Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT and l7-filter

By Lucian Gheorghe

About this book

Firewalls are used to protect your network from the outside world. Using a Linux firewall, you can do a lot more than just filtering packets. This book shows you how to implement Linux firewalls and Quality of Service using practical examples from very small to very large networks.

After giving us a background of network security, the book moves on to explain the basic technologies we will work with, namely netfilter, iproute2, NAT and l7-filter. These form the crux of building Linux firewalls and QoS. The later part of the book covers 5 real-world networks for which we design the security policies, build the firewall, set up the script, and verify our installation.

Providing only necessary theoretical background, the book takes a practical approach, presenting case studies and plenty of illustrative examples.

Publication date:
October 2006


Chapter 1. Networking Fundamentals

When it comes to theory, some of you out there might find it boring to read; so the first thing that may go through your mind is to skip this chapter. Don't do it. Even if you think that you know all the theoretical concepts, a recapitulation is good anytime.

Network professionals talk about protocols, devices, and software in terms of which OSI Layer they function at. When people talk about high-performance Layer 3 switches these days, they talk about switches that can perform OSI Layer 3 tasks and they expect you to know which tasks are at that layer. A simple deduction makes you realize that classic switches perform OSI Layer 2 functions.

Layer 3 switches are beyond the scope of this book, but that was a simple example of why you should know the OSI layered model, which is purely theoretical. Further in this book, you will learn about "Layer 7 filtering" which refers to how to filter what is on OSI Layer 7, which I'm sure you will find very attractive to read and implement.

By definition, a network is a group of two or more computer systems linked together, with the ability to communicate with each other.

The types of networks commonly used are:

  • LAN (Local Area Network): A network in which the computers are close together (the same building).

  • WAN (Wide Area Network): A network in which the computers are at very long distances.

  • MAN (Metropolitan Area Network): A city-wide network.

  • CAN (Campus Area Network): A network in a campus or a military base.

  • SAN (Storage Area Network): A high-performance network used to move data between servers and dedicated storage devices.

  • VPN (Virtual Private Network): A private network built over the public network infrastructure (over the Internet).

  • HAN (Home Area Network): A network in a personal home. This term is rarely used; most people use the term LAN in this matter.

Computers in a user home network (a HAN) are usually connected to the building switch and form a LAN with the other users' computers. This switch is connected to a MAN or a CAN that is connected to the largest WAN, which is the Internet.


The OSI Model

In order for computers to communicate, they must speak the same language or protocol. In the early days of networking, networks were disorganized in many ways. Companies developed proprietary network technologies that had great difficulties in exchanging information with other or existing technologies; so network interconnections were very hard to build. To solve this problem, the International Organization for Standardization (ISO) created a network model that helps vendors to create networks compatible with each other.

In 1984, ISO released the Open Systems Interconnection (OSI) reference model, which is a well-defined set of specifications that ensures greater compatibility among various technologies.

In fact, OSI is a description of network communication that everyone refers to. It is not the only network model, but it has become the primary model for network communication. You will see further in this chapter, that the TCP/IP model is only a reduced version of the OSI model.

The OSI model consists of seven layers, each illustrating a particular network function.

Information contained in one layer usually has headers and trailers and data encapsulated from an upper layer. Encapsulation is the process of placing the data from an upper layer between headers and trailers so that when data is received by a layer, after it is analyzed, the protocol at that layer removes the headers and trailers and gives the data to the upper layer in the format that the upper layer understands.

At Layer 7 (application) of the OSI model we have the user interface (a web browser for example). Layer 6 (presentation) handles how data is presented (e.g. HTML). While accessing a web page, a computer may be sending/receiving emails. Keeping data from different applications separate is the job for Layer 5 (session) of the OSI model. At Layer 4 (transport) we find protocols that transfer the data (TCP for example), while at Layer 3 (network) we find logical addressing, which is used for path determination (e.g. IP). At Layer 2 (data link), we find network protocols such as Ethernet, and at the lowest layer, Layer 1 (physical), we find the cabling specifications (e.g. RJ-45).

This was a quick overview on the OSI layers. Now, let's have a closer look at these layers in order for us to understand the communication process.

OSI Layer 7: Application

The OSI application layer refers to communication services to applications. When programmers design an image editor for example, they don't have to think about adding OSI Layer 7 capabilities to that software, because it has no need for communication with other computers. On the other hand, when creating an FTP client, they must add communication capabilities to that software.

At Layer 7 we usually find Telnet, FTP, HTTP, SMTP, SNMP, or SSH.

When we say, for example, Layer 7 filtering, we refer to filtering application data, regardless of what port or computer it may come from.

OSI Layer 6: Presentation

The purpose of the presentation layer is defining the data formats in which data is represented. Data formats are usually standard formats like ASCII, JPEG, GIF, TIFF, MPEG, etc. OSI Layer 6 also defines encryption as a presentation layer service.

The importance of defining data formats is obvious. For example, when sending email, you usually send it plain text (ASCII) or HTML. If the receiving application doesn't know these data formats, your email will not be displayed correctly.

OSI Layer 6 provides a service to the upper OSI layer (application). It formats the data to be sent across the network in a manner that the receiving application is able to understand and/or manipulate.

OSI Layer 5: Session

The session layer defines how to start, control, and end conversations. These conversations are called sessions. OSI Layer 5 ensures inter-host communication, meaning that it establishes ways to manage sessions between applications.

An application may communicate with several other applications (on other PCs) at the same time. For each communication channel, Layer 5 starts a separate session that provides a service to the upper layer (presentation). The session layer ensures that a series of messages is completed. For example, if only half the data is received on a particular session, Layer 5 will not pass the data to the upper layer if the application is built this way. For example, suppose you go to an ATM machine, log in, print your account status, and insert an amount you want to extract from your account, but a communication error happens right then. The ATM will not give you the cash before it debits your account; instead, it will wait for the confirmation from the central system that the account was debited with that amount and then gives you the cash.

At the session layer, we find SQL, NFS, RPC, etc. Usually, the operating system is responsible for OSI Layer 5.

OSI Layer 4: Transport

The transport layer ensures the management of virtual circuits between hosts that can provide error correction. It contains a series of protocols concerned with transportation issues between hosts. These protocols may reorder the data stream if the packets arrive out of order. Layer 4 protocols are also responsible for multiplexing incoming data for different flows to applications running on the same host.

OSI Layer 4 provides a service to the session layer, meaning that after the data is received, multiplexed, and reordered, it is given to the upper layer (session) for handling.

The most common Layer 4 protocols are TCP, UDP, and SPX. The most important features of Layer 4 protocols are error correction and flow control. Because a router can discard packets for many reasons (communication errors, network congestion, etc.) Layer 4 protocols can provide retransmission of packets that the other host didn't receive. This is called error correction. Also, because of bandwidth limitations, if data is sent from one device using its full physical bandwidth, network congestion will occur. Layer 4 protocols are responsible for limiting transmission speed so that the network doesn't get flooded. This is called flow control.

We will see later in this chapter how error correction and flow control are accomplished and what protocols provide reliable or unreliable transport.

OSI Layer 3: Network

The network layer defines end-to-end delivery of data. In order for computers to be identified, the network layer defines logical addressing (e.g. IP addresses). OSI Layer 3 also defines how routing works and how routes are learned by routers for packet delivery. Also, the network layer defines fragmentation of packets, which is the process that breaks packets into smaller units in order to accommodate media with smaller maximum transmission unit (MTU) sizes.

Usually at OSI Layer 3 we find IP and IPX. When we think about OSI Layer 3, we must think of "routing". For example, routers are Layer 3 devices that run routing protocols for path determination.

Routers make their routing decisions based on the routing tables they have. Routing tables are collections of rules that define where data should go for a specific address or network.

At the beginning of this chapter, I was talking about one very common issue these days—"Layer 3 switches". Layer 3 switches switch packets according to a Layer 3 routing table. Usually, routers have a small number of interfaces that connect to switches for connectivity with other endpoints. In IP, Layer 3 switches are transparent routers with a very high density of ports.

OSI Layer 2: Data Link

The data link layer specifications are concerned with transferring data over a particular medium. For example, IEEE 802.3, which is the protocol for Ethernet, is found at OSI Layer 2. Hubs and switches are Layer 2 devices because they forward Ethernet packets over copper wires. At the data link layer we find protocols like ATM, Frame Relay, HDLC, PPP, FDDI, etc.

What we need to understand from this is that OSI Layer 2 specifies how packets are sent to the communication link. When we think about OSI Layer 2, we can think "switching", for example.

OSI Layer 1: Physical

The physical layer contains specifications for the physical medium of transmission that the data link layer protocols use. Layer 1 specifications are about connectors, pins, electrical currents, light modulation, etc. At Layer 1, we find the 802.3 standard, which has definitions about the Ethernet pinout, cable lengths, voltages, etc. More than that, we find cabling specification standards for RJ45, RJ48, V.35, V.24, EIA/TIA-232, and so on.

When we think about Layer 1, we can think "cables and connectors".

OSI Functionality Example and Benefits

Let's think about one world-wide service that wouldn't have been possible without standardization, like email services. There are so many email client software applications out there, and all of them use the same protocols to transmit and receive data.

Let's say you are in a company LAN and you want to send an email.

Layer 7: You use an email client (like Outlook Express for example), which has SMTP and POP3 functions according to OSI Layer 7 (application).

Layer 6: You send the email, formatted in ASCII or HTML. The application then creates a data unit formatted in ASCII or HTML according to OSI Layer 6 (presentation).

Layer 5: The email message uses the operating system to open a session for inter-host communication according to OSI Layer 5 (session).

Layer 4: A TCP socket with the SMTP server is opened by the operating system. A virtual circuit is opened between your computer and the email server using TCP according to OSI Layer 4 (transport).

Layer 3: Your computer searches for the IP address of the SMTP server according to the routing table of the operating system. If it is not found in the routing table, it will forward it to the company router for path determination. The IP protocol is at OSI Layer 3 (network).

Layer 2: The IP packet is transformed to an Ethernet frame according to OSI Layer 2 (data link).

Layer 1: The Ethernet frame is converted to electrical signals that are sent throughout the CAT5 cable according to OSI Layer 1 (physical).

By creating specifications on multiple layers, the OSI model has a lot of benefits:

  • Reduced complexity allows faster evolution. There are companies specialized in creating products specific for one layer, instead of rebuilding everything from the application to the physical layer.

  • Interoperability is much easier due to standardization.

  • Each layer uses the service of the layer immediately below it, and so it is easier to remember what the lower layer does.

  • It simplifies teaching. For example, network administrators need to know the functions of the lowest four layers, while programmers need to know the upper layers.


The TCP/IP Model

The TCP/IP model was developed by the U.S. Department of Defense (DoD) and originated from the need of a network that could survive any conditions, including a nuclear war. After it was released to the public, in a few years the TCP/IP model became the most popular networking model and it is now the core of the Internet.

In a world where we have data transmitted over wires, microwaves, satellite links, and optical fiber, there is the need to transmit data reliably over any media and under any circumstances. Let's see how the TCP/IP model can do that.

First of all, the TCP/IP model consists of four layers as in the following figure:

So, the layers of the TCP/IP model are: Application, Transport, Internet, and Network Access.

Even if some layers from the TCP/IP model share the same name with some layers from the OSI model, they include different functions.

The TCP/IP Application Layer

The TCP/IP application layer handles high-level protocols, representation, encoding, and dialog control. The Application layer in the TCP/IP model defines not only the application, but also how data is formatted, and how sessions are initialized and destroyed. As an analogy to the OSI model, the TCP/IP application layer handles the functions found at the three upper layers in the OSI model—application, presentation, and session. This way, all application-related issues found in the OSI model are combined into one layer.

The application layer in the TCP/IP model includes protocols like FTP, SMTP, etc., with all their issues regarding data representation and dialog control. The application layer ensures that the data is properly packaged before it is passed to the transport layer.

The TCP/IP Transport Layer

The transport layer provides transport services for the application layer by creating logical connections between the source host and the destination host.

In the TCP/IP model, two protocols are found at the transport layer:

  • Transmission Control Protocol (TCP)

  • User Datagram Protocol (UDP)

The Transmission Control Protocol (TCP)

TCP is a connection-oriented protocol and provides reliable data transfer between endpoints.

TCP breaks messages into segments, reassembles them at the destination, and sends them to the upper layer (application).

A TCP segment contains:

  • Source Port: The port number used by the sending host to send data

  • Destination Port: The port number used by the receiving host to receive data

  • Sequence Number: The SEQ number of the segment, used to ensure the data arrives in the correct order

  • Acknowledgement Number: The ACK number is the next expected TCP octet from the other host.

  • Header Length (HLEN): Number of 32-bit words in the header

  • Code Bits: Control functions such as set up or terminate a session

  • Reserved: Reserved bits are set to zero

  • Window: The number of octets that the sender will accept

  • Checksum: Calculated checksum of the header and data fields

  • Urgent: Indicates the end of the urgent data

  • Options: There is only one option defined, which is the maximum TCP segment size.

  • Data: The data from the upper layer (application)

Connection-oriented means that TCP needs to establish a connection between the two hosts before it starts sending data. This is done by using a three-way handshake, in which the two hosts communicating over TCP synchronize (SYN) with each other.

First, the initiating host sends a SYN packet to the receiving host sending its sequence number (SEQ). The receiving host receives the SYN packet and sends back an acknowledgement (ACK) packet containing its own sequence number and the source's SEQ number incremented by 1. This tells the sending host that the packet was received successfully and informs it about its SEQ number. Next, the sending host sends an ACK packet to the receiving host, containing the receiving host's SEQ number incremented by one. This tells the receiving host that the sending host received its packet.

The process described above is called synchronization (the three-way handshake), and it is necessary because the network doesn't have a global clock and TCP protocols may use different mechanisms to choose initial sequence numbers.


In a few words, synchronization is the way both hosts learn about the other host's initial SEQ number. Another important aspect that you should learn from this is that the first packet sent by a host to another is called a SYN packet.
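The handshake above, checked the way a stateful packet filter would check it, as an added example that is not code from the book: it parses the fixed 20-byte TCP header into the fields listed earlier and verifies that each side acknowledges the other's SEQ number plus one. The function names, ports and initial sequence numbers are constructed for illustration, and the second segment is expected to carry both the SYN and ACK code bits.

```python
import struct
from collections import namedtuple

TCPHeader = namedtuple(
    "TCPHeader",
    "src_port dst_port seq ack hlen_words flags window checksum urgent",
)

# Code bits, stored in the low bits of the 16-bit HLEN/reserved/flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SEQ_MOD = 2 ** 32  # sequence numbers are 32 bits wide and wrap around


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build an option-less TCP header (constructed input, checksum left 0)."""
    hlen_flags = (5 << 12) | flags  # HLEN = 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       hlen_flags, window, 0, 0)


def parse_tcp_header(segment: bytes) -> TCPHeader:
    """Decode the fixed part of a TCP header into the fields listed above."""
    if len(segment) < 20:
        raise ValueError("shorter than the minimum 20-byte TCP header")
    (src, dst, seq, ack, hlen_flags, window, checksum,
     urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    hlen_words = hlen_flags >> 12
    if hlen_words < 5 or hlen_words * 4 > len(segment):
        raise ValueError("HLEN does not fit the segment")
    return TCPHeader(src, dst, seq, ack, hlen_words, hlen_flags & 0x3F,
                     window, checksum, urgent)


def check_handshake(segments):
    """Validate client SYN, server SYN+ACK, client ACK. Returns (ok, reason)."""
    if len(segments) != 3:
        return False, "expected three segments"
    syn, syn_ack, ack = (parse_tcp_header(s) for s in segments)
    control = SYN | ACK | RST | FIN

    if (syn.flags & control) != SYN:
        return False, "first segment is not a bare SYN"
    if (syn_ack.flags & control) != (SYN | ACK):
        return False, "second segment is not SYN+ACK"
    if (syn_ack.src_port, syn_ack.dst_port) != (syn.dst_port, syn.src_port):
        return False, "reply ports do not mirror the SYN"
    if syn_ack.ack != (syn.seq + 1) % SEQ_MOD:
        return False, "SYN+ACK does not acknowledge client SEQ + 1"
    if (ack.flags & control) != ACK:
        return False, "third segment is not a bare ACK"
    if (ack.src_port, ack.dst_port) != (syn.src_port, syn.dst_port):
        return False, "final ACK ports do not match the SYN"
    if ack.seq != (syn.seq + 1) % SEQ_MOD:
        return False, "final ACK does not continue from client SEQ + 1"
    if ack.ack != (syn_ack.seq + 1) % SEQ_MOD:
        return False, "final ACK does not acknowledge server SEQ + 1"
    return True, "established"


if __name__ == "__main__":
    # Constructed exchange: client port 40000, server port 80.
    exchange = [
        build_tcp_header(40000, 80, 1000, 0, SYN),
        build_tcp_header(80, 40000, 5000, 1001, SYN | ACK),
        build_tcp_header(40000, 80, 1001, 5001, ACK),
    ]
    for raw in exchange:
        print(parse_tcp_header(raw))
    print(check_handshake(exchange))
```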

After the synchronization is performed, TCP uses a process called windowing to ensure flow control and ACK packets for the reliability of the data transmission.

Windowing is a process in which the two hosts adapt the number of bytes they send by how many windows the other host receives before sending an ACK packet. For example, see the following figure:

The sender host sends three packets before expecting an ACK packet, while the receiving host can only process two. The receiving host sends back an ACK packet confirming what packet the sender should send and specifies a window size of 2. The sending host sends packet 3 again but with the same window size 3. The receiver sends ACK 5, meaning that it waits for the fifth packet and specifies again the window size 2. From this point, the sender only sends two packets before waiting for an ACK packet from the receiver.

Flow control is a mechanism that keeps the data transmission in limits imposed by the physical medium. For example, a host on a network that is connected to the Internet through a router with 64 kilobits per second, without flow control would flood out 100 megabits per second to the router when sending data to another computer located at the other end of the world. With a flow control mechanism in TCP, the hosts negotiate a window size, meaning an amount of data to be transmitted by one host at once.

ACK packets are sent by the receiving host indicating the last packet has been received, and that the receiving host is waiting for the next packet after the one last received. If packets get lost along the way, this will force the sending host to resend that packet, thus ensuring a reliable communication.


Please note that TCP is a connection-oriented protocol with reliable data transmission and flow control.

Applications with the need of reliable data transmission use TCP as transport protocol. Examples of such applications are FTP, HTTP, SMTP, Telnet, SSH, etc.

The User Datagram Protocol (UDP)

UDP is a much simpler protocol than TCP is, and it's everything that TCP isn't. UDP is a transport layer protocol that doesn't need to establish a connection with the other host for sending data. This means that UDP is connectionless.

A UDP segment contains:

  • Source Port: The port number used by the sending host to send data

  • Destination Port: The port number used by the receiving host to receive data

  • Length: The number of bytes in header and data

  • Checksum: Calculated checksum of the header and data fields

  • Data: The data from the upper layer (application)

Also, UDP doesn't have any mechanisms for flow control and doesn't retransmit data if data gets lost. This means that UDP provides unreliable delivery. However, data retransmission and error handling can be implemented at the application layer, whenever it is needed.

Now, you are probably wondering if TCP has so many great features, why use UDP?

A first answer to that question would be because there are applications that don't need to put sequences of segments together. Let's take for instance H.323, which is used for Voice over IP (VoIP). Voice over IP is a way to send real-time conversations over an IP network. If H.323 used TCP, in a conversation, when data gets lost due to network congestion, the sending host must retransmit all the lost data while encapsulating the new telephone input into new data, which would have to wait to be sent. This would be very bad for a conversation in a network with delays higher than 100 milliseconds.

A second motive for using UDP would be that a simple protocol needs less processing capacity. For example, DNS uses UDP for handling DNS requests from clients. Think about a very large network that usually has two or three DNS servers. If TCP was used to handle DNS requests, the DNS servers would have to establish TCP connections with all clients for each DNS request. This would need high processing capacity from the DNS server and would be slower than UDP is.

Another example is TFTP, which is used for file transfer, usually by routers to load their operating systems from. TFTP is much simpler than FTP, and it is far easier to code in a router's bootloader than FTP is.


Please note that TCP and UDP are at TCP/IP Layer 3. However, when referred to as networking model protocols, TCP and UDP are said to be Layer 4 protocols, because they stand at Layer 4 in the OSI model, which is the reference model for networking.

The TCP/IP Internet Layer

The Internet layer in the TCP/IP model has the functions of OSI Layer 3—network. The purpose for the Internet layer is to select a path (preferably the best path) in the network for end-to-end delivery.

The main protocol found at the Internet layer is IP (Internet Protocol), which provides connectionless, best-effort delivery routing of packets. IP handles logical addressing, and its primary concern is to find the best path between the endpoints, without caring about the contents of the packet. IP does not perform error checking and error correction, and for this reason is called an unreliable protocol. However, these functions are handled by the transport layer (TCP) and/or the application layer.

IP encapsulates data from the transport layer in IP packets. IP packets don't use trailers when encapsulating TCP or UDP data. Let's see what an IP packet looks like:

The fields contained in the IP header signify:

  • Version: Specifies the format of the IP packet header. The 4-bit version field contains the number 4 if it is an IPv4 packet, and 6 if it is an IPv6 packet. However, this field is not used to distinguish between IPv4 and IPv6 packets. The protocol type field present in the Layer 2 envelope is used for that.

  • IP header length (HLEN): Indicates the datagram header length in 32-bit words. This is the total length of all header information, and includes the two variable-length header fields.

  • Type of service (ToS): 8 bits that specify the level of importance that has been assigned by a particular upper-layer protocol.

  • Total length: 16 bits that specify the length of the entire packet in bytes. This includes the data and header. To get the length of the data payload, subtract the HLEN from the total length.

  • Identification: 16 bits that identify the current datagram. This is the sequence number.

  • Flags: A 3-bit field in which the two low-order bits control fragmentation. One bit specifies if the packet can be fragmented, and the other indicates if the packet is the last fragment in a series of fragmented packets.

  • Fragment offset: 13 bits that are used to help piece together datagram fragments. This field allows the next field to start on a 16-bit boundary.

  • Time to Live (TTL): A field that specifies the number of hops a packet may travel. This number is decreased by one as the packet travels through a router. When the counter reaches zero, the packet is discarded. This prevents packets from looping endlessly.

  • Protocol: 8 bits that indicate which upper-layer protocol, such as TCP or UDP, receives incoming packets after the IP processes have been completed.

  • Header checksum: 16 bits that help ensure IP header integrity.

  • Source address: 32 bits that specify the IP address of the node from which the packet was sent.

  • Destination address: 32 bits that specify the IP address of the node to which the data is sent.

  • Options: Allows IP to support various options such as security. The length of this field varies.

  • Padding: Extra zeros are added to this field to ensure that the IP header is always a multiple of 32 bits.

Data is not a part of the IP header. It contains upper-layer information (TCP or UDP packets) and has a variable length of up to 64 bytes.

If an IP packet needs to go out on an interface that has a MTU (Maximum Transmission Unit) size of less than the size of the IP packet, the Internet Protocol needs to fragment that packet into smaller packets matching the MTU of that interface. If the "Don't Fragment" bit in the Flags field of the IP packet is set to 1 and the packet is larger than the MTU of the interface, the packet will be dropped.
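The header fields and the MTU rule above, worked through as an added example that is not code from the book: it decodes an IPv4 header, verifies the header checksum, and then either forwards, fragments or drops the packet for a given interface MTU depending on the "Don't Fragment" bit. The function names and addresses are constructed for illustration, and fragmentation is only handled for headers without options.

```python
import ipaddress
import struct
from collections import namedtuple

IPv4Header = namedtuple(
    "IPv4Header",
    "version hlen_words tos total_length identification dont_fragment "
    "more_fragments fragment_offset ttl protocol src dst",
)
DF, MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF  # bits of the flags/offset word


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum used for the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_packet(src, dst, payload, flags_frag=0, ident=1, ttl=64,
                      proto=6, tos=0):
    """Build an option-less IPv4 packet with a valid header checksum."""
    header = bytearray(struct.pack(
        "!BBHHHBBH4s4s", (4 << 4) | 5, tos, 20 + len(payload), ident,
        flags_frag, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", header, 10, internet_checksum(bytes(header)))
    return bytes(header) + payload


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Decode and sanity-check the header; raises ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 20-byte IPv4 header")
    (ver_hlen, tos, total_length, ident, flags_frag, ttl, proto, _checksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hlen_words = ver_hlen >> 4, ver_hlen & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet")
    if hlen_words < 5 or hlen_words * 4 > total_length or total_length > len(packet):
        raise ValueError("inconsistent HLEN / total length")
    # Summing a valid header, checksum field included, yields zero.
    if internet_checksum(packet[:hlen_words * 4]) != 0:
        raise ValueError("header checksum mismatch")
    return IPv4Header(version, hlen_words, tos, total_length, ident,
                      bool(flags_frag & DF), bool(flags_frag & MF),
                      flags_frag & OFFSET_MASK, ttl, proto,
                      str(ipaddress.IPv4Address(src)),
                      str(ipaddress.IPv4Address(dst)))


def payload_length(header: IPv4Header) -> int:
    """Total length minus the header length (HLEN counts 32-bit words)."""
    return header.total_length - header.hlen_words * 4


def send_on_interface(packet: bytes, mtu: int):
    """Return the packets to transmit; an empty list means it was dropped."""
    h = parse_ipv4_header(packet)
    if h.total_length <= mtu:
        return [packet[:h.total_length]]
    if h.dont_fragment:
        return []  # too large and DF set: dropped
    if h.hlen_words != 5:
        raise ValueError("this example only fragments option-less headers")
    step = (mtu - 20) // 8 * 8  # fragment offsets count 8-byte units
    if step <= 0:
        raise ValueError("MTU too small to carry any payload")
    payload = packet[20:h.total_length]
    fragments = []
    for pos in range(0, len(payload), step):
        last = pos + step >= len(payload)
        # Keep MF on the last piece if the input was itself a middle fragment.
        more = MF if (not last or h.more_fragments) else 0
        fragments.append(build_ipv4_packet(
            h.src, h.dst, payload[pos:pos + step],
            (h.fragment_offset + pos // 8) | more,
            h.identification, h.ttl, h.protocol, h.tos))
    return fragments


if __name__ == "__main__":
    # Constructed packet: 100-byte payload between two documentation addresses.
    pkt = build_ipv4_packet("192.0.2.1", "198.51.100.7", bytes(range(100)))
    for frag in send_on_interface(pkt, 68):
        print(parse_ipv4_header(frag))
```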

ICMP: Internet Control Message Protocol is a protocol that provides control and messaging capabilities to the Internet Protocol (IP). ICMP is a very important protocol because most of the troubleshooting of IP networks is done by using ICMP messages. The most important aspect of ICMP involves the types of messages that it returns and how to interpret them.

Message Returned: Description / Interpretation

  • Destination Unreachable: This tells the source host that there is a problem delivering a packet. The problem is that either the destination host is down or its internet connection is down.

  • Time Exceeded: It has taken too long for a packet to be delivered. The packet has been discarded.

  • Source Quench: The source is sending data faster than it can be forwarded. This message requests that the sender slow down.

  • Redirect: The router sending this message has received some packet for which another router, which is also directly connected to the sender, would have had a better route. The message tells the sender to use the better router.

  • Echo: This is used by the ping command to verify connectivity. The sender will issue an "echo request" message and will receive an "echo reply" from the other host if a path is found between the two.

  • Parameter Problem: This is used to identify a parameter that is incorrect.

  • Timestamp: This is used to measure roundtrip time to particular hosts.

  • Address Mask Request/Reply: This is used to inquire about and learn the correct subnet mask to be used.

  • Router Advertisement and Selection: This is used to allow hosts to dynamically learn the IP addresses of the routers attached to the subnet.

ARP: Address Resolution Protocol is used to determine MAC addresses for a given IP address.

RARP: Reverse Address Resolution Protocol is used to determine an IP address for a given MAC address.

The TCP/IP Network Access Layer

The network access layer in TCP/IP, also called host-to-network layer, allows IP packets to make physical links to the network media.

As you can notice, ARP and RARP are found at both the Internet and network access layers. Also, you can see that the TCP/IP network access layer contains LAN and WAN technologies that are found at the OSI physical and data link layers.

Network access layer protocols map IP addresses to hardware addresses and encapsulate IP packets into frames. Drivers for network interfaces, modems, and WAN interfaces also operate at the TCP/IP network access layer.

TCP/IP Protocol Suite Summary

To have an overview of the TCP/IP model, take a look at the following diagram:

You have applications that need to reliably transfer data like FTP, HTTP, SMTP, and the zone transfers in DNS that use the TCP protocol, as well as applications that need to use a simpler protocol like TFTP and DNS requests using UDP.

Both TCP and UDP then use IP for end-to-end delivery (routing) and physical interfaces to send the data.

Let's see what the email example we gave with the OSI model looks like with TCP/IP. So, you are in a company LAN and you want to send an email:

Layer 4: You use an email client (like Outlook Express for example) that has SMTP and POP3 functions according to TCP/IP Layer 4 (application). You send the email, formatted in ASCII or HTML. The application then creates a data unit formatted in ASCII or HTML. The email client uses the operating system to open a session for inter-host communication. All those functions are performed at TCP/IP Layer 4 (application).

Layer 3: A TCP socket with the SMTP server is opened by the operating system. A virtual circuit is opened between your computer and the email server using TCP according to TCP/IP Layer 3 (transport).

Layer 2: Your computer searches for the IP address of the SMTP server according to the routing table of the operating system. If it is not found in the routing table, it will forward it to the company router for path determination. The IP protocol is at TCP/IP Layer 2 (Internet).

Layer 1: The IP Packet is transformed to an Ethernet frame. The Ethernet frame is converted to electrical signals that are sent throughout the CAT5 cable. Those functions are performed at TCP/IP Layer 1 (data link).


OSI versus TCP/IP

As it was mentioned before, the OSI model is more of a theoretical model and it is very useful in the learning process. On the other hand, the Internet was built on the TCP/IP model, and so, TCP/IP is the most popular due to its usage and its protocols.

Some similarities between the two models are:

  • Both models are layered models and have the benefits of layered communication models.

  • Both models have application layers, even if they include different services.

  • Both models have transport and network layers that have comparable functionality.

  • Both models use packet-switching technologies instead of circuit-switching.

Some differences between the two models are:

  • TCP/IP combines the three upper layers of the OSI model in a single layer, thus being more oriented towards the transmission protocols.

  • The data link and physical layers from the OSI model are combined in a single layer in the TCP/IP model.

Nowadays, the OSI model doesn't have live applications as TCP/IP does, but it is the starting point of every networking model because of its benefits.

TCP/IP looks simpler because it has fewer layers than the OSI model. However, communication using TCP/IP matches all the layers in the OSI model.

Let's see an example in a TCP/IP network:

A packet originating from host X will get to host Y by traversing routers A, B, and C.

Let's say, for example, that host X is a web server replying to a request originally initiated from host Y.

The HTTPD server (X Layer 7) responds to the request by sending an HTML-formatted page (X Layer 6) to host Y. The server has many requests that it answers at that moment; so the operating system will send the data (the web page) on a session initiated when host Y made the request (X Layer 5). The data is then encapsulated in a TCP segment (X Layer 4). The TCP segment is then encapsulated in an IP packet with the source IP of host X and destination IP of host Y (X Layer 3). Host X looks for host Y in its routing table and doesn't find it; so host X should forward the IP packet to router A, which has an interface on the same subnet with the IP address of an Ethernet card on host X. The IP packet is sent to the Ethernet interface and converted to Ethernet frames (X Layer 2), which are then converted to electric currents and sent through the RJ45 socket of the Ethernet card (X Layer 1).

Router A receives some currents on the cable entering one of its Ethernet interfaces (A Layer 1) and converts these currents to Ethernet frames (A Layer 2). Ethernet frames are then converted to IP packets. The router looks at the destination IP address in the IP packet, and sees that it matches none of its IP addresses; so it knows that it should find a path to host Y. Looking at its routing table, it finds that the best path is advertised by router B and decides to send the IP packet to it (A Layer 3). If router A is connected to router B through a modem, it will convert the IP packet into PPP frames (A Layer 2), and the modem will convert the PPP frames into sounds (A Layer 1).

Routers B and C will do the same thing as router A, except that router C will find host Y directly connected to one of its interfaces (Y has an IP address in the same subnet as one of C's IP addresses), and so it will send the packet directly to Y.

Host Y receives some currents on the cable connected to its Ethernet interface (Y Layer 1), which it will convert to Ethernet frames (Y Layer 2) and then to IP packets (Y Layer 3). It will then look for the destination host in the IP packet that matches one of its IP addresses. The contents of the IP packet are then taken by the TCP protocol (Y Layer 4), which puts the received segments together. The operating system of host Y will handle the data received from TCP to send it on the session that requested this data (Y Layer 5). For example, if host Y has three web browsers opened, the operating system will give the data from TCP to the browser that requested it. The data received is HTML formatted (Y Layer 6); so it will be read by the web browser using the HTML standard. Finally, after all data is received, the web browser will display to the user the web page received (Y Layer 7).


IP Addressing, IP Subnetting, and IP Supernetting

The Internet Protocol (IP) found at OSI Layer 3 is responsible for end-to-end delivery of data between computers in an IP network (the Internet). To find a path between two computers in a large network such as the Internet, computers must be uniquely identified. To do that, the Internet Protocol defines IP addresses, which are unique 32-bit sequences of ones and zeros.

For example, 11000000101010000000000100000001 is a valid IP address. For ease of use, IP addresses are represented in a form called the dotted decimal format. The 32 bits of the IP address are grouped in 4 bytes delimited by dots and transformed into the decimal form because it is simpler to use decimal numbers instead of long sequences of ones and zeros. For example, the IP address shown here is:

[Figure: Dotted decimal form]


Please note that we will discuss IP version 4 (IPv4). There is also IP version 6 (IPv6), which is intended to replace IPv4 in the future. Because each byte has 8 bits, each byte in the IPv4 address can vary from a minimum of 0 to a maximum of 255. This gives us a maximum of 4,294,967,296 IP addresses. The IPv6 protocol extends the number of IP addresses by creating IP addresses 16 bytes long. Since IPv4 is the most widely used protocol and will remain so for many years, we will refer to IPv4 addresses in this book.

One device connected to the Internet can have more than one IP address assigned to a single interface. In order for one interface to communicate in an IP network, it must have at least one IP address. Two hosts that have the same IP address in the same network will conflict with each other, and only one or none of them will work on the Internet.

Obtaining an IP Address

An IP address can be statically configured on a device, by assigning an interface a fixed IP address in the dotted decimal format. This way, that host has a static IP address, and will use it until the user changes it.

Servers, routers, and network printers should be assigned static IP addresses. Also, if a network is small, statically assigning IP addresses doesn't make it difficult for the administrator to keep track of computers.

A computer connecting to the Internet by using a modem usually receives an IP address from the access server that it dials into. The Point to Point Protocol (PPP) is used in such cases, and IPCP (Internet Protocol Control Protocol) is responsible for IP address negotiation and can also provide DNS and WINS addresses.

The most popular protocol for dynamic IP address configuration these days is DHCP (Dynamic Host Configuration Protocol). Configuring a DHCP server involves a few simple tasks like specifying a range of IP addresses that can be assigned to clients, DNS servers, and the default gateway for the clients. This is very simple to set up when administering a large LAN, because you don't have to set up static IP addresses on each computer. The DHCP server does all the work.

The predecessor of DHCP is the Bootstrap Protocol (BOOTP). BOOTP, however, was not made to provide IP addresses dynamically; so, for every host in the network, an entry containing the IP address and MAC address of that host is added in the configuration file. You still have to provide computers static IP addresses, but, using BOOTP, instead of setting those up manually on the computers, you set them in a file on the server.

The Reverse Address Resolution Protocol (RARP) can be also used to assign IP addresses. RARP associates a known MAC address to an IP address. A RARP server must be configured with the MAC addresses of the stations using RARP and IP addresses for those stations.


Please note that MAC addresses are Layer 2 addresses that make sense only in the local network. Routers will not forward these outside the LAN.

IP Classes

An IP address has two parts: one that specifies the network that it is in, and one that uniquely identifies it in that network. The first part is called the network part of the IP address, and the second part is called the host part of the IP address.

To identify the two parts of an IP address, devices use a network mask. Network masks have the same format as IP addresses (32 bits) and have the bits in the network part of the IP address set to 1 and the bits in the host part set to 0.

For example, if we find computers from to on a network, it means that all computers have the network part 192.168.1, and the rest will be the host part. The network mask in this case will be 11111111111111111111111100000000 in binary, and in dotted decimal form.

To accommodate different sized networks, IP addresses are divided in groups called classes, identified by the leftmost bit or sequence of bits. The classes are called A, B, C, D, and E, and this process is called classful addressing.


Leftmost bits | Start Address | End Address











Class A was designed to accommodate very large networks, with more than 16 million hosts. The first bit in a class A IP address must be 0; so the minimum value of the first byte is 0 and the maximum is 127. However, 0 and 127 are reserved; so valid class A IP addresses start with numbers between 1 and 126. The network is used for loopback testing, and it is used by devices to communicate with themselves using TCP/IP. A loopback interface is a virtual interface that emulates the TCP/IP network access layer or OSI Layers 1 and 2.

Class B addresses accommodate medium to large networks. The first two bits in the first byte of the IP address must be 10; so the first byte is between 128 and 191 in decimal. A valid class B IP address starts with a number between 128 and 191.

Class C addresses accommodate small networks with a maximum of 254 hosts. The first three bits in the first byte of a class C IP address must be 110; so the first byte must have its decimal value between 192 and 223. A valid class C IP address starts with a number between 192 and 223.

Class D addresses were created to enable multicasting in IP networks. Multicasting is a process in which you define a number of IP addresses from a network that will receive a data stream from a streaming source. Multicasting is used mainly for broadcasting video and audio over an IP network. A streaming device such as a video server can multicast a data stream that will be received by some computers, not necessarily all (like broadcast) and not individually (like unicast). Class D IP addresses must have the first four bits in the first byte 1110; so a valid class D IP address may start with a value between 224 and 239 in the dotted decimal format.

Class E addresses have not been released for the public use in the Internet. They have been defined and are reserved by the Internet Engineering Task Force (IETF) for its own research. Class E IP addresses must have the first four bits 1111; so a class E IP address can start with a value between 240 and 255.

Reserved IP Addresses

An IP network has two IP addresses that can't be used by any device connected to the network. These are the first and the last IP addresses in that network.

  • The Network Address: The first IP in the network. It identifies the network itself and is the most relevant IP address for devices outside the network. For example, for the class C, the first IP address is, which is the network address for that class C. Devices outside this network must first "find" the network, meaning that IP packets must be routed towards the network, and only after that is the host part of the IP address relevant. The first IP address in the network always has all the bits in the host part of the IP address 0.

  • The Broadcast Address: The last IP in the network. It is used to broadcast packets to all devices in that network. For example, for the class C, the broadcast address is A host that sends an IP packet with the destination IP address is sending a broadcast to the network; so all devices receive that IP packet. Broadcasts are used to make the network aware of some services on the broadcasting device or to request a service from a device without knowing its IP address. Broadcast addresses always have the bits in the host part 1.

Public and Private IP Addresses

The Internet is a public network, and therefore a device connected directly to the Internet has a public IP address. Those IP addresses must be administered by someone in such a way that two devices connected to the public network don't use the same IP address and two networks don't have the same network address. This job was done by InterNIC (Internet Network Information Center), which has been succeeded by IANA (Internet Assigned Numbers Authority). IANA makes sure to provide unique IP network addresses to Internet Service Providers (ISPs) and keeps track of their usage.

Both IPv4 and IPv6 addresses are assigned in a delegated manner. Users are assigned IP addresses by ISPs. ISPs obtain allocations of IP addresses from a local Internet registry (LIR) or national Internet registry (NIR), or from their appropriate regional Internet Registry (RIR):

A local area network connected to the Internet through a router doesn't always need public IP addresses for all the devices in that network. The devices will use local IP addresses, and when going outside the network, the router can do Network Address Translation (NAT), a process that translates the local IP address of the device into one IP address that is actually routed on the Internet to that router. NAT will be explained in greater detail later in this book.

NAT must be done by using private IP addresses that are not routed anywhere on the Internet. If we didn't have private IP addresses when using NAT, devices behind NAT could access any public IP address, except those within the same subnet as the ones used for the network behind NAT.

For example, a network administrator decides to use for a local network the class C IP address, which the router will translate into its own IP address whenever a device will access the Internet. This way, everything works fine, except one thing: no devices in the local network will be able to access, for example,, which has the IP address, because they will search for that IP address in the local network. In fact, no device in the local network will be able to access any devices in the Internet that have public addresses assigned by IANA within the class C network

To address this problem, IANA has reserved several IP classes that can't be used in the public network, meaning that they will not be routed in the Internet. These IP classes are described by RFC 1918 as private IP addresses that should be used in private networks. They are:

  • to class A IP addresses

  • to class B IP addresses

  • to class C IP addresses

By using these private IP addresses for local networks (intranets) connected to the Internet, the number of public IP addresses needed for devices accessing the public network decreases a lot. If a company has two local networks connected to the Internet in geographically distanced locations without a separate connection between those two networks, it doesn't have to use public IP addresses for the devices in each network. Instead, both networks can communicate by creating a virtual connection over the Internet, thus creating a VPN (Virtual Private Network), which will be discussed later in this book.


Since private IP addresses are not routed by any ISP, a company with two geographically distanced locations that have internet connections from different providers can't access one network from the other directly. In this case, they can create a virtual connection between the two locations and add routes to the public IP addresses in those locations only on their routers. This creates the advantage that both private networks can access the Internet and each other, but other hosts from the Internet can't access them. This is called a VPN (Virtual Private Network).
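The shadowing problem described above can be checked mechanically when reviewing the inside range of a NAT router. The following is an added example, not code from the book: the function names are hypothetical, the three RFC 1918 blocks are written in CIDR form, and the LAN ranges and destination addresses are constructed sample values (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for public blocks).

```python
import ipaddress

# The three private blocks reserved by RFC 1918, in CIDR form.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(lan):
    """True only if the whole LAN range sits inside one private block."""
    return any(lan.subnet_of(block) for block in RFC1918)


def delivery(host_cidr, destination):
    """Forwarding decision of a LAN host: a destination inside the host's
    own network is delivered directly on the LAN, everything else is sent
    to the default gateway (the NAT router)."""
    iface = ipaddress.ip_interface(host_cidr)
    dest = ipaddress.ip_address(destination)
    return "on-link" if dest in iface.network else "gateway"


def audit_inside_range(lan_cidr, internet_destinations=()):
    """Review one inside range: is it private, and which of the given
    Internet destinations would never reach the NAT router?"""
    lan = ipaddress.ip_network(lan_cidr)   # raises if host bits are set
    sample_host = f"{lan.network_address + 1}/{lan.prefixlen}"
    shadowed = [d for d in internet_destinations
                if delivery(sample_host, d) == "on-link"]
    private = is_rfc1918(lan)
    return {"lan": str(lan), "rfc1918": private,
            "shadowed": shadowed, "ok": private and not shadowed}


if __name__ == "__main__":
    # Constructed destinations standing in for hosts on the Internet.
    internet = ["198.51.100.80", "203.0.113.10"]
    # Constructed inside ranges: one private, one that only looks private
    # (172.32.x.x is outside 172.16.0.0/12), one plainly public.
    for lan in ("192.168.1.0/24", "172.32.5.0/24", "198.51.100.0/24"):
        print(audit_inside_range(lan, internet))
```

The second range is the common mistake: only 172.16.x.x through 172.31.x.x are private, so a LAN numbered from 172.32.x.x hides real Internet hosts from its own users.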

IP Subnetting

Subnetting is the process in which you break a network into smaller pieces. This can be done for a variety of reasons. For example, a company having department LANs connected to different interfaces in a router or in different VLANs in a switch can't use the same network part and the same mask for devices in all departments because they would not communicate with each other.

Using different IP network addresses for devices in different LANs within the same company is not recommended because of the large number of IP addresses that might be wasted in the process.

Subnetting is done by choosing an appropriate mask, called a subnet mask or NetMask to define the number of hosts in that network. The network address of a subnet can be a valid IP address from the subnetted network that devices will no longer be able to use. By subnetting, you lose some usable IP addresses (two for each subnet).

The Subnet Mask

The subnet mask is a 32-bit sequence of zeros and ones, just like the IP address. The subnet mask has all the bits in the network part of the IP address set to 1, and all the bits in the host part of the IP address set to 0. The subnet mask works like the network mask (it's basically the same thing), except that the subnet mask borrows some bits from the host part to identify the subnet.

Let's say the IP address is in the class C network; so, it has the mask The company has two different departments, and they are both in the same network, but it is required that they should be on different networks. When assigning IP addresses, the network administrator used to assign IP addresses ascending, starting with to department A and descending starting from to department B, and so decided to divide this class C network into two subnets, each containing 128 addresses. Those subnets will be and

Initially, we would have:



In order to break the class C network in two subnets, we need to borrow one bit from the host part of the IP address for the network part, so we will have the subnet mask:


The first bit in the last byte of the subnet mask is called a "borrowed bit". The logic is pretty simple and it's based on Boolean logic. A device with IP capabilities does a logical AND between the subnet mask and the IP address to find out the network this IP address belongs to.

For example, for with the subnet mask of, a device does the following operation:

11000000.10101000.00000001.10000010      AND
11111111.11111111.11111111.10000000      EQUALS
11000000.10101000.00000001.10000000   = 

This way it finds out that the IP address having the subnet mask is in the subnet

For having the subnet mask, the logical AND will be:

11000000.10101000.00000001.00000010      AND
11111111.11111111.11111111.10000000      EQUALS
11000000.10101000.00000001.00000000   = 

So the address is in the subnet

By performing a logical AND of all IP addresses in the class C with the subnet mask, the results can only be or This way, we divide the class C network in two.

Before dividing the class C network, we had the broadcast address Now, the last IP address from every subnet becomes the broadcast address for that subnet. The first subnet will have as a broadcast address, and the second will have as a broadcast address. By dividing this class C in two, we lost two possible host IP addresses— (first subnet's broadcast) and (second subnet's network).

Everything Divided in Two

If we need four subnets in that class C network, we do the same thing to the subnet mask. This means we will borrow one more bit from the host part of the IP address and add it to the subnet mask, and so we will be borrowing two bits from the class C mask:

11111111.11111111.11111111.11000000	=

By performing a logical AND with any IP address starting with 192.168.1, we will have four possible values for the last byte:

00000000	=	0
01000000	=	64
10000000	=	128
11000000	=	192

So we have created four subnets:,,, and

We can divide those subnets in another two subnets, and so on.

The rule with the first and the last address of the subnet as being reserved still applies here; so, the first IP address in the subnet is the network address (to identify the subnet) and the last possible address in a subnet is used for broadcast. For the example we just saw, we have:

Usable IP addresses

Network Address

Broadcast Address to to to to

If the class C network is subnetted as in the example, the host having the IP address and the subnet mask will send the broadcasts to the IP address, and only the devices having IP addresses in the same subnet will receive those broadcasts.


For a subnet mask to be valid, it must have a host part, meaning it cannot borrow all the bits in the last byte. At least the last bit must be 0; so the last valid subnet mask is: 11111111.11111111.11111111.11111110 = However, a subnet with the subnet mask has only two possible IP addresses, and by using one for broadcast and one for network address, there are no usable IP addresses in that subnet!

For a class C network, the valid subnets are:

11111111.11111111.11111111.10000000 =
11111111.11111111.11111111.11000000 =
11111111.11111111.11111111.11100000 =
11111111.11111111.11111111.11110000 =
11111111.11111111.11111111.11111000 =
11111111.11111111.11111111.11111100 =

The smallest number of usable IP addresses in a subnet is two, given by the subnet mask, which has four IP addresses in that network (one for network, one for broadcast, and two usable IP addresses).

A Different Approach

Thinking in binary is not always that simple, but that is the process that devices using IP communication use to calculate things. A simple logic in decimal would be like this:

A class C network has 256 IP addresses (from 0 to 255). I need to create four subnets in that class C, and so, each subnet will have (256 / 4 =) 64 IP addresses (only 62 usable for devices). The last byte (in decimal) for the subnet mask will be (256 – 64 =) 192, and so, I get the subnet mask, and subnets,,, and

The trick for subnetting class C networks is to subtract the number of hosts that you want in that subnet from 256 and you get the subnet mask. Please remember that the number of hosts in that subnet must be a power of 2. For 16 addresses in a subnet, you will use the subnet mask (256 – 16 = 240).

To subnet a class B network, if you don't want to use the binary logic, you can still use this procedure by working on the third byte of the subnet mask. For example, a full class B network has 256 * 256 IP addresses. If I want to use 16 * 256 IP addresses in a subnet, I will use for the third byte of the subnet mask the value 256 – 16 = 240, so I will have a subnet mask of
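The subnetting steps above (the logical AND, the borrowed bits, the reserved first and last address, and the 256-minus-size shortcut) fit in one short program. This is an added example, not code from the book; the function names are hypothetical, and the dotted binary strings are the ones shown in the AND operations above.

```python
# Added example (not from the book): subnet arithmetic the way an IP stack
# does it, on 32-bit integers with a bitwise AND.
FULL = 0xFFFFFFFF


def parse_dotted(text, base=10):
    """'192.168.1.130' (base=10) or dotted binary (base=2) -> 32-bit int."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets in {text!r}")
    value = 0
    for part in parts:
        octet = int(part, base)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {text!r}")
        value = (value << 8) | octet
    return value


def to_dotted(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def check_mask(mask):
    """A mask is a run of 1 bits followed only by 0 bits (no holes)."""
    host = ~mask & FULL
    if host & (host + 1):
        raise ValueError(f"non-contiguous mask {to_dotted(mask)}")
    return host                      # the host-part bits, 0x7F for a /25


def describe(address, mask):
    """Network, broadcast and usable range for one address/mask pair."""
    host = check_mask(mask)
    network = address & mask         # host bits forced to 0
    broadcast = network | host       # host bits forced to 1
    usable = max(host - 1, 0)        # block size minus network and broadcast
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + 1) if usable else None,
        "last_host": to_dotted(broadcast - 1) if usable else None,
        "usable": usable,
    }


def split_network(network, mask, borrowed_bits):
    """Borrow bits from the host part; return (network, mask) per subnet."""
    host_bits = bin(check_mask(mask)).count("1")
    if borrowed_bits < 1 or borrowed_bits >= host_bits:
        raise ValueError("the mask must keep a host part")
    new_host_bits = host_bits - borrowed_bits
    new_mask = (FULL << new_host_bits) & FULL
    step = 1 << new_host_bits        # addresses per subnet
    base = network & mask
    return [(base + i * step, new_mask) for i in range(1 << borrowed_bits)]


def mask_octet_for(subnet_size):
    """Decimal shortcut: 256 minus the subnet size is the mask's last byte."""
    if not 2 <= subnet_size <= 128 or subnet_size & (subnet_size - 1):
        raise ValueError("subnet size must be a power of 2 from 2 to 128")
    return 256 - subnet_size


if __name__ == "__main__":
    # The two AND operations from the text, fed in as dotted binary.
    mask = parse_dotted("11111111.11111111.11111111.10000000", 2)
    for bits in ("11000000.10101000.00000001.10000010",
                 "11000000.10101000.00000001.00000010"):
        addr = parse_dotted(bits, 2)
        print(to_dotted(addr), describe(addr, mask))
    # Four subnets: borrow two bits from the class C mask.
    class_c = parse_dotted("255.255.255.0")
    for net, m in split_network(parse_dotted("192.168.1.0"), class_c, 2):
        print(to_dotted(net), to_dotted(m), describe(net, m)["usable"])
    # The shortcut agrees with the binary result for 64 addresses.
    print(mask_octet_for(64), mask_octet_for(16))
```

Running it prints the network and broadcast address for both addresses from the AND examples, the four subnets with 62 usable addresses each, and the last mask byte given by the shortcut.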

IP Supernetting or CIDR

CIDR stands for "Classless Inter-Domain Routing". It is a new addressing scheme for the Internet, intended to replace the old classful (Class A, B, C) address scheme. CIDR allows a more efficient allocation of IP addresses and uses routing aggregation for minimizing the routing table entries, and is also called supernetting.

A recapitulation of classful IP addressing shows us the following:

Address Class | Number of Network Bits | Number of Hosts Bits | Decimal Address Range
Class A | 8 bits | 24 bits |
Class B | 16 bits | 16 bits |
Class C | 24 bits | 8 bits |


  • 126 class A networks with up to 16,777,214 hosts each

  • 65,000 class B networks with up to 65,534 hosts each

  • Over 2 million class C networks with 254 hosts each

If a provider needed 10,000 IP addresses for a project, then it would receive a class B network, and 55,534 IP addresses would not be used. If, however, the provider had been assigned 40 class C networks for those 10,000 IP addresses, it could not match its needs (not all the IP addresses would be in the same network) and the routing tables of routers on the Internet would grow by 40 new routes.

CIDR is an addressing scheme that supports masks not only of 8, 16, or 24 bits as in classful routing but of arbitrary length. The CIDR notation is:

where is the IP address of the network and "n" is the number of '1' bits in the mask. For example, the class C network with the mask is written in CIDR as

The CIDR masks for classes A, B, and C respectively are /8, /16, and /24.

For the earlier example with the provider requesting 10,000 IP addresses, with CIDR the provider would be assigned a network having a mask of /18, meaning the subnet mask would be with 16,382 usable IP addresses and only one prefix in all the routing tables in the world.

Nowadays, providers are assigned large blocks of addresses that their customers can buy instead of every customer having different IP classes. For example, the provider that was assigned a /18 network can give 64 of its customers a class C IP class (a /24). This is called aggregation, and it significantly reduces the size of the routing tables on the Internet.
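The provider example can be worked through in code: sizing the 10,000-address request under classful and CIDR rules, carving the /18 into customer /24s, and counting the routes that remain after aggregation. This is an added example, not code from the book; the function names are hypothetical and the 10.x.x.x prefixes are constructed sample blocks.

```python
import ipaddress

# Usable hosts per classful network, from the recapitulation above.
CLASSFUL = [("C", 254), ("B", 65_534), ("A", 16_777_214)]


def classful_allocation(hosts_needed):
    """Smallest single classful network that fits, and how much idles."""
    for name, capacity in CLASSFUL:
        if hosts_needed <= capacity:
            return {"class": name, "usable": capacity,
                    "unused": capacity - hosts_needed}
    raise ValueError("larger than a class A network")


def prefix_for(hosts_needed):
    """Longest CIDR prefix whose block holds the hosts plus the network
    and broadcast addresses."""
    if hosts_needed < 1:
        raise ValueError("need at least one host")
    # Smallest h with 2**h >= hosts_needed + 2.
    host_bits = (hosts_needed + 1).bit_length()
    if host_bits > 32:
        raise ValueError("does not fit in IPv4")
    return 32 - host_bits


def cidr_allocation(hosts_needed):
    prefix = prefix_for(hosts_needed)
    usable = 2 ** (32 - prefix) - 2
    mask = str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)
    return {"prefix": prefix, "mask": mask, "usable": usable,
            "unused": usable - hosts_needed}


def carve(block, new_prefix):
    """Split a provider block into equal customer blocks."""
    net = ipaddress.ip_network(block)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def aggregate(cidrs):
    """Routes left once adjacent, aligned blocks are merged into one prefix."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print(classful_allocation(10_000))     # class B, 55,534 unused
    print(cidr_allocation(10_000))         # /18, 16,382 usable
    # Constructed provider block: 64 customer /24s announced as one prefix.
    customers = carve("10.64.0.0/18", 24)
    print(len(customers), "customers ->", aggregate(customers))
    # Constructed counter-case: 40 scattered /24s cannot be merged.
    scattered = [f"10.0.{i}.0/24" for i in range(0, 80, 2)]
    print(len(aggregate(scattered)), "routes for 40 scattered class C networks")
```

Aggregation only works when the blocks are contiguous and aligned on the larger prefix, which is why the 40 scattered class C networks still cost 40 routes.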

Let's have a look at the CIDR prefixes down to /16 (class B):

CIDR Prefix | Subnet Mask | Number of IP Addresses

/32 is used in CIDR to specify a single host or IP address. If the prefix is missing, /32 is assumed.

How the Internet Works

Large providers are assigned large IP blocks for them and for their customers. When accessing an IP address outside the provider's network, the data must travel through certain routers to get to the destination IP. The Internet Protocol is responsible for routing the packet to the destination.

Providers have some large, carrier-class routers located at the edge of their network where they interconnect to other providers. Every provider that has at least two interconnections with two different other providers must have an Autonomous System (AS) number to be identified in the exchange of routing information.

The entire Internet is based on BGP (Border Gateway Protocol), which is a dynamic routing protocol used to exchange information between providers about the networks they have.

A provider having the Autonomous System number 1 (AS 1) has two interconnections: one with AS 2 and another with AS 3. Depending on the agreement between the providers, AS 1 can route to either of them only their own networks (Local Exchange or Local Peerings), or it can announce all the routes received from other peers (Full Exchange or Full BGP).

AS 3 can receive the routes to AS 1 networks directly from AS 1, and can also receive them from AS 2 and AS 4. The router finds the best path to AS 1 networks and sends packets to those networks on that path, and if that link fails, on the next best path. (e.g. AS 3 sends the packets to AS 1 directly on their interconnection. If that link fails, it will send them to AS 2, which will forward the packets to AS 1.)



In this chapter, we saw that:

  • Layered models for networking communication allow interoperability, ease of use, and a faster growth of the Internet.

  • The TCP/IP model is the most popular model, but the OSI model is used as a reference in network communication. For example, TCP, which is at TCP/IP Layer 3, is referred to as a Layer 4 protocol.

  • TCP is a connection-oriented and reliable protocol that implements flow-control, while UDP is much simpler, and provides connectionless, unreliable delivery of packets.

  • IP classes A, B, C, D, and E were defined.

  • Subnetting is a process to divide an IP class into smaller pieces by borrowing bits from the host part of the IP address to the network part.

  • CIDR or IP supernetting is an IP addressing scheme that allows a more efficient management of IP addresses and aggregation for reducing the size of routing tables.

  • Providers exchange routing information using the Border Gateway Protocol, thus making the Internet work.

About the Author

  • Lucian Gheorghe

    Lucian Gheorghe has just joined the Global NOC of Interoute, Europe's largest voice and data network provider. Before Interoute, he was working as a senior network engineer for Globtel Internet, a significant Internet and Telephony Services Provider to the Romanian market. He has been working with Linux for more than 8 years, putting a strong accent on security for protecting vital data from hackers and ensuring good quality services for internet customers. Moving to VoIP services, he had to focus even more on security, as sensitive billing data is most often stored on servers with public IP addresses. He has been studying QoS implementations on Linux to build different types of services for IP customers and also to deliver good quality for them and for VoIP over the public internet. Lucian has also been programming with Perl, PHP and Smarty for over 5 years, mostly developing in-house management interfaces for IP and VoIP services.

Latest Reviews

(1 reviews total)
My hope was to get l7-filter to work on an up-to-date Linux with the help of this book. I failed, but this was more due to the rather poorly maintained l7-filter code and less because of the description in the book. Actually this was the only book that covers l7-filter that I could find on Amazon. So, I think the author did a great job - and he helped me to figure out that I'm on the wrong path.