I added a rule to accept connections from 192.168.1.135/24, since my router is configured to hand out /24 addresses. Then, iptables -L -v showed that connections from 192.168.1.0/24 are accepted. When I change the rule to accept connections from .135/32 (or from .135 without specifying the subnet), it not only works as intended, but it also resolves the hostname correctly.

Why?

unsolicited “why do you still use iptables” advice not welcome :D

  • CosmicGiraffe@lemmy.world · 3 upvotes · 1 day ago

    You might want to use either a /24 address or a /32 address in a firewall rule, depending on what you’re trying to do. The difference is that the /24 one refers to a set of IPs, while the /32 one applies to only one IP.

    Say you’re adding a firewall rule like iptables -A INPUT -s 192.168.1.123/32 -j ACCEPT. This will accept all traffic with the source IP 192.168.1.123. If instead you use iptables -A INPUT -s 192.168.1.123/24 -j ACCEPT, you’ll accept all traffic with a source IP in the 192.168.1.123/24 subnet, which is all the IPs between 192.168.1.0 & 192.168.1.255.

    In the case of your WiFi IP, the subnet does something different. It tells you which IP addresses you should expect to be able to contact directly, and which you need to contact via a router. 192.168.1.214/24 says that all the IPs between 192.168.1.0 & 192.168.1.255 can be reached directly, whereas IPs outside that range need to be sent to a router.

    ip route will show you the routes a device knows about. It’ll look something like this (simplifying a bit):

    default via 192.168.1.1
    192.168.1.0/24 dev wlan0 src 192.168.1.214

    The first line is the default route, which is used when no more specific route exists. It says that you talk to these IPs by sending your traffic to 192.168.1.1 (your wifi router) and it’ll send it on from there.

    The second one says that for IPs in 192.168.1.0/24, you directly talk to them using your wlan0 interface.
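The route selection described in the two lines above, as an added example that is not part of the comment: a small longest-prefix-match lookup over the same two-entry table. The outgoing interface of the default route is an assumption (the comment's simplified output omits it), as are the destination addresses used in the demo.

```python
"""Route lookup modelled on the two-line `ip route` table above.

Added example, not the commenter's code. The kernel picks the most
specific (longest-prefix) route that contains the destination; the
default route (0.0.0.0/0) is the least specific and only wins when
nothing else matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix; 0.0.0.0/0 is "default"
    dev: str                        # outgoing interface
    via: Optional[str] = None       # gateway; None means on-link (deliver directly)


# Constructed table mirroring the comment. The interface on the default
# route is assumed to be wlan0 (the comment's simplified output omits it).
#   default via 192.168.1.1
#   192.168.1.0/24 dev wlan0 src 192.168.1.214
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "wlan0", via="192.168.1.1"),
    Route(ipaddress.ip_network("192.168.1.0/24"), "wlan0"),
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> Route:
    """Return the most specific route whose prefix contains dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    # Longest prefix length wins, exactly as the kernel's FIB lookup does.
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop(dst: str, routes: List[Route] = ROUTES) -> str:
    """Address the packet is actually handed to on the wire.

    On-link destinations are delivered to the host itself; anything else
    goes to the gateway named in the winning route.
    """
    route = lookup(dst, routes)
    return route.via if route.via is not None else dst


if __name__ == "__main__":
    # Constructed sample destinations: two inside the /24, two outside.
    for dst in ("192.168.1.50", "192.168.1.255", "192.168.2.7", "8.8.8.8"):
        r = lookup(dst)
        how = "directly" if r.via is None else f"via {r.via}"
        print(f"{dst:15} -> {r.prefix} dev {r.dev}, sent {how}")
```

Note that 192.168.2.7 falls outside the /24 and so is sent to the router even though it looks like a "nearby" private address; the prefix length, not the first three octets, decides what is on-link.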

    • emotional_soup_88@programming.dev OP · 1 upvote · 1 day ago

      Thank you very much! :)

      Interesting why iptables behaves like that though. Because, if I understand it correctly, specifying any address between 192.168.1.[0…255]/24 will result in all addresses in that range being accepted? So, the only way to actually single out one host is to use the mask /32…?

      • CosmicGiraffe@lemmy.world · 3 upvotes · 1 day ago

        Yes, exactly. The convention is to use the lowest address in the range (e.g. 192.168.1.0/24), since you’re allowing a range of addresses rather than a single one.

        The reason to do this is that many firewall rules will be based on sets of addresses - you might want to allow traffic from any device in your local network without having to add individual rules for each.
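Why 192.168.1.135/24 and 192.168.1.0/24 are the same rule, and why only /32 singles out one host, comes down to the mask arithmetic the OP's question and the two replies above describe. The following is an added example (not the commenters' code, and not how iptables is implemented internally): it does the mask operation by hand so the "host bits are ignored" behaviour is visible. The sample rules and source addresses are constructed for the demo.

```python
"""Source-address matching the way a CIDR firewall rule does it.

Added example; not iptables' own code. A rule "a.b.c.d/N" keeps only the
top N bits of a.b.c.d (the network part) and compares them with the top N
bits of each packet's source address. The remaining 32-N host bits of the
rule address are discarded, which is why iptables -L displays
192.168.1.135/24 as 192.168.1.0/24.
"""
import socket
import struct
from typing import Tuple


def ip_to_int(ip: str) -> int:
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def netmask(prefixlen: int) -> int:
    """/24 -> 0xFFFFFF00, /32 -> 0xFFFFFFFF, /0 -> 0."""
    if not 0 <= prefixlen <= 32:
        raise ValueError(f"bad prefix length {prefixlen}")
    return (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF


def parse_rule(cidr: str) -> Tuple[int, int]:
    """Return (network bits, mask). A bare address means /32, as iptables assumes."""
    ip, _, plen = cidr.partition("/")
    prefixlen = int(plen) if plen else 32
    mask = netmask(prefixlen)
    return ip_to_int(ip) & mask, mask


def normalize(cidr: str) -> str:
    """What the rule looks like after host bits are cleared (as iptables -L shows it)."""
    net, mask = parse_rule(cidr)
    prefixlen = bin(mask).count("1")
    return f"{int_to_ip(net)}/{prefixlen}"


def matches(rule_cidr: str, src_ip: str) -> bool:
    """True if a packet from src_ip would match a `-s rule_cidr` rule."""
    net, mask = parse_rule(rule_cidr)
    return (ip_to_int(src_ip) & mask) == net


def hosts_covered(rule_cidr: str) -> int:
    """How many distinct source addresses the rule accepts."""
    _, mask = parse_rule(rule_cidr)
    return 2 ** (32 - bin(mask).count("1"))


if __name__ == "__main__":
    # Constructed rules: the OP's original /24 rule, the /32 fix, and a bare address.
    for rule in ("192.168.1.135/24", "192.168.1.135/32", "192.168.1.135"):
        print(f"rule -s {rule:19} is stored as {normalize(rule):19} "
              f"covering {hosts_covered(rule)} address(es)")
        for src in ("192.168.1.135", "192.168.1.7", "192.168.2.135"):
            print(f"    from {src:14} -> {'ACCEPT' if matches(rule, src) else 'no match'}")
```

A useful habit when auditing rules is to run each `-s`/`-d` argument through a normaliser like this before committing it: if the normalised form differs from what was typed (here 192.168.1.135/24 becoming 192.168.1.0/24), the rule is wider than the author intended, which is precisely the symptom the OP saw in `iptables -L -v`.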