For some time I've been trying to figure out how to block ip ranges (some may search for deny ip block) by using the full beginning and ending ip addresses. I am a simple man and do not possess an engineering degree nor am I mechanically inclined. So when I learn I learn by a simple yet direct way of explaining things.
Now I know to block a single ip address you use this...
deny from 220.127.116.11
I did a little reading and a ton of searching and have concluded to block an ip range of 18.104.22.168 - 22.214.171.124 you should use...
deny from 126.96.36.199/255
My understanding is that 18.0.0 through 18.0.255 is represented as 0/255 (that which denotes that portion of the ip as beginning and ending using JUST that quarter portion of the ip address in order to make a perceived range).
Now to expand, if the range is greater and say we want to block a range of 188.8.131.52 to 184.108.40.206 you should use...
deny from 67.18/19
This takes the second set (out of which could be 0-255) and chooses (18-19 and all their subsets) to be included in the ip address range.
I just want to know if everything I stated is correct and if not (be it in full or in part) what I am wrong about and how it really works.
This stuff is rather complex. It involves converting the octets (the groups of numbers delimited by the periods) of the address or address range to binary, and then generating a "mask" that is used during comparison of the incoming address and the specified allow/deny directives.
A basic example would be that you want to deny 192.168.192.0 through 192.168.255.255
In binary (use the Windows calculator or equivalent) that is 11000000.10101000.11000000.00000000 through 11000000.10101000.11111111.11111111
Having derived that, you now need to generate either a netmask or a CIDR. The easiest way to do it is to line up the start/end addresses vertically, and then examine them to see which bits change between the first and last address of the range. Then mark those that don't change with ones and those that do with zeroes:
This yields the netmask, which when converted back to decimal octets is 255.255.192.0
To get a CIDR, you count the number of ones from the left, in this case 18.
So, you would use
Deny from 192.168.192.0/255.255.192.0 (Network/Netmask pair) -or- Deny from 192.168.192.0/18 (Network/nnn CIDR specification)
Note that when the netmask contains trailing octets containing all zeroes, you can simply leave them off and use a simple partial IP address.
An example would be 220.127.116.11 through 18.104.22.168, which could be specified as a partial IP address as:
Deny from 172.0.0.
For more information, do a search for "Netmask" and "CIDR." There are also several online netmask and CIDR generators available. In addition, if you look up your problem IP addresses in ARIN, the CIDR value is often given in the data record containing that IP address.
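The bit-comparison method from the answer above, written out as an added example (not code from the thread or from Apache): it derives the netmask and CIDR prefix for a start/end range, reports how many extra addresses a single mask would deny when the range is not an exact block, and falls back to several exact blocks in that case. The function names and the sample ranges are my own.

```python
import ipaddress

def range_to_mask(start, end):
    """Smallest single CIDR block containing every address from start to end.
    Returns (network, netmask, prefix_len). Mirrors the manual method in the
    answer: leading bits shared by first and last address become ones."""
    s = int(ipaddress.IPv4Address(start))
    e = int(ipaddress.IPv4Address(end))
    if s > e:
        raise ValueError("start address must not be above end address")
    prefix = 32
    # Shorten the prefix until the two addresses agree on every kept bit.
    while prefix > 0 and (s >> (32 - prefix)) != (e >> (32 - prefix)):
        prefix -= 1
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(s & mask)),
            str(ipaddress.IPv4Address(mask)), prefix)

def excess_addresses(start, end):
    """How many addresses outside start..end a single-mask rule would also
    deny (0 means the range is exactly one CIDR block)."""
    _, _, prefix = range_to_mask(start, end)
    wanted = int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1
    return 2 ** (32 - prefix) - wanted

def partial_ip(start, end):
    """Partial-address form (first 1 to 3 octets) when the mask ends on an octet
    boundary, as in the 172.0.0 case above; None when it does not apply."""
    network, _, prefix = range_to_mask(start, end)
    if prefix % 8 != 0 or prefix in (0, 32) or excess_addresses(start, end):
        return None
    return ".".join(network.split(".")[: prefix // 8])

def apache_deny_lines(start, end):
    """'Deny from' lines that cover exactly start..end, split into several
    CIDR blocks when one mask would over-block (stdlib summarizer)."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    return [f"Deny from {net.with_prefixlen}"
            for net in ipaddress.summarize_address_range(first, last)]

if __name__ == "__main__":
    # Constructed sample ranges: the answer's exact block and a non-aligned one.
    for rng in (("192.168.192.0", "192.168.255.255"), ("10.0.0.0", "10.0.1.127")):
        print(rng, range_to_mask(*rng), "excess:", excess_addresses(*rng))
        print("\n".join(apache_deny_lines(*rng)))
```

The excess count is the check worth running before deploying a single mask: a non-zero value means the rule will also deny addresses you never intended to block.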
I'm not personally familiar with that syntax; it /may/ work (and testing it is easy enough). However, I'd probably use the notation described in mod_access's allow documentation [httpd.apache.org]. For more information on netmasks and Classless Internet Domain Routing, I'd suggest googling on "cidr blocks" [google.com].