LinuxQuestions.org
Old 08-15-2011, 09:48 AM   #1
MathGuy
LQ Newbie
 
Registered: Aug 2011
Posts: 4

Rep: Reputation: Disabled
Slash Notation for IP Address Ranges


Hello,
I have a basic question regarding the slash notation for ip-address ranges:

How would the address range "128.0.0.0 to 128.0.0.50" be specified with slash notation?

Here's my guess:

128.0.0.0/27 (128.0.0.0 to 128.0.0.31, 32 ad.)
128.0.0.32/28 (128.0.0.32 to 128.0.0.47, 16 ad.)
128.0.0.48/31 (128.0.0.48 to 128.0.0.49, 2 ad.)
128.0.0.50/32 (or simply 128.0.0.50, 1 ad.)

32 + 16 + 2 + 1 = 51 ad. total

Note: ad. means "address" or "addresses"

I do not know if my guess is correct or if there is an easier way to represent the given address range. I'm trying to specify address ranges for my iptables firewall. Thanks for any help.

MathGuy
 
Old 08-15-2011, 10:34 AM   #2
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 4,666

Rep: Reputation: 1543
Actually you cannot specify 50 addresses using the slash notation, only 32 or 64.
http://www.akadia.com/services/ip_ro...subnet%20masks
 
1 members found this post helpful.
Old 08-15-2011, 10:39 AM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
@MathGuy:

Agree with the previous poster. I don't think that's going to work the way you are expecting. I recommend simply casting a wide net with 128.0.0.0/26. If the risk of including .50 - .63 is too great, then use a for loop in your filter script to explicitly drop those.

BTW, here are a couple of (closely related) handy references I keep bookmarked:
 
1 members found this post helpful.
Old 08-15-2011, 11:19 AM   #4
tommylovell
Member
 
Registered: Nov 2005
Distribution: Fedora, Redhat
Posts: 372

Rep: Reputation: 101
Quote:
Originally Posted by MathGuy View Post
Hello,
How would the address range "128.0.0.0 to 128.0.0.50" be specified with slash notation?
As allend already said, you can't specify an arbitrary address range. You can only specify a subnet.

anomie has offered good advice that I agree with, as well.

Slash notation is just a shorthand for specifying a subnet mask or a CIDR mask. It says how many contiguous '1' bits are in your mask (starting from the left, of course).
Code:
11111111 11111111 11111111 11100000   < this mask in binary 
  255   .  255   .  255   .  224      < is this mask in dotted decimal
/27                                   < is this mask in slash notation
I'm certain that you are familiar with this, because this
Quote:
Here's my guess:

128.0.0.0/27 (128.0.0.0 to 128.0.0.31, 32 ad.)
128.0.0.32/28 (128.0.0.32 to 128.0.0.47,16 ad.)
128.0.0.48/31 (128.0.0.48 to 128.0.0.49, 2 ad.)
128.0.0.50/32 (or simply 128.0.0.50, 1 ad.)
is absolutely correct.


As a piece of trivia, when people say subnet mask, they really are saying "network and subnet mask". As an example, the 128.0 network is class B. The first 16 bits of mask are the network mask; to the right of them, technically, are the subnet mask bits. I don't know where that info will ever come in handy except maybe in a geek bar bet.
 
1 members found this post helpful.
Old 08-15-2011, 01:13 PM   #5
MathGuy
LQ Newbie
 
Registered: Aug 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks guys. I'm looking over the info right now.
 
Old 08-15-2011, 03:43 PM   #6
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 878

Rep: Reputation: 184
Quote:
Originally Posted by tommylovell View Post
As a piece of trivia, when people say subnet mask, they really are saying "network and subnet mask". As an example, the 128.0 network is class B. The first 16 bits of mask are the network mask; to the right of them, technically, are the subnet mask bits. I don't know where that info will ever come in handy except maybe in a geek bar bet.
Hmm, this WAS the case. When routers only supported CLASSFUL routing the ip address range was divided into classes A,B,C etc. Any addresses with an address where the initial 3 bits are 10 would be considered a Class B address and given a mask of 255.255.0.0. This is a CONVENTION not a physical limitation of the numbers. Nowadays with classless routing you can apply a "classB" mask i.e. 255.255.0.0 to any network. The subnet mask is basically a sliding boundary that as you have said splits the address into network and host portions.

The reason you can't mask 50 addresses is that with each step in the mask 128,192,224 or if you like /25,/26,/27 (they mean the same thing) you unmask a bit and make it part of the host numbering. In the same way that each place position in a decimal number is a power of ten (1 digit = 10^1 = 10, 2 digits = 10^2 = 100, 3 digits = 10^3 = 1000 etc.), each extra binary digit you add to the host range is a power of two (1 bit = 2^1 = 2, 2 bits = 2^2 = 4, 3 bits = 2^3 = 8 etc.).

So /30 = 30 network bits, therefore 2 host bits and 2^2 = 4 host addresses
/28 = 28 network bits, therefore 4 host bits and 2^4 = 16 host addresses
/27 = 32 host addresses
/26 = 64 host addresses

So you can have 32 or 64 but nothing in between, because you are working with powers of 2.
 
1 members found this post helpful.
Old 08-16-2011, 09:40 AM   #7
MathGuy
LQ Newbie
 
Registered: Aug 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi guys,

I have taken some time to follow the links and to read each post in detail. Your responses definitely answer the question of whether or not it is possible to represent 50 contiguous ip addresses with a single CIDR block of the type <base ip>/<bitmask> (the answer is no), but I had something else in mind. After reading http://en.wikipedia.org/wiki/Variabl...subnet_masking, I realize that I was really trying to ask this question:

How can the following list of ip addresses be written as compactly as possible with CIDR blocks?

128.0.0.0
128.0.0.1
.
.
.
128.0.0.50

My goal is to avoid a lot of individual rules in my firewall. Rather than typing or generating the following 51 rules:

iptables -A INPUT -p tcp -s 128.0.0.0 -j DROP
iptables -A INPUT -p tcp -s 128.0.0.1 -j DROP
.
.
.
iptables -A INPUT -p tcp -s 128.0.0.50 -j DROP

I would prefer to type/generate only a few (5) rules:

iptables -A INPUT -p tcp -s 128.0.0.0/27 -j DROP
iptables -A INPUT -p tcp -s 128.0.0.32/28 -j DROP
iptables -A INPUT -p tcp -s 128.0.0.48/31 -j DROP
iptables -A INPUT -p tcp -s 128.0.0.50/32 -j DROP

or, even better to type/generate only a single rule:

iptables -A INPUT -p tcp -s 128.0.0.0/255.255.255.205 -j DROP

MathGuy

Last edited by MathGuy; 08-16-2011 at 09:56 AM.
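An added example, not code from any poster in this thread, that mechanises what baldy3105 explains in post #6 (a /N block always covers 2^(32-N) addresses) and what MathGuy worked out by hand in post #7 (the fewest CIDR blocks covering 128.0.0.0 to 128.0.0.50). The `drop_rules` helper and the chain name are assumptions for illustration; it only builds the rule strings, it does not run iptables.

```python
import ipaddress

def prefix_to_mask(prefix):
    """Slash notation -> dotted-decimal mask, e.g. /27 -> 255.255.255.224."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)

def hosts_in_prefix(prefix):
    """A /N block covers 2^(32-N) addresses: /27 -> 32, /26 -> 64, never 51."""
    return 2 ** (32 - prefix)

def range_to_cidrs(first, last):
    """Split the inclusive range first..last into the fewest CIDR blocks.

    Greedy: at each step take the largest power-of-two block that starts
    at the current address (so the address must be aligned to the block
    size) and does not run past `last`.  Aligned power-of-two blocks are
    exactly what slash notation can express, which is why 51 addresses
    need four blocks rather than one.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range must not be empty")
    blocks = []
    while start <= end:
        size = 1
        # Double the block while it stays aligned and inside the range.
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        prefix = 33 - size.bit_length()          # size == 2 ** (32 - prefix)
        blocks.append(f"{ipaddress.IPv4Address(start)}/{prefix}")
        start += size
    return blocks

def drop_rules(first, last, chain="INPUT"):
    """Hypothetical helper: one iptables DROP rule per CIDR block instead
    of one rule per address (constructed strings, nothing is executed)."""
    return [f"iptables -A {chain} -s {cidr} -j DROP"
            for cidr in range_to_cidrs(first, last)]

def matches_stdlib(first, last):
    """Cross-check our greedy split against the standard library's summariser."""
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                             ipaddress.IPv4Address(last))
    return range_to_cidrs(first, last) == [str(n) for n in nets]

if __name__ == "__main__":
    for rule in drop_rules("128.0.0.0", "128.0.0.50"):
        print(rule)
```

Running it prints four rules (/27, /28, /31, /32), the same split MathGuy arrived at by hand; for an arbitrary range the greedy loop generalises that hand calculation.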
 
Old 08-16-2011, 09:55 AM   #8
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 4,666

Rep: Reputation: 1543
I think you want to use ' --src-range 128.0.0.0-128.0.0.50' rather than '-s'
 
2 members found this post helpful.
Old 08-16-2011, 01:13 PM   #9
MathGuy
LQ Newbie
 
Registered: Aug 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
@allend
Thanks a ton! I searched the iptables man pages for the string you provided and found exactly what I needed. For other newbies, here's one way to block a range of ip addresses, e.g. the range 128.0.0.0-128.0.0.50:

iptables -A INPUT -m iprange --src-range 128.0.0.0-128.0.0.50 -j DROP
 
Old 08-16-2011, 05:55 PM   #10
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Good call. I don't think I was aware of the iprange match extension. (Or if I was aware, it has vanished from memory.)

Although I'd point out that the CIDR netmask replies are still legit!
 