### Example: Using BGP to Distribute Blackhole Routes

* Configure a BGP session to distribute a route for `8.8.8.8` as a blackhole.
    
* All participating routers will drop packets destined for `8.8.8.8` without requiring additional configuration on each device.
    

This approach is particularly useful in ISP or enterprise environments where centralized management of filtering rules is essential.

---

### The Role of Reverse Path Filtering (RPF)

When implementing routing-based filtration, it's important to consider the **Reverse Path Filtering** mechanism, controlled by the `rp_filter` kernel parameter.

#### What is RPF?

Reverse Path Filtering checks whether a packet's source IP address is reachable via the same interface it arrived on. If not, the packet is dropped. This helps prevent **spoofing attacks** and enforces symmetric routing.

#### Configuring RPF

To view or modify the RPF parameter:

```plaintext
# sysctl net.ipv4.conf.all.rp_filter
```

Possible values:

* `0`: Disabled. No source validation is performed.
    
* `1`: Strict mode. The source address must match the routing table for the incoming interface.
    
* `2`: Loose mode. The source address must exist in the routing table but does not need to match the specific interface.
    

#### Example: Enforcing RPF Globally

To enable strict RPF across all interfaces:

```plaintext
# sysctl -w net.ipv4.conf.all.rp_filter=1
```

For interface-specific configuration:

```plaintext
# sysctl -w net.ipv4.conf.eth0.rp_filter=1
```

**Note**: Be cautious when enabling RPF in environments with asymmetric routing, as it may unintentionally drop valid packets.

---

### Advanced Use Cases

#### 1\. Dropping Packets to Entire Subnets

To block traffic to a subnet like `192.168.1.0/24`:

```plaintext
# ip route add blackhole 192.168.1.0/24
```

#### 2\. Using `prohibit` for Active Denial

If you want to actively reject packets and notify the sender, use the `prohibit` route:

```plaintext
# ip route add prohibit 222.0.111.0/24
```

The sender will receive an ICMP message indicating that the communication is administratively prohibited.

#### 3\. Combining with Routing Tables

For more complex setups, use separate routing tables to define filtration rules:

```plaintext
# echo "200 custom_table" >> /etc/iproute2/rt_tables
# ip rule add from 192.0.2.0/24 table custom_table
# ip route add blackhole 198.51.100.0/24 table custom_table
```

This setup allows granular control over which traffic is filtered.

---

### Advantages of Routing-Based Filtration

1. **Performance**: Stateless and efficient, ideal for high-throughput environments.
    
2. **Simplicity**: Easy to configure with minimal system overhead.
    
3. **Scalability**: Works seamlessly with dynamic routing protocols like BGP.
    
4. **Flexibility**: Supports a variety of actions, including blackhole, prohibit, and unreachable.
    

---

### Limitations

* **Layer 3 Only**: Works only on IP addresses and cannot inspect higher-layer protocols or payloads.
    
* **No Connection Tracking**: Cannot track or manage stateful connections.
    
* **Interface Dependency**: Requires careful consideration of interface-specific configurations, especially with RPF.
    

---

### Wrap

Using IP routing for packet filtration offers a lightweight and scalable alternative to traditional firewalls. Whether you're blocking unwanted traffic, mitigating DDoS attacks, or enforcing routing policies, routing-based filtration is a powerful tool in a network administrator's arsenal.

By combining this approach with features like Reverse Path Filtering and dynamic routing protocols, you can achieve efficient, high-performance traffic management across large networks.

---
