diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion
index 1d111fa306..2866f10cfb 100644
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@@ -14,7 +14,7 @@ udp_ports: [ 1194 ]
 # drop incoming traffic from less trusted vpn hosts
 #
 custom_rules: [
-    '-A INPUT -s 192.168.100/0/24 -j REJECT --reject-with icmp-host-prohibited',
+    '-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited',
 ]
 #
 # allow a bunch of sysadmin groups here so they can access internal stuff