
My understanding is that 10.0.2.1/32 means 10.0.2.1 vs 10.0.2.1/24 means 10.0.2.1 to 10.0.2.255.

For example in /etc/network/interfaces, /24 is used when configuring static IPs.

But in /etc/iptables/rules.v4, -d 10.0.2.0/24 means any IP in the 255.255.255.0 subnet... which equals 10.0.2.0 to 10.0.2.255 right?

Sorry for the newbie question... I am confused!

sunknudsen
  • 701
  • 3
  • 14
  • 28
  • Thanks Michael, but that answer is for rocket scientists. Can someone please answer this as if I were 5? I’m sure others will be thankful. – sunknudsen Aug 07 '20 at 21:20
  • 2
    That is the ELI5 explanation. – Michael Hampton Aug 07 '20 at 21:22
  • What about an ELI1 then? Trust me Michael, I spend thousands of hours teaching technology to people... that answer is still too meta. But thanks for pointing it out... I will jump into the rabbit hole. – sunknudsen Aug 07 '20 at 21:33
  • @MichaelHampton Please see answers below and consider not closing this question. – sunknudsen Aug 07 '20 at 21:53
  • Do you happen to know what a netmask is (eg 255.255.255.0)? If so, a /xx is an abbreviated way of writing a netmask – davidgo Aug 08 '20 at 08:56
  • @davidgo Thanks for helping out. I do, but don’t understand why `/24` is used when configuring a static IP in `/etc/network/interfaces` and `/32` when targeting a single IP in iptables. Both use cases seemingly are for single IPs... Perhaps that's the part I don’t understand, as Krackout pointed out in his answer. – sunknudsen Aug 08 '20 at 10:00
  • The number after the / is equivalent to the number of 1s in the netmask, so /24 = 11111111.11111111.11111111.00000000 = 255.255.255.0 and similarly a /32 is 255.255.255.255. – davidgo Aug 08 '20 at 10:54
  • In the case of the /24 it says this IP is part of this network, so it's equivalent to saying this IP is X.X.X.X, its network is X.X.X.0 and its netmask is 255.255.255.0, all in one shortish statement. (All it doesn't have is a gateway.) – davidgo Aug 08 '20 at 10:56

2 Answers

1

In simple terms, 10.0.2.1/32 means that you set 10.0.2.1 on your network interface but you are alone, the whole network is just your IP.

On the other hand, setting 10.0.2.1/24 means that your IP is 10.0.2.1 and the IP range 10.0.2.0-10.0.2.255 is a known, familiar, reachable block of IPs; no gateway (that is, another network device) needed to reach it.

One real scenario of /32 subnet setting is in firewall rules, if you want just one IP to be allowed or blocked, not a range. In most cases typing just the IP in a firewall rule assumes /32. You wouldn't use it in a PC's network interface for everyday use.

Krackout
  • 1,575
  • 7
  • 20
  • Thanks for your help! Does this mean that using `/32` in `/etc/network/interfaces` would break connectivity to the rest of the network? Please see update question for context. – sunknudsen Aug 07 '20 at 21:39
  • 1
    Yes, it would break connectivity. Regarding 10.0.2.0/24 in iptables rules: That actually means the 10.0.2.0-10.0.2.255 range (.0 represents the network, .255 broadcast - packet sent everywhere; they cannot be assigned to net devices). But 10.0.2.1/24 in `/etc/network/interfaces` is not the same; it means setting IP 10.0.2.1, subnet mask 255.255.255.0 on the net interface. – Krackout Aug 07 '20 at 21:47
  • So this is confusing in the context of `/etc/network/interfaces` vs iptables right? The `/` notation has different meaning. – sunknudsen Aug 07 '20 at 21:51
  • No, it's not different meaning; you'll have to dive a bit to understand it. Remember, `.0` represents the whole network, it's not an ordinary IP. That's the difference. On the other hand, on other subnet masks, `/23` for example, `.0` can also be an ordinary IP, so be careful on assumptions! Not easy to explain further in a comment. – Krackout Aug 07 '20 at 22:02
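The points made in this answer and its comments (a /n prefix is just a shorthand for a netmask, the same /24 describes an interface's on-link range in `/etc/network/interfaces` and a match range in an iptables rule, /32 is a one-address network, and under a /23 an address ending in .0 can be an ordinary host) can be checked with Python's standard `ipaddress` module. The script below is an added example, not code from either answer; the addresses are the ones used in the question and all function names are my own.

```python
"""Worked check of what /n means for interface config vs. firewall rules.

Uses only the standard library. Sample addresses are taken from the
question (10.0.2.x); the function names are invented for this example.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def prefix_to_netmask(prefix: int) -> str:
    """Dotted-quad netmask for a /prefix, e.g. 24 -> 255.255.255.0."""
    return str(IPv4Network(f"0.0.0.0/{prefix}").netmask)


def prefix_to_binary_mask(prefix: int) -> str:
    """Netmask as davidgo wrote it: /24 -> 11111111.11111111.11111111.00000000."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # top `prefix` bits set
    octets = [(mask >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return ".".join(f"{o:08b}" for o in octets)


def describe_interface(cidr: str) -> dict:
    """What `address X/n` in /etc/network/interfaces means for the host.

    The host keeps the full address X; the /n only says which block of
    addresses is directly reachable without going through a gateway.
    """
    iface = IPv4Interface(cidr)
    net = iface.network
    return {
        "address": str(iface.ip),
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "on_link_addresses": net.num_addresses,
    }


def rule_matches(rule_cidr: str, packet_dst: str) -> bool:
    """Does an iptables `-d rule_cidr` match a packet to packet_dst?

    iptables masks off the host bits of the rule address, so 10.0.2.1/24
    and 10.0.2.0/24 describe the same range; strict=False mirrors that.
    """
    return IPv4Address(packet_dst) in IPv4Network(rule_cidr, strict=False)


def is_ordinary_host(iface_cidr: str, addr: str) -> bool:
    """True if addr is inside the interface's network and is neither the
    network address nor the broadcast address (the two you can't assign)."""
    net = IPv4Interface(iface_cidr).network
    a = IPv4Address(addr)
    return a in net and a not in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    for p in (32, 24, 23):
        print(f"/{p:<2} = {prefix_to_binary_mask(p)} = {prefix_to_netmask(p)}")
    for cidr in ("10.0.2.1/32", "10.0.2.1/24", "10.0.2.1/23"):
        print(cidr, describe_interface(cidr))
    print("-d 10.0.2.0/24 matches 10.0.2.200:", rule_matches("10.0.2.0/24", "10.0.2.200"))
    print("-d 10.0.2.1/32 matches 10.0.2.2:  ", rule_matches("10.0.2.1/32", "10.0.2.2"))
    print("10.0.3.0 ordinary host under /23:", is_ordinary_host("10.0.2.1/23", "10.0.3.0"))
    print("10.0.2.0 ordinary host under /24:", is_ordinary_host("10.0.2.1/24", "10.0.2.0"))
```

Running it shows that `10.0.2.1/32` on an interface gives a network whose only member is `10.0.2.1` itself (network and broadcast both equal the address), which is why it breaks reachability to the rest of the LAN, while the same `/24` mask in a firewall rule simply selects the 256-address block.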
1

When your interfaces file has something like address 192.0.2.1/24, that specifies the address and the "netmask" (in the form of the /n network prefix length) all in one go.

Previously, the interfaces file would have had separate address 192.0.2.1 and netmask 255.255.255.0 entries in that same situation. It's simply a modernization to consistently use the /n notation.

Håkan Lindqvist
  • 35,011
  • 5
  • 69
  • 94