System: Calculating Subnets
Subnet and Network masks (Netmasks) are used for all sorts of tasks from firewalls to networking. It can be a time-consuming process to work out the appropriate netmask and subnet mask for different IP addresses. The form below makes it simple.
Netmask and Subnet Calculator
Enter two valid (and different) IPv4 addresses in the form below. It will calculate the most specific netmask and subnet mask that cover both addresses. If you have a range of IP address that appear to be from the same subnet, enter the lowest and highest for best results:
You can now paste an ip range ("A.B.C.D - E.F.G.H") into either field and it will be separated into a start and end address. Thanks to Andrew for the suggestion.
The calculated subnet mask will appear in the section below.
Netmask and subnet mask
The table below displays the two IP addresses you entered in binary format so you can see how they compare:
|1st address||01010110 00111011 01110110 10010000 (18.104.22.168)|
|2nd address||01010110 00111011 01110110 10011111 (22.214.171.124)|
|Subnet mask||126.96.36.199/28 (16 addresses)|
The netmask indicates the number of bits that they have in common starting from the high (left) end.
The subnet mask defines the smallest subnet that contains both addresses. It's used mostly in network administration or when specifying ip address ranges to block using iptables (firewall).
Using a subnet in Fail2Ban
Supposing you've identified a range of IP addresses that you want to block from accessing HTTP/HTTPS ports, the iptables syntax is as follows:
/sbin/iptables -I INPUT -s XX.229.168.64/27 -p tcp --match multiport --dports http,https -j DROP
This will add a rule at the top of your INPUT chain to DROP any traffic to the web server coming from the designated subnet.
Using a netmask in hosts.allow or hosts.deny
For programs such as SSH that are compiled with tcp_wrappers you can block or allow a range of IP addresses using the netmask:
This will block the same range as the Fail2Ban example above. Note that this does not (normally) apply to Apache, and may be deprecated in some systems.