
Apache Web Server Forum

How to block an IP range using Apache .htaccess
Trying to confirm a thorough example.
JAB Creations

jab_creations (WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member)

Msg#: 3546 posted 10:30 am on May 12, 2005 (gmt 0)

For some time I've been trying to figure out how to block IP ranges (some may search for deny ip block) by using the full beginning and ending IP addresses. I am a simple man and do not possess an engineering degree, nor am I mechanically inclined. So when I learn, I learn by a simple yet direct way of explaining things.

Now I know to block a single ip address you use this...

deny from

I did a little reading and a ton of searching and have concluded to block an ip range of - you should use...

deny from

My understanding is that 18.0.0 through 18.0.255 is represented as 0/255 (that which denotes that portion of the IP as beginning and ending using JUST that quarter portion of the IP address in order to make a perceived range).

Now to expand, if the range is greater and say we want to block a range of to you should use...

deny from 67.18/19

This takes the second set (out of which could be 0-255) and chooses (18-19 and all their subsets) to be included in the ip address range.

I just want to know if everything I stated is correct and, if not (be it in full or in part), what I am wrong about and how it really works.



jdmorgan (WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member)

Msg#: 3546 posted 6:14 pm on May 12, 2005 (gmt 0)

This stuff is rather complex. It involves converting the octets (the groups of numbers delimited by the periods) of the address or address range to binary, and then generating a "mask" that is used during comparison of the incoming address and the specified allow/deny directives.

A basic example would be that you want to deny through

In binary (use the Windows calculator or equivalent) that is 11000000.10101000.11000000.00000000 through 11000000.10101000.11111111.11111111

Having derived that, you now need to generate either a netmask or a CIDR. The easiest way to do it is to line up the start/end addresses vertically, and then examine them to see which bits change between the first and last address of the range. Then mark those that don't change with ones and those that do with zeroes:


This yields the netmask, which when converted back to decimal octets is

To get a CIDR, you count the number of ones from the left, in this case 18.

So, you would use

Deny from (Network/Netmask pair -or-
Deny from (Network/nnn CIDR specification

Note that when the netmask contains trailing octets containing all zeroes, you can simply leave them off and use a simple partial IP address.

An example would be through, which could be specified as a partial IP address as:

Deny from 172.0.0.

For more information, do a search for "Netmask" and "CIDR." There are also several online netmask and CIDR generators available. In addition, if you look up your problem IP addresses in ARIN, the CIDR value is often given in the data record containing that IP address.

Unfortunately, this is as simple as it gets.
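The compare-the-bits procedure from the post above, as an added example that is not part of the original thread. It starts from the two binary addresses quoted in the post, and it also goes one step further by checking whether a range is a single aligned block, because a mask derived from an unaligned range blocks more addresses than intended. The function names and the second, unaligned range are constructed for illustration.

```python
import ipaddress

def from_binary(dotted_bits):
    """Parse a dotted binary IPv4 string like the ones quoted in the post."""
    octets = [str(int(bits, 2)) for bits in dotted_bits.split(".")]
    return ipaddress.IPv4Address(".".join(octets))

def mask_by_comparison(first, last):
    """Line up first/last: unchanged leading bits become 1, the rest 0.

    Everything right of the leftmost changing bit is cleared as well,
    since a netmask is a contiguous run of ones from the left.
    """
    differing = int(first) ^ int(last)
    host_bits = differing.bit_length()      # bits from leftmost change down
    netmask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    return ipaddress.IPv4Address(netmask), 32 - host_bits

def is_single_block(first, last):
    """True only if first..last is exactly the network the mask describes."""
    netmask, prefix_len = mask_by_comparison(first, last)
    base = ipaddress.IPv4Address(int(first) & int(netmask))
    net = ipaddress.IPv4Network(f"{base}/{prefix_len}")
    return net[0] == first and net[-1] == last

def deny_lines(first, last):
    """Deny directives covering first..last exactly, split if unaligned."""
    nets = ipaddress.summarize_address_range(first, last)
    return [f"Deny from {net}" for net in nets]

# Range taken from the binary values in the post.
POST_FIRST = from_binary("11000000.10101000.11000000.00000000")
POST_LAST = from_binary("11000000.10101000.11111111.11111111")

# Constructed unaligned range (documentation address space) for contrast.
ODD_FIRST = ipaddress.IPv4Address("192.0.2.10")
ODD_LAST = ipaddress.IPv4Address("192.0.2.20")

if __name__ == "__main__":
    for first, last in ((POST_FIRST, POST_LAST), (ODD_FIRST, ODD_LAST)):
        mask, prefix = mask_by_comparison(first, last)
        print(first, "-", last, "mask", mask, "prefix", prefix,
              "single block:", is_single_block(first, last))
        print("\n".join(deny_lines(first, last)))
```

For the unaligned range the single mask would cover 32 addresses instead of 11, so the exact answer is several smaller Deny lines rather than one.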



10+ Year Member

Msg#: 3546 posted 6:16 pm on May 12, 2005 (gmt 0)

I'm not personally familiar with that syntax; it /may/ work (and testing it is easy enough). However, I'd probably use the notation described in mod_access's allow documentation [httpd.apache.org]. For more information on netmasks and Classless Internet Domain Routing, I'd suggest googling on "cidr blocks" [google.com].
