The components of a computer (the CPU, the network interface, the memory and so on) only understand two states when it comes to data: 1 and 0 (or on and off, as some say).
This is the makings of a number system. If you're reading this I suspect you can count to twenty using the symbols 0,1,2,3,4,5,6,7,8,9 (or to pretty much any other number, for that matter). Each of those digits is simply a symbol we use to represent the concept of a number, and we have agreed abstract rules for building any number out of these simple building blocks. When you've used up all of the available symbols in the first column (i.e. reached 9) you increment the second column and reset the first (i.e. 10). This is the decimal number system, or base 10, because it uses 10 symbols as its base.
Binary is a base 2 number system and it works very much like base 10: you use up all the symbols available in the first column, increment the second column, then reset the first. However, since we've only got two symbols to play with, this all happens rather quicker. Counting to ten in binary looks like this.
0 = 0
1 = 1
2 = 10
3 = 11
4 = 100
5 = 101
6 = 110
7 = 111
8 = 1000
9 = 1001
10 = 1010
While we are on the subject there is also a base 16 number system, called hex (a contraction of hexadecimal, for the pedants here), which follows the same rules but uses the following sixteen symbols: 0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f. Counting to twenty in hex looks like this.
0 = 0
1 = 1
2 = 2
3 = 3
4 = 4
5 = 5
6 = 6
7 = 7
8 = 8
9 = 9
10 = a
11 = b
12 = c
13 = d
14 = e
15 = f
16 = 10
17 = 11
18 = 12
19 = 13
20 = 14
So what has all that got to do with anything at all? Well I'm glad you asked.
We've all seen an IP address such as 192.168.0.1 and a subnet mask such as 255.255.255.0. Taken together they split the address into two components, the network address (192.168.0) and the host address (1). It is the mask that decides where that split falls.
A computer performs operations on IP addresses by converting them into binary first, one octet (8 bits) at a time. So 192.168.0.1 looks like this:
11000000.10101000.00000000.00000001
And the subnet mask 255.255.255.0 looks like this:
11111111.11111111.11111111.00000000
We've all heard terms such as routing, NAT and bridging, and perhaps never entirely grasped what is actually going on. Well, if you look carefully at the subnet mask you will see that all of the 1s are together on the left hand side. A computer uses these 1s to determine which network it is on and takes the rest as its host address. It compares the subnet mask with the IP address (a bitwise AND: every bit of the address sitting under a 1 in the mask is kept, every bit under a 0 is cleared) to determine where the network address ends and the host address begins. For 192.168.0.1 with mask 255.255.255.0 that gives a network address of 192.168.0.0 and a host number of 1.
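As an added example (not part of the original article), here is that mask arithmetic done by hand in Python on 32-bit integers, so you can see the AND taking place rather than hiding it behind a library. It goes one step further than the text at this point by also working out the host number, the broadcast address (every host bit set to 1) and the "are we on the same network?" test a host runs before deciding whether it can deliver directly. The addresses are the article's own 192.168.0.x examples; the function names are mine.

```python
# Added example (not from the original article): the subnet arithmetic the
# text describes, done by hand on 32-bit integers rather than with the
# ipaddress module, so the bitwise AND against the mask is visible.
# Addresses used below (192.168.0.x) are constructed sample input.

def ip_to_int(ip: str) -> int:
    """Parse dotted-quad notation into a 32-bit integer, one octet per byte."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(ip: str) -> str:
    """Render an address the way the article does: four 8-bit groups."""
    value = ip_to_int(ip)
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def prefix_length(mask: str) -> int:
    """Count the leading 1s in a mask, rejecting masks whose 1s are not all
    together on the left (255.0.255.0 is not a valid subnet mask)."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask!r}")
    return ones


def network_address(ip: str, mask: str) -> str:
    """Bits under a 1 in the mask are kept; bits under a 0 are cleared."""
    prefix_length(mask)  # validate the mask before using it
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def host_part(ip: str, mask: str) -> int:
    """Bits under a 0 in the mask are the host number within the network."""
    return ip_to_int(ip) & (~ip_to_int(mask) & 0xFFFFFFFF)


def broadcast_address(ip: str, mask: str) -> str:
    """The network address with every host bit set to 1."""
    return int_to_ip(ip_to_int(ip) | (~ip_to_int(mask) & 0xFFFFFFFF))


def same_network(a: str, b: str, mask: str) -> bool:
    """The test a host runs before deciding whether it can deliver directly
    (via ARP) or must hand the packet to a gateway."""
    return network_address(a, mask) == network_address(b, mask)


if __name__ == "__main__":
    ip, mask = "192.168.0.1", "255.255.255.0"
    print(to_binary(ip))
    print(to_binary(mask))
    print("network  :", network_address(ip, mask))
    print("host     :", host_part(ip, mask))
    print("broadcast:", broadcast_address(ip, mask))
    print("same net as 192.168.1.2?", same_network(ip, "192.168.1.2", mask))
```

The mask validation matters in practice: a mask whose 1s are not contiguous is accepted by some older tools and produces a network that no router will agree with you about.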
Let's use an analogy to explain this properly. Imagine a street with some houses on it. You live in one of the houses, number 1 let's say, and you want to send a letter to a friend. You write the letter, put it in an envelope, then look at the address on the envelope and realise that they live on the same street as you. You look a little closer and realise they live at number 2, so you wander round and put it through their letter box (in computers there is actually a process for finding where number 2 is, called ARP, but we'll leave that for another day).
The catch is that a computer can only hand deliver messages to machines with the same network address as itself. So if the computer you want to talk to lives on a different network, you need to find a machine on your own network that will deliver the message for you.
In this scenario you write your letter, stick it in an envelope, then wander round to the post office, hand it over and let them worry about the logistics of getting it to its destination. Before you can do this, though, you need to know the address of your post office: that is what your default gateway address is for. It is the default post office to use for all mail destined for streets other than yours. But what if your friend lives on a street that the default post office doesn't know about? For this you would have a routing table that you inspect before you send the mail, which is simply a list of street names (network addresses and masks) and the corresponding post office (next hop) for each of them. The most specific entry that matches the destination wins, and the default gateway is just the entry that matches everything. The logic of it works something like this.
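An added example (mine, not the article's) of that logic in Python using the standard ipaddress module: a small routing table with a directly connected LAN, a static route to another private network via a second router, and a default route, plus a lookup that picks the most specific matching entry. The routes, next hops and interface name are made up for the demonstration, and 203.0.113.0/24 is a reserved documentation range standing in for "somewhere on the internet".

```python
# Added example (not from the original article): a routing table lookup of
# the kind the post-office analogy describes. Routes and addresses are
# constructed sample data; 203.0.113.0/24 is a documentation range.
from __future__ import annotations
from ipaddress import IPv4Address, IPv4Network
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: IPv4Network             # the "street" this entry covers
    next_hop: Optional[IPv4Address]  # the "post office", or None if directly connected
    interface: str


class Decision(NamedTuple):
    route: Route
    deliver_to: IPv4Address          # the address to ARP for on the wire


def lookup(table: list[Route], destination: str) -> Optional[Decision]:
    """Longest-prefix match: the most specific route containing the
    destination wins. 0.0.0.0/0 (the default gateway) matches everything,
    so it only wins when nothing more specific does. Returns None when no
    route matches at all (the packet is undeliverable)."""
    dst = IPv4Address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: r.network.prefixlen)
    # A directly connected route means we hand-deliver to the host itself;
    # otherwise the frame goes to the next hop and that router takes it on.
    return Decision(best, dst if best.next_hop is None else best.next_hop)


def build_table(default_gateway: Optional[str] = "192.168.0.1") -> list[Route]:
    """A typical small table: the local LAN, a static route to a 10/8
    network via a second router on the LAN, and (optionally) a default route."""
    table = [
        Route(IPv4Network("192.168.0.0/24"), None, "eth0"),
        Route(IPv4Network("10.0.0.0/8"), IPv4Address("192.168.0.254"), "eth0"),
    ]
    if default_gateway is not None:
        table.append(Route(IPv4Network("0.0.0.0/0"), IPv4Address(default_gateway), "eth0"))
    return table


def next_hop_for(destination: str,
                 default_gateway: Optional[str] = "192.168.0.1") -> Optional[str]:
    """Convenience wrapper returning the on-the-wire destination as a string."""
    d = lookup(build_table(default_gateway), destination)
    return None if d is None else str(d.deliver_to)


if __name__ == "__main__":
    for dst in ("192.168.0.2", "10.20.30.40", "203.0.113.7"):
        print(dst, "->", next_hop_for(dst))
    print("203.0.113.7 with no default route ->", next_hop_for("203.0.113.7", None))
```

Without a default route the last lookup returns None, which is exactly the "no route to host" error you get on a machine whose gateway has not been configured.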
The internet is made up of millions of separate networks, with routers in between them to send packets on to their eventual destinations. These routers can host massive routing tables, especially those at the network cores in places like Telehouse, MAE-West and MAE-East. So perhaps you're asking why we make it all so complicated: why not just have a single large network where everything can talk to whatever it wants? The answer is that this model scales. There is often data that is destined for all hosts on a single network. These packets are called broadcast packets and are sent to a special host address on the network: the one with all ones in the host part of its binary representation. So on our 192.168.0.0 network with mask 255.255.255.0, 192.168.0.255 is the broadcast address. All computers broadcast to the network from time to time, and if there are too many machines on a single network there ends up being so much broadcast traffic that nothing else can get through and the network grinds to a halt.
All addresses on the internet must be unique, just like every street address in the world is unique. But this presents problems when it comes to addressing private networks: there are far more machines on private networks than there are public addresses, and those machines come and go all the time, so requiring every one of them to have a globally unique address would be impractical. So a set of three blocks of addresses was set aside (in RFC 1918) for use as private address ranges. These addresses are not routed across the public internet, and routers on the internet will drop packets addressed to them. These addresses are
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
These ranges can be carved up with any subnet mask you desire, but they were originally designated along the old class A, B and C boundaries:
10.x.x.x – 255.0.0.0
172.16.x.x – 255.255.0.0
192.168.0.x – 255.255.255.0
(if you've been paying attention you'll be able to figure out what's happening there: the 10 range is one network with an 8-bit mask, 172.16 to 172.31 is sixteen networks with 16-bit masks, and 192.168 is 256 networks with 24-bit masks!)
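As an added example (not from the article) in Python, here is that puzzle spelled out: where each of the three blocks starts and ends in CIDR terms, how many networks of the listed mask size each block holds, and a check for whether an address falls inside any of them (the kind of check you want when deciding whether a request claiming to come from "inside" really could have). The addresses tested are constructed.

```python
# Added example (not from the original article): how the three private
# ranges relate to the masks they were originally designated with. The
# addresses tested are constructed sample input.
from __future__ import annotations
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# The three RFC 1918 blocks in CIDR form, each paired with the classful
# mask the article lists against it.
RFC1918_BLOCKS = {
    "10.0.0.0/8": "255.0.0.0",
    "172.16.0.0/12": "255.255.0.0",
    "192.168.0.0/16": "255.255.255.0",
}


def rfc1918_block(ip: str) -> Optional[str]:
    """Return the private block containing ip, or None for a public address."""
    addr = IPv4Address(ip)
    for cidr in RFC1918_BLOCKS:
        if addr in IPv4Network(cidr):
            return cidr
    return None


def is_private(ip: str) -> bool:
    return rfc1918_block(ip) is not None


def networks_in_block(cidr: str) -> int:
    """How many networks of the listed mask size fit in the block:
    10/8 is one class A sized network, 172.16/12 is sixteen class B sized
    ones and 192.168/16 is 256 class C sized ones."""
    block = IPv4Network(cidr)
    per_net = IPv4Network(f"0.0.0.0/{RFC1918_BLOCKS[cidr]}").prefixlen
    return sum(1 for _ in block.subnets(new_prefix=per_net))


def block_range(cidr: str) -> tuple[str, str]:
    """First and last address of a block, as the article writes them."""
    block = IPv4Network(cidr)
    return str(block[0]), str(block[-1])


if __name__ == "__main__":
    for cidr, mask in RFC1918_BLOCKS.items():
        lo, hi = block_range(cidr)
        print(f"{cidr}: {lo} - {hi}, {networks_in_block(cidr)} network(s) with mask {mask}")
    for ip in ("10.1.2.3", "172.31.255.255", "172.32.0.1", "192.168.5.6", "203.0.113.9"):
        print(ip, "private" if is_private(ip) else "public")
```

Note that 172.32.0.1 is public even though it looks like the neighbour of a private address: the 172.16 block ends at 172.31.255.255, which is the sort of boundary a hand-written regex gets wrong.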
Now we'll get onto something a little more complex: TCP/IP ports. Every application that offers a service over the network listens for connections on a port, and each well-known port has its own conventional use (although this default behaviour can be altered). So for instance HTTP listens on TCP port 80 for web requests, SMTP (a mail protocol) listens on TCP port 25, and so on and so forth. UDP has its own, separate set of port numbers.
Back to our analogy: imagine that every house on the street is actually a tower block with 65536 floors (ports are numbered 0 to 65535). Each floor has a single occupant. When a letter comes to an address it does not just come to a house number, it also needs to specify which floor (port number) it is being delivered to. Only one service can listen on a given port number for a given protocol and address; a second program that tries to take the same one is refused.
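An added example, not from the article, of that last point on a real socket: bind a TCP listener on the loopback address, try to bind a second TCP socket to the same port (refused with EADDRINUSE), then bind a UDP socket to the same port number (allowed, because UDP ports are a separate set of floors). The kernel picks the port number, so it runs offline without clashing with anything else on the machine.

```python
# Added example (not from the original article): what "only one occupant
# per floor" means at the socket level. Everything binds to the loopback
# address so it runs offline; the kernel hands out the port number.
import errno
import socket


def port_exclusivity() -> dict:
    """Bind a TCP listener on an ephemeral port, then show that a second TCP
    socket cannot take the same port, while a UDP socket can: TCP and UDP
    port numbers are separate spaces, so a "floor" is really
    protocol + address + port."""
    results = {}
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        first.bind(("127.0.0.1", 0))       # port 0: the kernel picks a free port
        first.listen(1)
        port = first.getsockname()[1]
        results["port"] = port

        second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            second.bind(("127.0.0.1", port))
            results["second_tcp_bind"] = "succeeded"   # would mean two listeners on one floor
        except OSError as exc:
            results["second_tcp_bind"] = errno.errorcode.get(exc.errno, str(exc.errno))
        finally:
            second.close()

        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            udp.bind(("127.0.0.1", port))
            results["udp_same_port"] = "succeeded"
        except OSError as exc:
            results["udp_same_port"] = errno.errorcode.get(exc.errno, str(exc.errno))
        finally:
            udp.close()
    finally:
        first.close()
    return results


if __name__ == "__main__":
    print(port_exclusivity())
```

Keep this in mind when reading a port scan: "port 80 open" tells you about TCP port 80 and nothing about UDP port 80, and vice versa.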
What does a firewall do?
A firewall is a postmaster in a bad mood who looks at the letters coming into the post office and bins the ones he doesn't like. Specifically, in the usual default-deny configuration, any address and port that does not have an explicit rule saying it will accept a message has its mail thrown away. This way you can offer a service on the inside of a firewall that is not accessible from outside it, because the packets destined for that service never actually get there: the firewall (post office) drops them before they enter the network.
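Added example (not the article's): a toy default-deny packet filter in Python that plays the postmaster. The rule set and the packets are constructed, and 203.0.113.0/24 is a reserved documentation range standing in for "the outside". It also shows the caveat that matters most in practice: rules are evaluated in order and the first match wins, so a broad accept placed above a narrow drop silently disables the drop.

```python
# Added example (not from the original article): a minimal default-deny
# packet filter. Rules and packets are constructed sample data;
# 203.0.113.0/24 is a documentation range used here as "the internet".
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "accept" or "drop"
    proto: Optional[str]    # None means any protocol
    src: IPv4Network        # who may send
    dst: IPv4Network        # to which inside address(es)
    dport: Optional[int]    # None means any port

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and IPv4Address(p.src) in self.src
                and IPv4Address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def decide(rules: list[Rule], p: Packet) -> str:
    """First matching rule wins; no match at all means drop (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


ANY = IPv4Network("0.0.0.0/0")

# Inbound policy for a small network: the web server is public, the mail
# server accepts SMTP, and one management host may reach SSH on everything.
# Nothing else gets in.
RULES = [
    Rule("accept", "tcp", ANY, IPv4Network("192.168.0.10/32"), 80),
    Rule("accept", "tcp", ANY, IPv4Network("192.168.0.11/32"), 25),
    Rule("accept", "tcp", IPv4Network("203.0.113.5/32"), IPv4Network("192.168.0.0/24"), 22),
    Rule("drop", None, ANY, ANY, None),   # explicit catch-all; same effect as the default
]


def filter_packets(packets: list[Packet], rules: list[Rule] = RULES) -> list[str]:
    return [decide(rules, p) for p in packets]


if __name__ == "__main__":
    sample = [
        Packet("tcp", "203.0.113.77", "192.168.0.10", 80),   # web from anywhere: accept
        Packet("tcp", "203.0.113.77", "192.168.0.10", 22),   # ssh from a stranger: drop
        Packet("tcp", "203.0.113.5", "192.168.0.10", 22),    # ssh from the admin host: accept
        Packet("udp", "203.0.113.77", "192.168.0.10", 80),   # wrong protocol: drop
        Packet("tcp", "203.0.113.77", "192.168.0.11", 80),   # web on the mail server: drop
    ]
    for p, verdict in zip(sample, filter_packets(sample)):
        print(f"{p.proto} {p.src} -> {p.dst}:{p.dport}: {verdict}")
```

The explicit catch-all drop at the end is redundant here but is worth keeping in real rule sets: it makes the policy's intent visible and survives a tool whose default is accept rather than drop.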
What is NAT?
NAT is like a PO box for the internet. It sits on the public address of the post office and allows you to use a private IP address inside a network but still have conversations with machines that have real (public) IP addresses. When you send a message out of your network the post office takes it out of the envelope and puts it into a new envelope with a different reply address: the post office's public address instead of your private address. It then writes down, in a translation table, which private address and port this conversation belongs to and which public port it handed out for it, so that when a reply comes back (most letters get some sort of response, and that response gets responded to, and so on; this is a conversation) it can be put back into an envelope addressed to you. A letter arriving for a conversation that isn't in the table goes no further, which is why machines behind NAT can't be reached from outside unless you set something up explicitly.
However, some protocols also write the sender's address inside the letter itself (FTP's PORT command is the classic example), so in these cases special rules are needed that read the contents of the packets and rewrite any IP address or port the protocol has put inside the packet data. This has to be done on a protocol by protocol basis (these helpers are called application layer gateways), so each such application needs its own bit of code on the NAT router if it is to cross it successfully.
Port forwarding is kind of like NAT, and is usually found alongside a NAT router (in fact I can't think of a scenario where port forwarding would be used without NAT). It allows an address in one network to accept traffic that is being sent from a different network. An address and port at the post office has a forwarding rule set up, so that when a packet arrives for a specified floor on the public side it is sent on to a different address on the private network; the floor (port) can also be changed if required, but for the most part the ports are left as they are. The machine doing the forwarding would normally have an address in both networks, although there is no reason why a forwarded packet cannot be routed through a network like any other packet.
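As an added example covering both the NAT description above and this port forwarding paragraph (mine, not the article's), here is a Python model of the post office: outbound packets get the public address and a freshly allocated port, the mapping goes into a translation table so replies can be rewritten back to the inside host, an unsolicited inbound packet with no table entry is dropped, and a static forwarding rule lets an outside client reach an inside web server (with the port changed on the way in, to show that it can be). All addresses are constructed; 203.0.113.0/24 is a reserved documentation range.

```python
# Added example (not from the original article): a NAT box with a
# translation table plus a port-forwarding rule, as in the post office
# analogy. Addresses are constructed; 203.0.113.0/24 is a documentation range.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # (proto, public port) -> (private ip, private port): the "PO box" table
        self.table: dict[tuple[str, int], tuple[str, int]] = {}
        # (proto, private ip, private port) -> public port, so one inside
        # conversation keeps one outside port for its lifetime
        self._reverse: dict[tuple[str, str, int], int] = {}
        # (proto, public port) -> (private ip, private port): static forwarding rules
        self.forwards: dict[tuple[str, int], tuple[str, int]] = {}

    def forward_port(self, proto: str, public_port: int, to_ip: str, to_port: int) -> None:
        """Static rule: letters for this floor at the post office go inside."""
        self.forwards[(proto, public_port)] = (to_ip, to_port)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite the reply address: private source -> public ip and a port
        allocated for this conversation, recorded in the table."""
        key = (p.proto, p.src_ip, p.src_port)
        if key not in self._reverse:
            port = self._next_port
            self._next_port += 1
            self._reverse[key] = port
            self.table[(p.proto, port)] = (p.src_ip, p.src_port)
        return Packet(p.proto, self.public_ip, self._reverse[key], p.dst_ip, p.dst_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Put the letter back into an envelope addressed to the inside host.
        Forwarding rules are checked first, then the conversation table; a
        letter matching neither is dropped (returns None)."""
        if p.dst_ip != self.public_ip:
            return None
        target = self.forwards.get((p.proto, p.dst_port)) or self.table.get((p.proto, p.dst_port))
        if target is None:
            return None
        return Packet(p.proto, p.src_ip, p.src_port, target[0], target[1])


def demo() -> dict:
    nat = NatRouter("203.0.113.1")
    nat.forward_port("tcp", 80, "192.168.0.10", 8080)   # public :80 -> inside web server :8080

    out = nat.outbound(Packet("tcp", "192.168.0.5", 50000, "203.0.113.200", 443))
    reply = nat.inbound(Packet("tcp", "203.0.113.200", 443, "203.0.113.1", out.src_port))
    stranger = nat.inbound(Packet("tcp", "203.0.113.66", 1234, "203.0.113.1", 45000))
    web = nat.inbound(Packet("tcp", "203.0.113.66", 1234, "203.0.113.1", 80))
    return {"out": out, "reply": reply, "stranger": stranger, "web": web}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

The model leaves out what a real NAT router also tracks, namely timeouts that expire idle table entries and, for TCP, the connection state, but the two lookups in inbound() are the whole reason NAT behaves like a firewall for unsolicited traffic while still letting forwarded services through.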