this post was submitted on 03 Mar 2026
33 points (97.1% liked)
I added a rule to accept connections from 192.168.1.135/24, since my router is configured to hand out /24 addresses. Then, iptables -L -v showed that connections from 192.168.1.0/24 are accepted. When I change the rule to accept connections from .135/32 - or from .135 without specifying the subnet -, it not only works as intended, but it also resolves the hostname correctly.

Why?

unsolicited "why do you still use iptables" advice not welcome :D

[–] PowerCrazy@lemmy.ml 6 points 7 hours ago* (last edited 7 hours ago)

You need to understand subnetting. Allowing 192.168.1.0/24 also allows 192.168.1.135/24. In fact 192.168.1.135/24 shouldn't be valid syntax at all, but it is easier to accept it and then let subnet math fix the mistake.

I assume your router is 192.168.1.135 for whatever reason, so as long as your router is contained in the configured iptables allowed network, it'll work with all of the following networks.

192.168.1.135/32
192.168.1.134/31
192.168.1.132/30
192.168.1.128/29
192.168.1.128/28
192.168.1.128/27
192.168.1.128/26
192.168.1.128/25
192.168.1.0/24
192.168.0.0/23
... And 22 even larger networks.

If you don't configure a subnet mask for the rule, iptables will accept the IP address you put in as a single host, the /32 is implied. The same behavior would be seen using any kind of network filter, though they may not allow you to specify 192.168.1.135/24, they may require a bit boundary, but mathematically, it's the same.

[–] kittykillinit@lemy.lol 6 points 9 hours ago (1 children)

Fuck this shit is so complicated.

Don't worry and don't mind the downvote. It took me two years, this guy https://www.youtube.com/channel/UCJQJ4GjTiq5lmn8czf8oo0Q and this guy https://www.youtube.com/channel/UCKmU-GKiukM8LYjkJFb8oBQ to get an elementary grasp.

[–] hyacin@lemmy.ml 33 points 20 hours ago* (last edited 20 hours ago)

They're not "/24 addresses", it's a mask.

/32 references one specific host, it is a mask of all 1s.

/24 references 254 hosts, it is a mask of 75% 1s and 25% 0s.

https://www.geeksforgeeks.org/computer-networks/role-of-subnet-mask/

^ The illustrations here explain it way better than many words can.

[–] jrgd@lemmy.zip 13 points 20 hours ago* (last edited 19 hours ago) (2 children)

The routing and firewalling is a bit different in terms of why certain CIDR masks are used. For the router, the /24 suffix is usually defined for itself on the LAN interface to denote the address space it may send route information to, and what addresses are controlled by the device. Almost certainly, (unless using a lower CIDR range and actually handing out /24 blocks to subsequent routers,) you are granting /32 IPv4 addresses to your devices from your router.

For your system firewall, 192.168.1.135/24 is identical to 192.168.1.0/24 as they are the same address space. You're simply allowing from a subnet of hosts to accept from. Given the /24 mask is 255.255.255.0, it does not matter what the last number of the IPv4 address is, but the lowest possible number to match the mask is standard form. Without knowing what rule(s) specifically is being applied, I couldn't tell you if your firewall rules are something that would affect hostname resolution of other hosts from your system or not.

[–] emotional_soup_88@programming.dev 10 points 19 hours ago (1 children)

Just when you think you know something about networking, it turns out you don't know sh*t. XD

Thank you for your exquisite explanation and for immediately realizing what I had been misunderstanding!

[–] RIotingPacifist@lemmy.world 1 points 18 hours ago* (last edited 13 hours ago) (1 children)

I'm not sure how useful this is, but it helped me understand.

The subnet mask is the count of the bits from the front that matter.

This is useful for switches and network equipment that only have to look at that much of the packet and route it quickly.

So a 10.0.0.0/8 address the switch only looks at the first 8 binary digits (also called an octet) and routes it based on that.

This also works for non-multiple-of-8 masks, as it's an operation done on a binary level (it's a mask using a binary AND, so only bits that are true in both the IP and the mask matter).

10.192.0.0/10

IP: 00001010.11000000.00000000.00000000

Mask: 11111111.11 000000.00000000.00000000

So 10.192.0.1 and 10.192.255.255 look the same with their mask on

1: 00001010.11 000000.00000000.00000001

255: 00001010.11 111111.11111111.11111111

Mask: 11111111.11 000000.00000000.00000000

Result for both is: 00001010.11 000000.00000000.00000000

[–] scott@lem.free.as 2 points 14 hours ago (1 children)

Your masks are backward.

Ones on the left, zeroes on the right.

The mask is binary AND'd with the IP, leaving the leftmost octets alone.

[–] RIotingPacifist@lemmy.world 1 points 13 hours ago

That makes a lot more sense thanks

[–] emotional_soup_88@programming.dev 4 points 18 hours ago (2 children)

If I may ask a follow-up question, just out of curiosity: I did an ip a on my phone that is connected to the same router as the system whose firewall I was referring to in my original post, and it gave me: inet 192.168.1.214/24 brd 192.168.1.255 scope global wlan0. Which, to my untrained eye, indicates that my phone's WiFi interface has been allotted the .214 address in the /24 space/subnet.

But if I understand you correctly, this has to do with the above being routing related - how my phone reaches WAN -, while my original post was about firewalling. And when it comes to firewalling, you specify a host with a mask of /32?

[–] CosmicGiraffe@lemmy.world 3 points 17 hours ago (1 children)

You might want to use either a /24 address or a /32 address in a firewall rule, depending on what you're trying to do. The difference is that the /24 one refers to a set of IPs, while the /32 one applies to only one IP.

Say you're adding a firewall rule like iptables -A -s 192.168.1.123/32 -j ACCEPT. This will accept all traffic with the source IP 192.168.1.123. If instead you use iptables -A -s 192.168.1.123/24 -j ACCEPT, you'll accept all traffic with a source IP in the 192.168.1.123/24 subnet, which is all the IPs between 192.168.1.0 & 192.168.1.255.

In the case of your WiFi IP, the subnet does something different. It tells you which IP addresses you should expect to be able to contact directly, and which you need to contact via a router. 192.168.1.214/24 says that all the IPs between 192.168.1.0 & 192.168.1.255 can be reached directly, whereas IPs outside that range need to be sent to a router.

ip route will show you the routes a device knows about. It'll look something like this (simplifying a bit):

default via 192.168.1.1
192.168.1.0/24 dev wlan0 src 192.168.1.214

The first line is the default route, which is used when no more specific route exists. It says that you talk to these IPs by sending your traffic to 192.168.1.1 (your wifi router) and it'll send it on from there.

The second one says that for IPs in 192.168.1.0/24, you directly talk to them using your wlan0 interface.
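The subnet math that PowerCrazy's list of containing networks, RIotingPacifist's binary-AND walkthrough and the /32-vs-/24 rule above all describe, as an added example that is not code from the thread. It hand-rolls the mask AND so the normalisation of 192.168.1.135/24 to 192.168.1.0/24 is visible, and cross-checks against Python's stdlib ipaddress module; the function names are this example's own.

```python
import ipaddress  # stdlib; used only to cross-check the hand-rolled math


def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix: int) -> int:
    """/prefix -> mask with `prefix` leading 1 bits (e.g. /24 -> 0xFFFFFF00)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def normalize_cidr(cidr: str) -> str:
    """The network a rule like '192.168.1.135/24' actually matches.
    A bare address gets the implied /32 that iptables assumes."""
    ip, _, prefix = cidr.partition("/")
    plen = int(prefix) if prefix else 32
    network = ip_to_int(ip) & prefix_mask(plen)  # the AND strips the host bits
    return f"{int_to_ip(network)}/{plen}"


def matches(rule_cidr: str, src_ip: str) -> bool:
    """True if src_ip falls inside the rule's network (what -s checks per packet)."""
    ip, _, prefix = rule_cidr.partition("/")
    mask = prefix_mask(int(prefix) if prefix else 32)
    return ip_to_int(src_ip) & mask == ip_to_int(ip) & mask


def containing_networks(ip: str) -> list:
    """Every network that contains ip, from /32 outward to /0."""
    return [normalize_cidr(f"{ip}/{p}") for p in range(32, -1, -1)]


def bits(n: int) -> str:
    """Dotted binary, in the layout of the hand-written table above."""
    return ".".join(format((n >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))


def same_as_stdlib(cidr: str) -> bool:
    """Cross-check: does our normalisation agree with ipaddress?"""
    return normalize_cidr(cidr) == str(ipaddress.ip_network(cidr, strict=False))


if __name__ == "__main__":
    for rule in ("192.168.1.135/24", "192.168.1.135/32", "192.168.1.135"):
        print(f"{rule:18} -> {normalize_cidr(rule)}")
    print(bits(ip_to_int("10.192.255.255") & prefix_mask(10)))
```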

[–] emotional_soup_88@programming.dev 1 points 17 hours ago (1 children)

Thank you very much! :)

Interesting why iptables behaves like that though. Because, if I understand it correctly, specifying any address between 192.168.1.[0...255]/24 will result in all addresses in that range being accepted? So, the only way to actually single out one host is to use the mask /32...?

[–] CosmicGiraffe@lemmy.world 3 points 15 hours ago (1 children)

Yes, exactly. The convention is to use the lowest address in the range (e.g. 192.168.1.0/24), since you're allowing a range of addresses rather than a single one.

The reason to do this is that many firewall rules will be based on sets of addresses - you might want to allow traffic from any device in your local network without having to add individual rules for each.

Tomorrow, at work, I'm gonna brag about what I have learned here today, until my colleagues' ears fall off.

Thanks again! :)

[–] jrgd@lemmy.zip 3 points 18 hours ago* (last edited 18 hours ago) (1 children)

Iproute2 definitely does write things a bit compactly. ip address show and its shorthands state the routed local address space (192.168.1.x/24) and the actual /32 address (192.168.1.214) you are assigned as one unit. Additionally, it shows the broadcast address for the space. Ironically, ip route show may genuinely give you less confusing information, clearly splitting the actual route and showing your straight IPv4 address as src.

Typically in firewalling, you'd use /32 to target a singular IPv4 host. This is analogous to using /128 for IPv6 hosts. You can absolutely use /24, /16, /8, or any other mask really if you need to target a range of IP addresses for a rule to apply to. Technically, /32 is a range itself, just with a size of 1. There are CIDR calculators available to play around and see what different CIDR masks actually target.

Sweet! Thanks for another clear explanation! Have a good rest of your day! :)