skip to content

System: Calculating Subnets

Subnet and Network masks (Netmasks) are used for all sorts of tasks from firewalls to networking. It can be a time-consuming process to work out the appropriate netmask and subnet mask for different IP addresses. The form below makes it simple.

Netmask and Subnet Calculator

Enter two valid (and different) IPv4 addresses in the form below. It will calculate the most specific netmask and subnet mask that cover both addresses. If you have a range of IP address that appear to be from the same subnet, enter the lowest and highest for best results:

e.g. e.g.

You can now paste an ip range ("A.B.C.D - E.F.G.H") into either field and it will be separated into a start and end address. Thanks to Andrew for the suggestion.

The calculated subnet mask will appear in the section below.

Netmask and subnet mask

The table below displays the two IP addresses you entered in binary format so you can see how they compare:

1st address 01010110 00111011 01110110 10010000 (
2nd address 01010110 00111011 01110110 10011111 (
Subnet mask (16 addresses)

The netmask indicates the number of bits that they have in common starting from the high (left) end.

The subnet mask defines the smallest subnet that contains both addresses. It's used mostly in network administration or when specifying ip address ranges to block using iptables (firewall).

Using a subnet in Fail2Ban

Supposing you've identified a range of IP addresses that you want to block from accessing HTTP/HTTPS ports, the iptables syntax is as follows:

/sbin/iptables -I INPUT -s XX.229.168.64/27 -p tcp --match multiport --dports http,https -j DROP

This will add a rule at the top of your INPUT chain to DROP any traffic to the web server coming from the designated subnet.

Using a netmask in hosts.allow or hosts.deny

For programs such as SSH that are compiled with tcp_wrappers you can block or allow a range of IP addresses using the netmask:

sshd: XX.229.168.64/

This will block the same range as the Fail2Ban example above. Note that this does not (normally) apply to Apache, and may be deprecated in some systems.


< System

User Comments

Post your comment or question

22 April, 2024

Hi, thanks for the amazing tool.
I am writing one project where I need to find common subnet on giving two IPs.
This tool helped me a lot.
Can you please share the code for calculating
subnets that will calculate the most specific netmask and subnet mask that cover both addresses?

3 January, 2016

Thanks for this tool, incredibly useful but its been difficult to find one which can accept two IP's and work out the subnet mask (for iptables for example).

2 September, 2014

Nice tool. Thanks for writing it. It would be nicer if I could just plop in something like: -
instead of having to edit it and place it squarely in the provided boxes. That's the output returned by whois.

Thank you

The form supports that now