What is the biggest IP range you can block in a Firewall? Print

When you’re talking about blocking IP ranges in a firewall (like iptables, nftables, or CSF on AlmaLinux/CentOS/RHEL), the biggest block you can apply is the entire IPv4 or IPv6 address space, depending on what you want to achieve.

IPv4

• The largest CIDR block possible is:

   

  0.0.0.0/0

  This matches all IPv4 addresses (about 4.3 billion).

• In practice, admins usually block in smaller chunks (e.g., /8, /16, /24) to avoid unintentionally cutting off legitimate traffic.

• Example of blocking an entire /8 (16.7 million IPs):

   

  iptables -A INPUT -s 12.0.0.0/8 -j DROP

IPv6

• The largest block is:

   

  ::/0

  This covers all IPv6 addresses (a mind-boggling number, ~3.4×10³⁸).

• Similar logic applies: you can block entire subnets, like /32 or /48 depending on the target range.

Practical Guidance

• Use specific ranges whenever possible. Blocking 0.0.0.0/0 or ::/0 is essentially shutting down your server’s networking.

• Common large blocks:

  • /8 (huge, often too big unless you’re cutting out an entire provider or country)

  • /16 (65,536 IPs, good for ISP ranges)

  • /24 (256 IPs, typical for small networks)

???? So technically, the biggest IP range you can block is /0 (all IPs), but practically the largest useful range is usually /8 in IPv4 or /32–/48 in IPv6.

Here is a simple graph showing available IPs within a network: