diff --git a/app/authentication/auth.py b/app/authentication/auth.py
index b3e254b94..baadb32f0 100644
--- a/app/authentication/auth.py
+++ b/app/authentication/auth.py
@@ -44,6 +44,12 @@ def requires_no_auth():
 
 
 def restrict_ip_sms():
+    # Check route of inbound sms (Experimental)
+    # Temporary custom header for route security
+    if request.headers.get("X-Custom-forwarder"):
+        current_app.logger.info("X-Custom-forwarder {}".format(request.headers.get("X-Custom-forwarder")))
+
+    # Check IP of SMS providers
     ip = ''
     if request.headers.get("X-Forwarded-For"):
         # X-Forwarded-For looks like "203.0.113.195, 70.41.3.18, 150.172.238.178"
@@ -54,21 +60,29 @@ def restrict_ip_sms():
             ip = ip_list[len(ip_list) - 3]
         current_app.logger.info("Inbound sms ip route list {}"
                                 .format(ip_route))
+    p0 = ip.split('.')
 
-    # Temporary custom header for route security - to experiment if the header passes through
-    if request.headers.get("X-Custom-forwarder"):
-        current_app.logger.info("X-Custom-forwarder {}".format(request.headers.get("X-Custom-forwarder")))
+    # IP whitelist
+    allowed_ips = current_app.config.get('SMS_INBOUND_WHITELIST')
+    allowed = False
+
+    for allowed_ip in allowed_ips:
+        p1 = allowed_ip.split('.')
+        if p0[0] == p1[0] and p0[1] == p1[1] and p0[2] == p1[2]:
+            allowed = True
+            # return
+        # else:
+            # raise AuthError('Unknown source IP address from the SMS provider', 403)
 
     current_app.logger.info({
         'message': 'Inbound sms ip address',
         'log_contents': {
-            'passed': ip in current_app.config.get('SMS_INBOUND_WHITELIST'),
+            'passed': allowed,
             'ip_address': ip
         }
     })
 
     return
-    # raise AuthError('Unknown source IP address from the SMS provider', 403)
 
 
 def requires_admin_auth():
diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py
index f0420e755..a0fac818d 100644
--- a/tests/app/authentication/test_authentication.py
+++ b/tests/app/authentication/test_authentication.py
@@ -362,3 +362,15 @@ def test_illegitimate_ips(restrict_ip_sms_app):
         )
 
     assert exc_info.value.short_message == 'Unknown IP route not from known SMS provider'
+
+
+def test_allow_valid_ips_24bits(restrict_ip_sms_app):
+    # Test an address that match the first 24 bits only
+    response = restrict_ip_sms_app.get(
+        path='/',
+        headers=[
+            ('X-Forwarded-For', '111.111.111.119, 222.222.222.222, 127.0.0.1'),
+        ]
+    )
+
+    assert response.status_code == 200