# [SOLVED] 192.168.67.129/254 syntax and iptables-restore

## urcindalo

Hi! I want to allow any connection to the local box from IP addresses within the range 192.168.67.[129-254] in iptables (Gentoo AMD64):

```
[ebuild   R   ] net-firewall/iptables-1.3.5-r4  USE="extensions ipv6 -imq -l7filter -static" 0 kB
```

However, if I insert a line like this in my /etc/iptables.conf file:

```
-A INPUT -s 192.168.123.129/254 -j ACCEPT
```

it is rejected by iptables-restore:

```
user@localhost /etc $ sudo iptables-restore iptables.conf

iptables-restore v1.3.5: invalid mask `254' specified

Error occurred at line: 57

Try `iptables-restore -h' or 'iptables-restore --help' for more information.
```

Thus, I'm forced to include individually all the IPs I need within the range above.

What is the correct syntax? I see the syntax I'm using everywhere....

Thanks in advance.

Last edited by urcindalo on Sat Dec 16, 2006 8:56 am; edited 1 time in total

----------

## gimpel

That's because the thing after the / is the subnet mask, and /254 is not a valid value for a subnet mask.

.128/25 would be .128 -.256 in the upper half of a 24bit subnet afaik.

maybe 

```
iptables -m iprange --dst-range IP-IP
```

works?

----------

## timeBandit

 *urcindalo wrote:*   

> Hi! I want to allow any connection to the local box from IP addresses within the range 192.168.67.[129-254].
> 
> Which is the correct syntax? I see everywhere the syntax I'm just using....  


The number following the stroke is the width in bits of the subnet mask. A dotted-quad address represents four octets (eight-bit bytes), so masking 254 of a possible 32 bits obviously won't work.

In your example, your subnet mask comprises the first three octets plus the high bit of the fourth: 25 bits. The range you tried to specify would be properly written as 192.168.67.128/25.

EDIT: oops, just noticed the second line of gimpel's post. Ah well.

----------

## gimpel

Yeah, edited. Sorry.

----------

## urcindalo

Thank you, guys.

I've changed it to 192.168.67.128/25 and iptables-save shows now:

```
-A INPUT -s 192.168.67.128/255.255.255.128 -j ACCEPT
```

Is this correct? Doesn't it do just the opposite of what I want? I mean, I interpret it as allowing any connection from *.*.*.128

Please excuse my utter ignorance regarding these issues.

----------

## heavydwitstyle

Hi,

The /25 mask is correct because it's specifying that only clients with IP addresses in the .129 - .254 range of the last octet can connect.

- Heavy-D

----------

## Chris W

The thing to remember is that 192.168.67.128/25 is specifying a network.  Any machine with the same 25 most significant bits in its IP address as this mask has is in the network, others are not.

Spelt out in binary we have:

```
Your specified network

1100 0000  1010 1000  0100 0011  1000 0000 = 192.168.67.128

1111 1111  1111 1111  1111 1111  1000 0000 = 25 bits of mask

bitwise AND

1100 0000  1010 1000  0100 0011  1000 0000 = network id

Another address:

1100 0000  1010 1000  0100 0011  1000 0110 = 192.168.67.134

1111 1111  1111 1111  1111 1111  1000 0000 = 25 bits of mask

bitwise AND

1100 0000  1010 1000  0100 0011  1000 0000 = same result as above therefore same network

Another address:

1100 0000  1010 1000  0100 0011  0111 0111 = 192.168.67.119

1111 1111  1111 1111  1111 1111  1000 0000 = 25 bits of mask

bitwise AND

1100 0000  1010 1000  0100 0011  0000 0000 = Different result therefore not same network

```

You should avoid using the all-zeroes and all-ones addresses within a subnet as they are used to ID the network and for subnet broadcast respectively. In this case that is the .128 and .255 addresses.
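The following is an added example, not code from this thread or from the iptables project. It carries out the three things the replies above describe in one runnable script: timeBandit's "width of the mask in bits" reading of `/25` (and why `/254` is rejected), Chris W's bitwise-AND membership test on the same addresses, and gimpel's `-m iprange` alternative. It also makes one caveat concrete that the thread leaves implicit: `192.168.67.128/25` covers `.128` through `.255`, two addresses more than the requested `.129`-`.254`, so a rule that must match exactly that range needs either several CIDR blocks or one `iprange` match. The only non-standard-library assumption is the iptables rule syntax in the generated strings; the `-m iprange --src-range` form is the source-side counterpart of the `--dst-range` option gimpel mentions.

```python
"""Added example: CIDR prefixes vs. inclusive address ranges for iptables.

Only the Python standard library is used. The addresses are the ones the
thread discusses (192.168.67.128/25, .134, .119); nothing here is taken
from the original posts' code.
"""
import ipaddress


def to_bits(addr: str) -> str:
    """Render a dotted quad as four 8-bit groups, as in Chris W's table."""
    return " ".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(addr).packed)


def prefix_mask(prefix_len: int) -> int:
    """Integer mask with the top prefix_len of 32 bits set (25 -> 255.255.255.128)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length {prefix_len} is outside 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def parse_network(spec: str):
    """Parse an iptables-style addr/mask; None when the mask is invalid (e.g. /254).

    Both the bit-count form (/25) and the dotted form iptables-save prints
    (/255.255.255.128) are accepted.
    """
    try:
        return ipaddress.IPv4Network(spec, strict=False)
    except ValueError:
        return None


def same_network(addr: str, network: str) -> bool:
    """Chris W's check: AND both addresses with the mask and compare the results."""
    net = ipaddress.IPv4Network(network, strict=False)
    mask = prefix_mask(net.prefixlen)
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(net.network_address) & mask)


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Smallest list of CIDR blocks covering exactly first..last (inclusive)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def cidr_rules(first: str, last: str, chain: str = "INPUT", target: str = "ACCEPT") -> list[str]:
    """One iptables-restore line per CIDR block; matches the range and nothing else."""
    return [f"-A {chain} -s {cidr} -j {target}" for cidr in range_to_cidrs(first, last)]


def iprange_rule(first: str, last: str, chain: str = "INPUT", target: str = "ACCEPT") -> str:
    """Single rule using the iprange match (source-side form of gimpel's suggestion)."""
    return f"-A {chain} -m iprange --src-range {first}-{last} -j {target}"


if __name__ == "__main__":
    print("invalid mask /254 parses as:", parse_network("192.168.67.129/254"))
    print("/25 mask:", ipaddress.IPv4Address(prefix_mask(25)))
    for addr in ("192.168.67.128", "192.168.67.134", "192.168.67.119", "192.168.67.255"):
        print(f"{addr:16} {to_bits(addr)}  in /25: {same_network(addr, '192.168.67.128/25')}")
    print("exact .129-.254 as CIDR:")
    for line in cidr_rules("192.168.67.129", "192.168.67.254"):
        print(" ", line)
    print("or:", iprange_rule("192.168.67.129", "192.168.67.254"))
```

Running it shows `.128` and `.255` reported as inside `192.168.67.128/25`, and twelve `-s` rules (`.129/32` up to `.254/32`) for the exact range; for a hand-maintained `iptables.conf` the single `iprange` rule is usually easier to audit than twelve CIDR lines.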

----------

## urcindalo

Thanks again for the explanations.

Now things are "clearer than water" to me, as the Spanish saying goes.

 *Chris W wrote:*   

> 
> 
> ```
> Your specifed network
> 
> ...


This one is the kind of explanation I was waiting for. Thank you so much.

----------

