!linux · @emotional_soup_88__dup_21417@programming.dev on programming.dev
The behavior of /24 vs /32 addresses when using iptables
I added a rule to accept connections from 192.168.1.135/24, since my router is configured to hand out /24 addresses. Then, iptables -L -v showed that connections from 192.168.1.0/24 are accepted. When I change the rule to accept connections from .135/32, or from .135 without specifying the subnet, it not only works as intended, but it also resolves the hostname correctly. Why? (Unsolicited "why do you still use iptables" advice not welcome :D)
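Added example, written for this page and not taken from the thread or from iptables itself: the mask arithmetic behind the behaviour described in the question. Netfilter compares only the bits the mask covers, so a rule written as -s 192.168.1.135/24 is stored and printed as 192.168.1.0/24 and matches every host in that range, while /32 (or a bare address, which iptables treats as /32) matches exactly one host. The sample source addresses are constructed.

```python
"""Illustration of how an iptables `-s ADDR/PREFIX` match works.

This is not iptables code. It reproduces the test netfilter applies,
(src & mask) == (rule_addr & mask), and the normalisation that
`iptables -L -v` shows (host bits cleared). Addresses are constructed."""

import ipaddress
from typing import Iterable, List, Tuple


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00, /32 -> 0xFFFFFFFF, /0 -> 0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad IPv4 prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def parse_spec(spec: str) -> Tuple[int, int]:
    """Split 'ADDR[/PREFIX]' into (address as int, mask as int).
    A bare address is /32, exactly as iptables treats it."""
    addr, _, prefix = spec.partition("/")
    plen = int(prefix) if prefix else 32
    return ip_to_int(addr), prefix_to_mask(plen)


def normalise_rule(spec: str) -> str:
    """What iptables stores and prints for `-s spec`: the address with the
    host bits cleared, so '192.168.1.135/24' becomes '192.168.1.0/24'."""
    addr, mask = parse_spec(spec)
    plen = bin(mask).count("1")
    return f"{ipaddress.IPv4Address(addr & mask)}/{plen}"


def source_matches(spec: str, src: str) -> bool:
    """Netfilter's source-address test: only the masked bits are compared.
    With /24 the last octet is irrelevant; with /32 every bit must match."""
    addr, mask = parse_spec(spec)
    return (ip_to_int(src) & mask) == (addr & mask)


def accepted_sources(spec: str, candidates: Iterable[str]) -> List[str]:
    """Subset of candidate source IPs an `-s spec -j ACCEPT` rule would hit."""
    return [c for c in candidates if source_matches(spec, c)]


# Constructed sample traffic (not from the thread).
SOURCES = ["192.168.1.135", "192.168.1.214", "192.168.1.0",
           "192.168.2.135", "10.0.0.5"]

if __name__ == "__main__":
    for spec in ("192.168.1.135/24", "192.168.1.135/32", "192.168.1.135"):
        print(f"-s {spec:17} stored as {normalise_rule(spec):17} "
              f"matches {accepted_sources(spec, SOURCES)}")
```

So iptables -A INPUT -s 192.168.1.135/24 -j ACCEPT and iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT are the same rule, and only a /32 singles out one host. Separately, iptables -L without -n attempts a reverse DNS lookup for every address it prints; a network address such as 192.168.1.0 normally has no PTR record and is shown numerically, whereas a single host address may resolve to a name. Use iptables -L -v -n to see the raw addresses.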
@jrgd@lemmy.zip on lemmy.zip
Routing and firewalling are a bit different in terms of why certain CIDR masks are used. For the router, the /24 prefix is usually defined for itself on the LAN interface to denote the address space it may send route information to, and what addresses are controlled by the device. Almost certainly (unless using a lower CIDR range and actually handing out /24 blocks to subsequent routers), you are granting /32 IPv4 addresses to your device from your router.

For your system firewall, 192.168.1.135/24 is identical to 192.168.1.0/24, as they are the same address space. You're simply specifying a subnet of hosts to accept from. Given that the /24 mask is 255.255.255.0, it does not matter what the last number of the IPv4 address is, but the lowest possible number to match the mask is the standard form.

Without knowing what rule(s) specifically are being applied, I couldn't tell you if your firewall rules are something that would affect hostname resolution of other hosts from your system or not.
@emotional_soup_88__dup_21417@programming.dev on programming.dev
If I may ask a follow-up question, just out of curiosity: I did an ip a on my phone, which is connected to the same router as the system whose firewall I was referring to in my original post, and it gave me:

inet 192.168.1.214/24 brd 192.168.1.255 scope global wlan0

Which, to my untrained eye, indicates that my phone's WiFi interface has been allotted the .214 address in the /24 space/subnet. But if I understand you correctly, this has to do with the above being routing related (how my phone reaches WAN), while my original post was about firewalling. And when it comes to firewalling, you specify a host with a mask of /32?
@CosmicGiraffe@lemmy.world on lemmy.world
You might want to use either a /24 address or a /32 address in a firewall rule, depending on what you're trying to do. The difference is that the /24 one refers to a set of IPs, while the /32 one applies to only one IP.

Say you're adding a firewall rule like iptables -A -s 192.168.1.123/32 -j ACCEPT. This will accept all traffic with the source IP 192.168.1.123. If instead you use iptables -A -s 192.168.1.123/24 -j ACCEPT, you'll accept all traffic with a source IP in the 192.168.1.123/24 subnet, which is all the IPs between 192.168.1.0 and 192.168.1.255.

In the case of your WiFi IP, the subnet does something different. It tells you which IP addresses you should expect to be able to contact directly, and which you need to contact via a router. 192.168.1.214/24 says that all the IPs between 192.168.1.0 and 192.168.1.255 can be reached directly, whereas IPs outside that range need to be sent to a router.

ip route will show you the routes a device knows about. It'll look something like this (simplifying a bit):

default via 192.168.1.1
192.168.1.0/24 dev wlan0 src 192.168.1.214

The first line is the default route, which is used when no more specific route exists. It says that you talk to these IPs by sending your traffic to 192.168.1.1 (your WiFi router) and it'll send it on from there. The second one says that for IPs in 192.168.1.0/24, you directly talk to them using your wlan0 interface.
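Added example, written for this page and not code from the thread, the kernel or iproute2: the route selection the reply above describes, run over a constructed two-line table modelled on the quoted ip route output, with dev wlan0 added to the default route as a real ip route line carries it. It also models the check the kernel applies when a "via" route is installed: the gateway must itself be covered by an on-link route (the onlink flag, which bypasses this, is not modelled). That check is why an interface configured with only a /32 address, as asked about in the follow-up question, cannot use 192.168.1.1 as its default gateway without an extra on-link route. Metrics, multiple tables and policy routing are left out.

```python
"""Longest-prefix route lookup over a constructed IPv4 routing table.

Illustration only: not kernel code and not iproute2. Assumes a single
table, no metrics and no policy rules. The routes are the two lines
quoted in the thread, plus `dev wlan0` on the default route."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network      # destination range ("default" = 0.0.0.0/0)
    dev: str                           # outgoing interface
    via: Optional[str] = None          # next-hop router; None means on-link
    src: Optional[str] = None          # preferred source address, if listed


def parse_route(line: str) -> Route:
    """Parse one `ip route` line of the form
    '<dest> [via GW] [dev IF] [src ADDR]' (keyword/value pairs only)."""
    tokens = line.split()
    dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    kw = dict(zip(tokens[1::2], tokens[2::2]))
    return Route(prefix=ipaddress.ip_network(dest, strict=False),
                 dev=kw.get("dev", ""), via=kw.get("via"), src=kw.get("src"))


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: among routes whose prefix contains dst, the one
    with the longest mask wins, so 192.168.1.0/24 beats default (/0)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def gateway_on_link(table: List[Route], gw: str) -> bool:
    """A gateway is usable only if some on-link (no `via`) route covers it.
    The kernel enforces this when the `via` route is added."""
    r = lookup(table, gw)
    return r is not None and r.via is None


def next_hop(table: List[Route], dst: str) -> Tuple[str, str]:
    """Return (address the frame is sent to, interface).
    On-link route: the destination itself is resolved with ARP.
    Via route: the frame goes to the gateway, which must be on-link."""
    r = lookup(table, dst)
    if r is None:
        raise LookupError(f"no route to {dst}")               # ENETUNREACH
    if r.via is None:
        return dst, r.dev
    if not gateway_on_link(table, r.via):
        raise LookupError(f"gateway {r.via} is not on-link")  # invalid nexthop
    return r.via, r.dev


# Constructed table: the two routes quoted above, with `dev wlan0` on the
# default route as a real `ip route` line would show.
ROUTE_LINES = [
    "default via 192.168.1.1 dev wlan0",
    "192.168.1.0/24 dev wlan0 src 192.168.1.214",
]
TABLE = [parse_route(line) for line in ROUTE_LINES]

# What the phone's table would look like if it had been given a /32 address:
# no on-link route for the LAN, so the default route's gateway is unreachable.
TABLE_SLASH32 = [parse_route("default via 192.168.1.1 dev wlan0")]

if __name__ == "__main__":
    for dst in ("192.168.1.135", "192.168.1.1", "1.1.1.1"):
        print(f"{dst:15} -> {next_hop(TABLE, dst)}")
```

With the /24 table, a LAN host and the router itself are reached directly on wlan0, and anything else is handed to 192.168.1.1. With only a /32 address the default route has no usable gateway, which is the practical reason the router hands out /24 addresses even though, for the firewall rule, /32 is what singles out one host.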
@emotional_soup_88__dup_21417@programming.dev on programming.dev · Mar 03
Thank you very much! :) Interesting why iptables behaves like that, though. Because, if I understand it correctly, specifying any address between 192.168.1.[0...255]/24 will result in all addresses in that range being accepted? So the only way to actually single out one host is to use the mask /32...?