
Madone_SL_5.5 12-06-2007 11:05 AM

Understanding CIDR notation for iptables
 
I live in university dorms on a campus and connect through the university network to the internet. My IP address is assigned by DHCP.

My personal web server is located at a remote location, and I use PuTTY SSH to connect to it frequently. What I'd really like is to make a rule in iptables that allows ssh connection attempts only from my computer; however, since my IP address changes often, I will just make a rule that allows attempts from any possible campus address. That at least limits potential bogus connection attempts to several thousand people instead of several billion.

Now, I am a bit confused about how to do this. From what I can tell, my IP address always begins with 137 or 138. I'd have to pay closer attention for a while to see which other numbers remain fixed in my address. So for now I have settled with the range 137.0.0.1 to 138.255.255.255. That probably covers a lot more than just my campus here, but it's okay for now.

I have used an entry such as:

Quote:

iptables -A INPUT -p tcp -d server.mydomain.com --sport 22 -m iprange --src-range 137.0.0.1-138.255.255.255 -j ACCEPT
which results in the following rule:

Quote:

ACCEPT tcp -- anywhere server.mydomain.com tcp spt:ssh source IP range 137.0.0.1-138.255.255.255
I'd like for the rule to read:

Quote:

ACCEPT tcp -- xxx.xxx.xxx.xxx/xx server.mydomain.com tcp spt:ssh
which would require an entry such as:

Quote:

iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx/xx -d server.mydomain.com --sport 22 -j ACCEPT
I believe that what I'm referring to is CIDR notation. Is that right?

So I have two questions: Would there be any difference in the performance of the latter rule over the former? What would be the correct CIDR notation for that IP range?

I'd even be willing to learn how to do it myself (heaven forbid) so that I can modify it by myself in the future, but I have found several online tutorials to be a bit vague.

acid_kewpie 12-06-2007 02:42 PM

i wouldn't use iptables myself, but tcpwrappers: http://closedsrc.org/_static/dn-arti...sts_allow.html

much simpler. you'd do well to properly utilize the other parts of ssh though... use a private key instead of a password to authenticate, then it doesn't matter who connects from wherever, if they don't have your key, they'll never get in...

also as a note in your iptables code, it's the destination port that is 22, not the source port. and the correct CIDR would be /8: 12345678.xxxxxxxx.xxxxxxxx.xxxxxxxx

osor 12-06-2007 08:03 PM

Quote:

Originally Posted by acid_kewpie (Post 2982460)
and the correct CIDR would be /8: 12345678.xxxxxxxx.xxxxxxxx.xxxxxxxx

No, in fact there is no “correct CIDR” notation for the range you supplied (137.0.0.1-138.255.255.255). In CIDR notation, the number following the slash is the number of bits which belong to the “network part” of the address. If you say 137.0.0.0/8, it means that the first 8 bits are set in the netmask (i.e., it is 255.0.0.0). So to determine the notation to describe a network with a given number of bits and a representative IP address, you just mask it (using a bitwise AND of the IP with the netmask).

For example, suppose I want to know the correct notation for the network of 137.123.123.123/8. Then I would do a bitwise and like so:
Code:

 137.123.123.123 = 10001001.01111011.01111011.01111011
&255.000.000.000 = 11111111.00000000.00000000.00000000
 137.000.000.000 = 10001001.00000000.00000000.00000000

Suppose, on the other hand, that you are given a network such as 137.0.0.0/8 and want to figure out the corresponding range. Well you must keep the first 8 bits constant, and can vary the other 24 bits (all numbers like 10001001.xxxxxxxx.xxxxxxxx.xxxxxxxx). Effectively this means that you must keep the same first number, but can change the other three numbers (i.e., all numbers from 137.0.0.0 to 137.255.255.255). Well, this is too small a range for us. What about the next-largest network (one with the first 7 bits set)? Let’s talk about 137.0.0.0/7 (or more correctly 136.0.0.0/7). This means that the first 7 bits will stay constant and the other 25 bits are changeable (all numbers like 1000100x.xxxxxxxx.xxxxxxxx.xxxxxxxx). This translates to IPs where the first number is 136 or 137 and the rest of the numbers vary. This is still not the correct range, but it is the correct size. If you want a network containing the range you specified, you’ll have to go one size bigger (to 6 bits). Now, you have any number like 100010xx.xxxxxxxx.xxxxxxxx.xxxxxxxx (and the CIDR notation is 136.0.0.0/6). Unfortunately, the range is now twice the size that you intended, but it does contain all of the desired range. So the range corresponding to 136.0.0.0/6 is 136.0.0.0-139.255.255.255.

As for performance, it is obviously easier for a computer to match a range in CIDR notation than an arbitrary range. However, when your CIDR notation range is unnecessarily twice as large, it is a trade off.
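The masking and "go one size bigger" procedure from the post above, worked through in a small added Python script (not code from the thread): it ANDs an address with a netmask, finds the smallest single CIDR block that covers an arbitrary range by keeping only the leading bits the two endpoints share, and, for comparison, lists the exact set of blocks that would be needed to allowlist the range with no extra addresses. The range 137.0.0.1-138.255.255.255 is the one from the thread; function names are the script's own.

```python
import ipaddress


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def network_address(ip: str, prefix_len: int) -> str:
    """Bitwise AND of the address with a /prefix_len netmask (the 137.123.123.123/8 step)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(ip_to_int(ip) & mask))


def smallest_covering_block(first: str, last: str) -> str:
    """Smallest single CIDR block containing every address from first to last.

    Shorten the prefix one bit at a time until both endpoints agree on the
    remaining leading bits; the extra addresses that drags in are the price
    of expressing a non-aligned range as one block.
    """
    a, b = ip_to_int(first), ip_to_int(last)
    if a > b:
        raise ValueError("range start is after range end")
    prefix_len = 32
    while prefix_len > 0 and (a >> (32 - prefix_len)) != (b >> (32 - prefix_len)):
        prefix_len -= 1
    return f"{network_address(first, prefix_len)}/{prefix_len}"


def exact_cover(first: str, last: str) -> list:
    """Minimal list of CIDR blocks that match the range exactly (one iptables rule each)."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def block_range(cidr: str) -> tuple:
    """First and last address of a CIDR block (the reverse direction of the post)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def extra_addresses(cidr: str, first: str, last: str) -> int:
    """How many addresses the single block accepts beyond the intended range."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return net.num_addresses - (ip_to_int(last) - ip_to_int(first) + 1)


if __name__ == "__main__":
    first, last = "137.0.0.1", "138.255.255.255"  # the range asked about in the thread
    block = smallest_covering_block(first, last)
    print(block, block_range(block), "extra:", extra_addresses(block, first, last))
    print(len(exact_cover(first, last)), "blocks for an exact match")
```

The exact cover needs 25 separate blocks for this range, which is why a single oversized block (or the iprange match) is the usual compromise.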

farslayer 12-06-2007 09:35 PM

ipcalc can be your friend while you are learning subnetting and CIDR notation..

Code:

debianetch:~$ ipcalc 137.0.0.1/8
Address:  137.0.0.1            10001001. 00000000.00000000.00000001
Netmask:  255.0.0.0 = 8        11111111. 00000000.00000000.00000000
Wildcard:  0.255.255.255        00000000. 11111111.11111111.11111111
=>
Network:  137.0.0.0/8          10001001. 00000000.00000000.00000000
HostMin:  137.0.0.1            10001001. 00000000.00000000.00000001
HostMax:  137.255.255.254      10001001. 11111111.11111111.11111110
Broadcast: 137.255.255.255      10001001. 11111111.11111111.11111111
Hosts/Net: 16777214              Class B



debianetch:~$ ipcalc 137.0.0.1/7
Address:  137.0.0.1            1000100 1.00000000.00000000.00000001
Netmask:  254.0.0.0 = 7        1111111 0.00000000.00000000.00000000
Wildcard:  1.255.255.255        0000000 1.11111111.11111111.11111111
=>
Network:  136.0.0.0/7          1000100 0.00000000.00000000.00000000
HostMin:  136.0.0.1            1000100 0.00000000.00000000.00000001
HostMax:  137.255.255.254      1000100 1.11111111.11111111.11111110
Broadcast: 137.255.255.255      1000100 1.11111111.11111111.11111111
Hosts/Net: 33554430              Class B


acid_kewpie 12-07-2007 02:11 AM

Quote:

Originally Posted by osor (Post 2982715)
No, in fact there is no “correct CIDR” notation for the range you supplied (137.0.0.1-138.255.255.255).

ok, how much to pretend i didn't misread it? really did think it was just 137.0.0.0 :)

osor 12-07-2007 10:26 AM

Quote:

Originally Posted by acid_kewpie (Post 2982928)
really did think it was just 137.0.0.0 :)

I figured that’s what you were thinking.
