
How can I define null route on Windows Server 2008 R2 Standard?

I've tried

x.x.x.x is the target IP which I'm trying to block
1.1.1.1 is a non-existent IP
192.168.1.1 is the default gateway; 192.168.1.254 is a non-existent IP on the same subnet

route add x.x.x.x mask 255.255.255.255 1.1.1.1
route add x.x.x.x mask 255.255.255.255 1.1.1.1 if 1
route add x.x.x.x mask 255.255.255.255 192.168.1.1
route add x.x.x.x mask 255.255.255.255 192.168.1.1 if 1
route add x.x.x.x mask 255.255.255.255 192.168.1.254
route add x.x.x.x mask 255.255.255.255 192.168.1.254 if 1

Nothing works. Ping is still working and other connections are still working.

newbie123_
    What do you get in response to `route print`? You can also try to set a low metric for this route. – MBu Sep 23 '13 at 12:37
  • I am curious as to why you want to do this? I see the benefit, but much like the poster below, a firewall is often a better solution (but certainly not the only one). – MikeAWood Sep 25 '13 at 06:27

4 Answers

3

First remove all routes you added previously. Then do route print and in the first part of the output check the interface number of the Software Loopback Interface (I guess that in your case it is not number 1).

Then add the following route:

route add x.x.x.x mask 255.255.255.255 g.g.g.g if L

Where:

  • x.x.x.x is the IP address you want to block
  • g.g.g.g is the IP address of your current default gateway
  • L is the interface number of Software Loopback Interface
MBu
    To add, it should always be `if 1`. No need for the metric to be honest, and be sure and add `-p` to make it persistent across reboots. – TheCleaner Sep 23 '13 at 13:21
    You are right. I removed `metric 1`, thanks. The Loopback should be number 1, but I heard rumblings that it is not always 1 and @newbie123_ states he tried a route with default gateway and `if 1`. Maybe he did not remove previously added routes. – MBu Sep 23 '13 at 13:29
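As an added example (not MBu's or TheCleaner's code) of the procedure in this answer, the following PowerShell 2.0-compatible script reads `route print`, picks out the Software Loopback Interface number and the current IPv4 default gateway, and builds the persistent host route. The function names `Get-RouteFacts` and `Add-NullRoute` are mine, and the column layout it parses is the one Windows 7 / Server 2008 R2 print; check the regexes against your own `route print` output before relying on it.

```powershell
# Added example: derive "g.g.g.g" and "L" from `route print` and add the null route.
# Run from an elevated prompt; without -Apply the command is only displayed.

function Get-RouteFacts {
    # Parse `route print` for the loopback interface number and the default gateway.
    $lines = route print
    $lo = $null
    $gw = $null
    foreach ($line in $lines) {
        # Interface list row, e.g. "  1...........................Software Loopback Interface 1"
        if ($lo -eq $null -and $line -match '^\s*(\d+)\.{3}.*Software Loopback Interface') {
            $lo = [int]$Matches[1]
        }
        # Default route row, e.g. "          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10     10"
        if ($gw -eq $null -and $line -match '^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\d{1,3}(?:\.\d{1,3}){3})') {
            $gw = $Matches[1]
        }
    }
    if ($lo -eq $null) { throw 'Software Loopback Interface not found in route print output' }
    if ($gw -eq $null) { throw 'No IPv4 default route found in route print output' }
    New-Object PSObject -Property @{ LoopbackIndex = $lo; DefaultGateway = $gw }
}

function Add-NullRoute {
    param(
        [Parameter(Mandatory=$true)][string]$Address,   # single host to black-hole (x.x.x.x)
        [switch]$Apply                                  # actually run `route add` instead of just printing it
    )
    $facts = Get-RouteFacts
    # /32 host route via the default gateway, bound to the loopback interface:
    # anything sent to $Address is handed to interface L and dropped there.
    $cmd = "route -p add $Address mask 255.255.255.255 $($facts.DefaultGateway) if $($facts.LoopbackIndex)"
    Write-Host $cmd
    if ($Apply) {
        route -p add $Address mask 255.255.255.255 $facts.DefaultGateway if $facts.LoopbackIndex
        # Verify: the new row should list the loopback interface number
        route print $Address
    }
}

# Usage (203.0.113.45 is a documentation address used here as a placeholder):
#   Add-NullRoute -Address 203.0.113.45          # show the command only
#   Add-NullRoute -Address 203.0.113.45 -Apply   # add the persistent route
```

Two things to keep in mind when relying on this: the route only stops this host from sending packets to x.x.x.x, so the remote side's packets still reach the stack and still appear in logs, but TCP sessions from it cannot complete because every reply is routed into the loopback interface; and `route delete x.x.x.x` is the undo, which is worth scripting alongside the add so stale entries do not accumulate.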
1

route -p add 172.16.0.0 mask 255.255.0.0 0.0.0.0

The destination (0.0.0.0) is the "unconfigured" IP address, or a route to nowhere. The result: the host will not be able to communicate with anything in the private address block 172.16.0.0/16. If you have another route that is more specific in that same address range, the more specific route takes precedence. For example, also having this route:

route -p add 172.16.20.0 mask 255.255.255.0 (gateway ip)

...would allow the host to communicate with any IP address in this range (172.16.20.0/24) but continue to block any other address in 172.16.0.0/16.

Poor man's firewall...

Thomas
-1

Why don't you use the firewall? You can define an inbound or an outbound rule and block all connections from/to the address. You must open Advanced Firewall: Inbound connections, New rule, Custom, All programs, in Protocols choose Any, and put the address or network you want to block.

I think it's the best option for blocking an address.

-1

I have used this way to block people trying to hack our database server. I created an application that checks for IPs that have made so many database connections with wrong credentials and automatically adds these IPs to the blocking route. I am not a network expert, I'm a programmer basically, but this did stop the hacker and he gave up. Doing this manually was impossible as he was changing the IP he was using to try to hack the server. I was unable to do this with our firewall.
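As an added example serving both the firewall answer and this one (it is my code, not the answerer's application), here is a PowerShell 2.0-compatible sketch of that automation: it counts failed database logins per source address in a log, skips addresses on an allowlist so the script can never lock out your own networks, and blocks each repeat offender either with the null route from the accepted answer or with the `netsh advfirewall` equivalent of the GUI rule in the firewall answer. The log lines are constructed for the example in a SQL Server-style "Login failed" format; the function names, the `-Gateway`/`-LoopbackIndex` defaults and the allowlist pattern are all assumptions to replace with your own values.

```powershell
# Added example: automatic blocking of addresses with repeated failed logins.
# Nothing is enforced unless -Apply is passed; by default the commands are only printed.

# Constructed sample log lines (not real data); adjust the regex below to your server's format.
$SampleLog = @(
    "2013-09-23 12:01:05 Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 198.51.100.7]",
    "2013-09-23 12:01:06 Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 198.51.100.7]",
    "2013-09-23 12:01:07 Login failed for user 'admin'. Reason: Password did not match. [CLIENT: 198.51.100.7]",
    "2013-09-23 12:03:40 Login failed for user 'report'. Reason: Password did not match. [CLIENT: 192.168.1.55]",
    "2013-09-23 12:03:41 Login failed for user 'report'. Reason: Password did not match. [CLIENT: 192.168.1.55]",
    "2013-09-23 12:03:42 Login failed for user 'report'. Reason: Password did not match. [CLIENT: 192.168.1.55]",
    "2013-09-23 12:05:11 Login succeeded for user 'app'. [CLIENT: 192.168.1.20]"
)

function Get-RepeatOffenders {
    param(
        [string[]]$LogLines,
        [int]$Threshold = 3,                       # failures before an address is blocked
        [string[]]$Allowlist = @('192.168.1.*')    # wildcard patterns (assumed) that are never blocked
    )
    $counts = @{}
    foreach ($line in $LogLines) {
        if ($line -match 'Login failed .*\[CLIENT: (\d{1,3}(?:\.\d{1,3}){3})\]') {
            $ip = $Matches[1]
            if ($counts.ContainsKey($ip)) { $counts[$ip]++ } else { $counts[$ip] = 1 }
        }
    }
    $offenders = @()
    foreach ($ip in $counts.Keys) {
        if ($counts[$ip] -lt $Threshold) { continue }
        $trusted = $false
        foreach ($pattern in $Allowlist) { if ($ip -like $pattern) { $trusted = $true } }
        if (-not $trusted) { $offenders += $ip }
    }
    return $offenders
}

function Block-Address {
    param(
        [Parameter(Mandatory=$true)][string]$Address,
        [ValidateSet('Route','Firewall')][string]$Method = 'Firewall',
        [string]$Gateway = '192.168.1.1',   # assumed: default gateway from `route print`
        [int]$LoopbackIndex = 1,            # assumed: Software Loopback Interface number from `route print`
        [switch]$Apply
    )
    if ($Method -eq 'Route') {
        # Persistent null route via the loopback interface, as in the accepted answer.
        $cmd = "route -p add $Address mask 255.255.255.255 $Gateway if $LoopbackIndex"
    } else {
        # netsh form of the GUI rule: inbound, any program, any protocol, block one remote address.
        # The rule name has no spaces so the command needs no extra quoting.
        $cmd = "netsh advfirewall firewall add rule name=Block_$Address dir=in action=block remoteip=$Address"
    }
    Write-Host $cmd
    if ($Apply) { Invoke-Expression $cmd }
}

# With the sample log, only 198.51.100.7 is reported: 192.168.1.55 also reaches
# three failures but matches the allowlist, and 192.168.1.20 only succeeded.
foreach ($ip in (Get-RepeatOffenders -LogLines $SampleLog -Threshold 3)) {
    Block-Address -Address $ip -Method Firewall     # add -Apply to enforce; -Method Route for the null route
}
```

The undo for each method is `route delete <address>` and `netsh advfirewall firewall delete rule name=Block_<address>`; an unattended blocker should record what it added and age entries out, since a source that rotates addresses will otherwise leave an ever-growing list of rules behind.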