Someone might attack your Linux based system. You can drop an attacker's IP using iptables. However, you can also use the route or ip command to null route unwanted traffic. A null route (also called a blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.

You can null route an address (much as some ISPs do to prevent your network device from sending any data to a remote system), stopping various attacks coming from a single IP (read: a spammer's or attacker's IP), using the following syntax on a Linux based system. Keep in mind what a null route actually does: it only affects packets routed to that address, so your host can no longer reply and TCP handshakes with the attacker never complete, but the attacker's packets still arrive on the network interface. Only when reverse path filtering is strict (net.ipv4.conf.all.rp_filter set to 1) does the kernel also discard incoming packets from that source, because the reverse lookup hits the null route.

Null route an IP using the route command

Suppose you want to block a bad IP (substitute the real address for IP-ADDRESS below). Type the following command at a shell prompt:
# route add IP-ADDRESS gw lo
You can verify it with either of the following commands:
# netstat -nr
# route -n
You can also use the reject target (a hat tip to Gabriele), which makes the kernel answer with an unreachable error instead of silently dropping the packet:
# route add -host IP-ADDRESS reject

To confirm the null routing status, use the ip command as follows; for a reject route the lookup fails instead of returning a path:
# ip route get IP-ADDRESS

RTNETLINK answers: Network is unreachable

To drop an entire subnet, type:
# route add -net NETWORK netmask NETMASK gw lo

Null routing using the ip command

The ip command can install a route whose type is blackhole: any lookup that resolves to it drops the packet. No ICMP is sent and no packet is forwarded. The same action exists in the routing policy database (RPDB): while traversing the RPDB, a lookup that matches a rule of the blackhole type also drops the packet, and because a rule can select on the source address, this is how you discard packets coming from an address rather than going to it. The syntax is as follows:
# ip route add blackhole IP-ADDRESS
# ip rule add from IP-ADDRESS blackhole
# ip route show
# ip rule show

How do I remove null routing? How do I remove a blocked IP address?

Simply use the route del command as follows. As several commenters found, a reject route must be deleted with the reject keyword repeated, otherwise route reports "SIOCDELRT: No such process":
# route del -host IP-ADDRESS
# route del -host IP-ADDRESS reject
Or use the ip command to delete the route or the rule:
# ip route del blackhole IP-ADDRESS
# ip rule del from IP-ADDRESS blackhole
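The whole procedure above (add the blackhole route, optionally the RPDB rule for inbound packets, check that the entry is present, and remove it again) as one small script. This is an added example and not code from the original post. It assumes iproute2 and root privileges; DRY_RUN=1 is a hypothetical switch that prints the ip commands instead of running them, and 203.0.113.9 and 198.51.100.0/24 are constructed documentation addresses used as sample input.

```shell
#!/bin/sh
# nullroute.sh: null route an attacker's address with the ip command, check
# that the entry is present, and remove it again. Added example, not code
# from the original post; assumes iproute2 and root. With DRY_RUN=1 it only
# prints the commands it would run (hypothetical switch for this example).

# valid_prefix ADDR[/LEN]: accept an IPv4 address or CIDR prefix and reject
# anything else. A hostname would be resolved at run time, which is how a
# typo turns into a blackholed DNS server or default gateway.
valid_prefix() {
    addr=${1%/*}
    len=${1#*/}
    [ "$len" = "$1" ] && len=32              # no "/" given: a single host
    case "$len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$len" -lt 1 ] || [ "$len" -gt 32 ]; then
        return 1                             # /0 would blackhole everything
    fi
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# block PREFIX [inbound]: add a blackhole route for PREFIX. That alone only
# drops packets routed *to* the address, i.e. your replies; the attacker's
# packets still enter the box unless rp_filter is strict. With "inbound" an
# RPDB rule is added too, so packets *from* PREFIX are dropped during the
# input route lookup regardless of the rp_filter setting.
block() {
    valid_prefix "$1" || { echo "refusing to route junk: $1" >&2; return 2; }
    run ip route add blackhole "$1" || return 1
    if [ "${2:-}" = inbound ]; then
        run ip rule add from "$1" blackhole || return 1
    fi
}

# unblock PREFIX [inbound]: undo block, in reverse order.
unblock() {
    valid_prefix "$1" || { echo "refusing to route junk: $1" >&2; return 2; }
    if [ "${2:-}" = inbound ]; then
        run ip rule del from "$1" blackhole || return 1
    fi
    run ip route del blackhole "$1"
}

# is_blackholed PREFIX: read "ip route show" output on stdin and succeed if a
# blackhole entry for PREFIX is present. ip prints a /32 without its length.
is_blackholed() {
    want=${1%/32}
    while read -r kind dst rest; do
        if [ "$kind" = blackhole ] && [ "$dst" = "$want" ]; then
            return 0
        fi
    done
    return 1
}

# Entry point: nullroute.sh add|del PREFIX [inbound], or nullroute.sh check PREFIX.
main() {
    case "${1:-}" in
        add)   block "$2" "${3:-}" ;;
        del)   unblock "$2" "${3:-}" ;;
        check) ip route show type blackhole | is_blackholed "$2" ;;
        *)     echo "usage: $0 add|del PREFIX [inbound] | check PREFIX" >&2; return 64 ;;
    esac
}

# Only dispatch when invoked with arguments, so the functions can be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

`sh nullroute.sh add 203.0.113.9 inbound` installs both the route and the rule, `sh nullroute.sh check 203.0.113.9` confirms the route is there, and `DRY_RUN=1 sh nullroute.sh del 203.0.113.9 inbound` shows the removal commands without running them. The inbound rule answers the rp_filter question raised in the comments: with reverse path filtering off, a plain blackhole route lets the attacker's packets reach your listening sockets and only eats your replies, whereas the `from ... blackhole` rule discards them at input. Neither entry survives a reboot, so run the script from your network startup configuration if the block has to persist.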

This is handy, as you do not have to touch your iptables rules. Remember the route man page's warning that this is not for firewalling: the routes and rules above are gone after a reboot unless you re-add them from your network startup configuration, and for anything beyond blocking a handful of addresses use iptables, or an automated tool such as fail2ban, instead.

41 comments… add one
  • timmy May 27, 2006 @ 13:57

    Heh, it’s kind of a nice feature, since it works, and isn’t something you just think of… I guess most people would block it in a FW…


  • Rohit Basu Feb 22, 2008 @ 7:06

    It’s a temporary solution…

    The permanent one is to find all the IPs which act as attackers and to apply the rule for all of them.

    Make a shell script for this.

    Use netstat to find out the max number of connections by each IP, sort them out and apply the above rule to all of them.

  • Gabriele Callari Feb 23, 2008 @ 15:17

    Nice idea, perhaps something like

    route add reject

    will do the same more elegantly?

    • Ian May 3, 2010 @ 22:32

      The reject is not more elegant; it’s better to black-hole them, certainly for discouraging attackers, as they have to wait for a timeout for a response.

  • 🐧 nixCraft Feb 23, 2008 @ 15:55


    The post has been updated. Thanks for pointing out reject option.

  • Gabriele Callari Feb 27, 2008 @ 13:14

    Thanks to you for the great site, and please note that, as the man page for route says, “This is NOT for firewalling”.

  • James Mar 30, 2008 @ 1:27

    I tried this
    route add gw lo

    and it fails on XP with the message
    route: bad gateway address gw

    Same error with this
    route add reject

    route: bad gateway address gw

    Copied exactly as you have posted.
    Any ideas?

  • 🐧 nixCraft Mar 30, 2008 @ 4:59


    These instructions were only tested on Linux.

  • carlos Jun 5, 2008 @ 21:47

    Please note that the syntax of the route command is different from Linux to Windows, but using the right syntax it surely must work.

    I think we all know that this kind of measure is for when we are in a hurry, not a definitive solution.

    Even though it can be a lifesaver on occasion.

    thanks for your work.

  • carlos Jun 5, 2008 @ 21:50

    by the way …

    Does somebody know what is the difference between the use of reject and the use of …. blackhole?


  • 🐧 nixCraft Jun 5, 2008 @ 22:36

    reject – send “Network is unreachable” message back to client.

    blackhole – No message sent back to client

  • carlos Jun 5, 2008 @ 23:37

    Thanks, Vivek.
    This is important to me, because I have to decide between these two commands.

    ..say… What would be more adequate for a hacker?

    Receiving a message saying “network is unreachable” or no message at all?

    Maybe “network is unreachable”?

    Or… no message…

    I am thinking. Any suggestion?

  • Kirrus Sep 13, 2008 @ 19:47

    Carlos: Blackhole is better.

  • SeBas Jan 23, 2009 @ 17:17

    I could not delete the rejected IP with the command given in the tutorial. I’m running Debian.
    # route delete
    SIOCDELRT: No such process

    But I was able to delete the rejected IP route with this command:
    # route del -host reject


  • Adam Mar 26, 2009 @ 18:11

    I liked the command used by SeBas to remove the block….

    It worked for me:
    route del -host reject

    got something to learn

  • zsentient Apr 1, 2009 @ 18:01

    So to make this persistent across reboots, what is the syntax for the /etc/sysconfig/network/routes file?

  • zsentient Apr 1, 2009 @ 18:51

    Thanks Vivek, not the answer I was looking for, but I am sure that would work:)

  • chika May 20, 2009 @ 21:42

    drop entire subnet
    # route add -net gw lo

    How do I enable it again?

  • Damien Jorgensen Aug 1, 2009 @ 20:08

    It’s sad how easy it is to forget simple commands like this when you don’t use them every day.

    Thanks for the blog, saved me a lot of hassle and now null routing works a treat.


  • Haji Aug 28, 2009 @ 17:49

    I want to block an inetnum IP range like – via the route add -net command. Which command must we use?

  • Haji Aug 29, 2009 @ 10:35

    Please give me the iptables usage for that.

  • Jackie Oct 22, 2010 @ 9:23

    Awesome tutorial! But when you reboot routes are erased.

    • Benny Feb 10, 2011 @ 16:42

      Take a look at ifroute.

  • Mr.Hien Apr 2, 2011 @ 14:58

    Using the routing policy database (RPDB) may work the same!
    Try it:

    ip rule add blackhole to

  • Piet Apr 10, 2011 @ 7:30

    I use this entry in a script.
    route add -net netmask reject

    But how can I drop this entry without rebooting my machine?

    • J. Dorn Aug 31, 2014 @ 22:34

      to remove this nullroute without a reboot use

      route del -net netmask

  • R. Novakov Mar 26, 2012 @ 7:29

    You can use this to prevent network.

    route add -net netmask reject

  • Brad Sep 17, 2013 @ 23:35

    fail2ban is a solution worth looking into. If on a Fedora based distro you will need the EPEL repositories. Install with apt-get on Debian or yum on Fedora/CentOS etc.
    Works fine, lasts a long time.

  • Web Hosting in Pakistan Sep 21, 2013 @ 17:28

    I’m getting this error after deleting a null-routed IP: already routed

    [root@vpanel ~]# route delete xxx.xx.xx.xx
    SIOCDELRT: No such process
    [root@vpanel ~]#

  • Pushkar Jul 9, 2014 @ 11:01

    Please try below command.

    # route del xxx.xx.xx.xx reject

  • Dave Lamb Dec 22, 2014 @ 17:43

    Using a null route is all good if you know the source IP range, but it quickly becomes unmanageable for an internet facing server. A better and more automated solution is fail2ban. Then configure the /etc/jail.conf file for the service you are protecting. In my case I have it protecting an SSH server. After 3 failed login attempts it automatically configures iptables to deny any new connections from the source IP.

    It has lots of options like permanently banning a source address or just blocking it for a short time frame. Exceptions and logging can be configured as well. Blocking after 3 failed attempts is enough to thwart most attacks.

  • Kristian Kirilov Dec 23, 2014 @ 7:26

    Do you understand what the line actually does?
    route add gw lo

    When a packet is received from it, it always gets connected to the host (if you have not dropped the packet with iptables); it is processed, and when it has to send the answer to with the needed data, the static route tells it to forward this packet to the loopback interface, so the packet never comes back to the (bad attacker host).

    Please correct me if I’m wrong.
    Thanks 😉

  • Rakesh Jan 22, 2016 @ 21:31

    @James the Windows command is
    route add -p <> mask <> 127.0.0.1

  • xeero 07 Feb 1, 2016 @ 18:56

    will this work if rp_filter is disabled?

  • LDR Feb 3, 2016 @ 14:02

    I don’t see the point of this, unless you don’t have iptables – a stretch. And the truth is, it is not significantly simpler than iptables, at what it does.

  • Seb Feb 3, 2016 @ 14:04

    Nice trick but…

    Not 100% sure but redirecting traffic to will redirect incoming packets to all programs listening on So for example incoming packets will reach mysql listening on Some programs are somewhat protected by listening only on and not on I would prefer the blackhole line over the redirect…

    Depending on firewall rules like iptables then you could have a real mess if you NAT all outgoing traffic.

    Last point: this is also dependent on ip_forward = 1.

    I would prefer a good firewall configuration on top of blackhole if this is really needed.

    my two cents…

    Have fun!

  • cybernard Feb 4, 2016 @ 4:39

    Automatic dynamic blocking

    ipset create banned_hosts hash:net family inet hashsize 65536 maxelem 200000 counters comment

    iptables -A input_ext -m set -j DROP --match-set banned_hosts src
    iptables -A input_ext -p tcp -m tcp -m multiport -m state --state NEW -j ban_me ! --dports 25,80,443
    ipset save >/somewhere/ipset
    ipset restore </somewhere/ipset

  • Kristian Kirilov Mar 20, 2016 @ 11:12

    Nice tutorial, thanks!

  • Maxime May 18, 2016 @ 21:19

    the “ip route” command does not support “from” and “to” keywords. The following does not work:
    # ip route add blackhole from
    # ip rule add blackhole to
