
How to block an IP range using Apache .htaccess

Trying to confirm a thorough example.

10:30 am on May 12, 2005 (gmt 0)

jab_creations (Senior Member from US, joined Aug 26, 2004, votes: 22)

For some time I've been trying to figure out how to block IP ranges (some may search for deny ip block) by using the full beginning and ending IP addresses. I am a simple man and do not possess an engineering degree nor am I mechanically inclined. So when I learn I learn by a simple yet direct way of explaining things.

Now I know to block a single IP address you use this...

deny from

I did a little reading and a ton of searching and have concluded to block an IP range of - you should use...

deny from

My understanding is that 18.0.0 through 18.0.255 is represented as 0/255 (that which denotes that portion of the IP as beginning and ending using JUST that quarter portion of the IP address in order to make a perceived range).

Now to expand, if the range is greater and say we want to block a range of to you should use...

deny from 67.18/19

This takes the second set (out of which could be 0-255) and chooses (18-19 and all their subsets) to be included in the IP address range.

I just want to know if everything I stated is correct and if not (be it in full or in part) what I am wrong about and how it really works.

6:14 pm on May 12, 2005 (gmt 0)

jdmorgan (Senior Member, joined Mar 31, 2002, votes: 0)

This stuff is rather complex. It involves converting the octets (the groups of numbers delimited by the periods) of the address or address range to binary, and then generating a "mask" that is used during comparison of the incoming address and the specified allow/deny directives.

A basic example would be that you want to deny through

In binary (use the Windows calculator or equivalent) that is 11000000.10101000.11000000.00000000 through 11000000.10101000.11111111.11111111

Having derived that, you now need to generate either a netmask or a CIDR. The easiest way to do it is to line up the start/end addresses vertically, and then examine them to see which bits change between the first and last address of the range. Then mark those that don't change with ones and those that do with zeroes:


This yields the netmask, which when converted back to decimal octets is

To get a CIDR, you count the number of ones from the left, in this case 18.

So, you would use

Deny from (Network/Netmask pair -or-
Deny from (Network/nnn CIDR specification

Note that when the netmask contains trailing octets containing all zeroes, you can simply leave them off and use a simple partial IP address.

An example would be through, which could be specified as a partial IP address as:

Deny from 172.0.0.

For more information, do a search for "Netmask" and "CIDR." There are also several online netmask and CIDR generators available. In addition, if you look up your problem IP addresses in ARIN, the CIDR value is often given in the data record containing that IP address.

Unfortunately, this is as simple as it gets.
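The mask derivation jdmorgan describes, carried out in code as an added example that is not part of the thread: keep the leading bits shared by the first and last address, count them for the CIDR prefix, and emit the Deny lines in the netmask, CIDR and partial-IP forms. The sample ranges are constructed (the first is the one whose binary form the reply shows); it also flags the case the reply does not mention, where a start/end range is not aligned to one block and the single-mask method blocks more addresses than asked for.

```python
import ipaddress

def covering_block(start: str, end: str):
    """Follow the reply's method: keep the leading bits that are identical in
    the first and last address (mask ones), drop the bits that change (mask
    zeroes); the number of ones is the CIDR prefix length. Returns the
    resulting network and whether it covers the range exactly (an unaligned
    range yields a larger block, i.e. over-blocking)."""
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    if lo > hi:
        raise ValueError("start address is above end address")
    prefix = 32
    # shrink the prefix until the remaining leading bits of lo and hi agree
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    net = ipaddress.IPv4Network((lo, prefix), strict=False)
    exact = int(net.network_address) == lo and int(net.broadcast_address) == hi
    return net, exact

def deny_directives(start: str, end: str):
    """Render the block in the three forms the reply mentions: network/netmask,
    network/CIDR and, when the mask ends on an octet boundary, the partial-IP
    shorthand (the reply writes it as '172.0.0.'; mod_access documents it
    without the trailing dot)."""
    net, exact = covering_block(start, end)
    lines = [f"Deny from {net.network_address}/{net.netmask}",
             f"Deny from {net.with_prefixlen}"]
    if net.prefixlen % 8 == 0 and 0 < net.prefixlen < 32:
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        lines.append("Deny from " + ".".join(octets))
    return lines, exact

def exact_blocks(start: str, end: str):
    """Exact cover of an arbitrary range as a list of CIDR blocks, for the
    case where the single-mask method would over-block."""
    rng = ipaddress.summarize_address_range(ipaddress.IPv4Address(start),
                                            ipaddress.IPv4Address(end))
    return [str(n) for n in rng]

if __name__ == "__main__":
    # constructed sample ranges; the first matches the binary shown in the reply
    for a, b in [("192.168.192.0", "192.168.255.255"),
                 ("172.0.0.0", "172.0.0.255"),
                 ("10.0.0.5", "10.0.0.20")]:
        lines, exact = deny_directives(a, b)
        print(a, "-", b, "exact" if exact else "OVER-BLOCKS", lines)
        if not exact:
            print("  exact cover:", exact_blocks(a, b))
```

When `exact` is False, use the list from `exact_blocks` (one Deny line per block) instead of the single mask, otherwise neighbouring addresses outside the range are blocked as well.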


6:16 pm on May 12, 2005 (gmt 0)

Preferred Member (10+ Year Member, joined Mar 1, 2005, votes: 0)

I'm not personally familiar with that syntax; it /may/ work (and testing it is easy enough). However, I'd probably use the notation described in mod_access's allow documentation [httpd.apache.org]. For more information on netmasks and Classless Internet Domain Routing, I'd suggest googling on "cidr blocks" [google.com].