Master TCP/IP, Routing, and Firewall Techniques for Advanced Ops Engineers

1. TCP/IP Protocol Stack: The Network Foundation for Ops

1.1 Why TCP/IP Matters?

Imagine handling a production network outage where users report slow site access and logs show many connection resets; without understanding TCP/IP you are like a surgeon without anatomy knowledge.

The TCP/IP stack has four layers, each with distinct responsibilities:

Application Layer : HTTP, HTTPS, SSH, FTP and others operate here. Ops must know characteristics such as HTTP/1.1 long‑connection exhaustion versus HTTP/2 multiplexing benefits.

Transport Layer : TCP provides reliable delivery but its three‑way handshake and four‑way termination can become performance bottlenecks. For example, a large‑scale sale caused many TIME_WAIT sockets, solved by tuning tcp_tw_reuse and tcp_tw_recycle.

Network Layer : IP handles addressing and routing. TTL helps diagnose loops; fragmentation can affect performance.

Link Layer : Although less frequently touched by ops, concepts like ARP and MAC addresses aid fault isolation.

1.2 TCP Connection Management Practices

Case: an API server stopped accepting new requests despite normal CPU/memory. Using netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn revealed excessive TIME_WAIT sockets.

32768 TIME_WAIT
1024 ESTABLISHED
256 SYN_RECV
64 CLOSE_WAIT

Solutions include:

Optimize kernel parameters :

# Allow TIME_WAIT reuse
echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse
# Adjust TIME_WAIT timeout
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# Expand local port range
echo "1024 65535" > /proc/sys/net/ipv4/ip_local_port_range

Application layer optimization : enable HTTP keep‑alive, use connection pools, implement graceful shutdown.

Architecture optimization : introduce load balancers to distribute connection load.

1.3 UDP Use Cases

UDP is essential for DNS queries, log shipping (rsyslog), and real‑time media. Common UDP issues:

Packet loss : increase receive buffers.

echo 26214400 > /proc/sys/net/core/rmem_max
echo 26214400 > /proc/sys/net/core/rmem_default

Firewall traversal : UDP is connection‑less, requiring explicit firewall rules.

2. Routing Configuration in Practice

2.1 Static vs Dynamic Routing

Small networks often use static routes; larger environments need dynamic protocols.

Static routing example :

# Add route to specific network
ip route add 192.168.100.0/24 via 10.0.0.1 dev eth0
# Default route
ip route add default via 10.0.0.1
# Host route
ip route add 192.168.1.100/32 via 10.0.0.2
# Persist on CentOS/RHEL
echo "192.168.100.0/24 via 10.0.0.1 dev eth0" >> /etc/sysconfig/network-scripts/route-eth0

Dynamic routing considerations :

OSPF for enterprise LANs – fast convergence.

BGP for internet‑scale routing – complex but powerful.

RIP for very small networks – simple but limited scalability.

2.2 Advanced Policy Routing

Policy routing selects routes based on source address, port, or protocol, useful in multi‑ISP setups.

Example: direct video traffic (ports 80/443) through a high‑bandwidth ISP while other traffic uses a stable link.

# Create routing tables
echo "100 video" >> /etc/iproute2/rt_tables
echo "200 normal" >> /etc/iproute2/rt_tables
# Add default routes for each table
ip route add default via 10.0.1.1 table video
ip route add default via 10.0.2.1 table normal
# Rules for video ports
ip rule add dport 80 table video
ip rule add dport 443 table video
# Other traffic
ip rule add from all table normal

2.3 Routing Troubleshooting

Key commands for fast diagnosis:

# Show routing table
ip route show
# Trace route
traceroute -n 8.8.8.8
# Query specific destination
ip route get 192.168.1.1
# Monitor routing changes
ip monitor route
# Show policy rules
ip rule show
# View a specific table
ip route show table video
# Combined ping/traceroute
mtr --report --report-cycles 100 google.com

3. Firewall Policy Design

3.1 Deep Dive into iptables

iptables works on Netfilter with multiple tables and chains.

Tables : filter, nat, mangle, raw.

Chains : INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING.

Rule order : top‑down, first match stops processing.

3.2 Practical Firewall Rules

#!/bin/bash
# Flush existing rules
iptables -F
iptables -X
iptables -Z
# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow established/related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SYN flood protection
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
# SSH limited to specific subnet
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH_DENIED: "
iptables -A INPUT -p tcp --dport 22 -j DROP
# Web services (80/443) with rate limits
iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
# MySQL only from internal network
iptables -A INPUT -p tcp --dport 3306 -s 192.168.0.0/16 -j ACCEPT
# ICMP rate limiting
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Log dropped packets
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 4
# NAT if server acts as gateway
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
# Port forwarding example
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80

3.3 Performance Optimizations

Use ipset for large IP blacklists:

# Create blacklist set
ipset create blacklist hash:ip
ipset add blacklist 1.2.3.4
ipset add blacklist 5.6.7.8
# Apply in iptables
iptables -A INPUT -m set --match-set blacklist src -j DROP

Adjust conntrack table size:

echo 524288 > /proc/sys/net/netfilter/nf_conntrack_max
cat /proc/net/nf_conntrack | wc -l

Place most‑matched rules first to reduce traversal.

3.4 nftables as Next‑Gen Firewall

#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport 22 ip saddr 10.0.0.0/8 accept
        tcp dport { 80, 443 } accept
        icmp type echo-request limit rate 1/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

4. Real‑World Case Studies

4.1 Case: Mysterious Network Latency

Problem : Users experienced slow page loads while CPU and memory were normal.

Investigation :

tcpdump captured many TCP retransmissions.

Routing table inspection revealed a loop.

An incorrect static route caused packets to circulate between two routers.

Fix :

# Delete wrong route
ip route del 10.0.0.0/8 via 192.168.1.254
# Add correct route
ip route add 10.0.0.0/8 via 192.168.1.1
# Add monitoring script to prevent recurrence
*/5 * * * * /usr/local/bin/check_route_loop.sh

4.2 Case: Firewall Rules Causing DB Timeouts

Problem : Intermittent database connection timeouts from application servers.

Investigation :

Firewall logs showed dropped packets.

Conntrack table was full, rejecting new connections.

Long‑lived connections kept many entries.

Solution :

# Increase conntrack table size
echo 1048576 > /proc/sys/net/netfilter/nf_conntrack_max
# Reduce timeout for established TCP connections
echo 3600 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
# Disable tracking for MySQL traffic
iptables -t raw -A PREROUTING -p tcp --dport 3306 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp --sport 3306 -j NOTRACK

5. Monitoring and Automation

5.1 Network Monitoring Metrics

# Interface statistics
watch -n 1 'ip -s link show eth0'
# TCP connection summary
ss -s
# Real‑time traffic monitoring
iftop -i eth0
# Conntrack statistics
conntrack -S

5.2 Automation Script Example (Python)

#!/usr/bin/env python3
import subprocess, json, time
from datetime import datetime

def check_route_health():
    critical_routes = ["10.0.0.0/8", "192.168.0.0/16", "default"]
    for route in critical_routes:
        cmd = f"ip route get {route.split('/')[0]}"
        result = subprocess.run(cmd.split(), capture_output=True, text=True)
        if result.returncode != 0:
            alert(f"Route check failed for {route}")

def check_firewall_rules():
    cmd = "iptables -L -n | wc -l"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    rule_count = int(result.stdout.strip())
    if rule_count < 20:
        alert("Firewall rules might be cleared!")
    elif rule_count > 1000:
        alert("Too many firewall rules, performance impact possible!")

def monitor_connections():
    cmd = "ss -tan | grep -v State | awk '{print $1}' | sort | uniq -c"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    for line in result.stdout.strip().split('
'):
        count, state = line.strip().split()
        count = int(count)
        if state == "TIME-WAIT" and count > 10000:
            alert(f"High TIME_WAIT connections: {count}")
        elif state == "CLOSE-WAIT" and count > 1000:
            alert(f"High CLOSE_WAIT connections: {count}")

def alert(message):
    timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    print(f"[{timestamp}] ALERT: {message}")

if __name__ == "__main__":
    while True:
        check_route_health()
        check_firewall_rules()
        monitor_connections()
        time.sleep(60)

6. Kernel and NIC Tuning for Performance

6.1 Kernel Parameters

# /etc/sysctl.d/network-tuning.conf
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 30
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 8192
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 4096 87380 134217728
net.ipv4.tcp_wmem = 4096 65536 134217728
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq
sysctl -p /etc/sysctl.d/network-tuning.conf

6.2 NIC Optimization

# Enable multiple queues
ethtool -L eth0 combined 8
# Increase ring buffers
ethtool -G eth0 rx 4096 tx 4096
# Turn on offload features
ethtool -K eth0 gso on gro on tso on
# Bind IRQ to specific CPU core
echo 2 > /proc/irq/24/smp_affinity

7. Future Trends: eBPF and Intelligent Networking

7.1 eBPF – Next‑Gen Network Tool

#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/tcp.h>

SEC("socket")
int count_tcp_packets(struct __sk_buff *skb) {
    void *data = (void *)(long)skb->data;
    void *data_end = (void *)(long)skb->data_end;
    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end)
        return 0;
    if (eth->h_proto != htons(ETH_P_IP))
        return 0;
    struct iphdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end)
        return 0;
    if (ip->protocol == IPPROTO_TCP) {
        __sync_fetch_and_add(&tcp_count, 1);
    }
    return 0;
}

7.2 SDN and Network Automation

Software‑Defined Networking separates the control plane (e.g., OpenFlow) from the data plane, allowing Python SDKs to programmatically adjust traffic flows and implement dynamic load balancing.

Conclusion

Understanding TCP/IP, routing, and firewall fundamentals equips operations engineers to diagnose complex issues quickly, design robust architectures, and stay ahead with emerging technologies like eBPF and SDN.