Saturday, December 20, 2025

Networking is the backbone of modern infrastructure and DevOps.

Linux Networking - DevOps Infrastructure Guide

Linux Networking

Published: December 2023 | Topic: Network Configuration & Security for DevOps

Networking is the backbone of modern infrastructure and DevOps. Understanding Linux networking enables you to configure servers, secure communications, troubleshoot connectivity issues, and automate network operations across your infrastructure.

Why Networking Matters for DevOps

Mastering Linux networking provides:

  • Service Connectivity: Ensure applications can communicate internally and externally
  • Security: Implement firewalls and secure access controls
  • Automation: Script network configurations for consistent deployments
  • Troubleshooting: Quickly diagnose and resolve network issues
  • Performance: Optimize network settings for better throughput
  • Monitoring: Track network traffic and identify bottlenecks
  • Compliance: Meet security standards and audit requirements

Linux Network Stack

Application
HTTP, SSH, DNS
Transport
TCP UDP
Network
IP ICMP
Link
Ethernet, WiFi

1. Network Configuration Files

Understanding Network Configuration

Linux network configuration is managed through various files that define interfaces, IP addresses, routing, and DNS settings. These files differ between distributions.

Key Network Configuration Locations

  • /etc/network/ - Debian/Ubuntu network configuration
  • /etc/sysconfig/network-scripts/ - RHEL/CentOS interface configs
  • /etc/netplan/ - Ubuntu 18.04+ network configuration
  • /etc/systemd/network/ - systemd-networkd configurations
  • /etc/hosts - Local hostname to IP mappings
  • /etc/resolv.conf - DNS resolver configuration
  • /etc/nsswitch.conf - Name service switch configuration

Debian/Ubuntu Network Configuration

Traditional (ifupdown)

# /etc/network/interfaces
# Static IP configuration
auto eth0
iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8 8.8.4.4

# DHCP configuration
auto eth0
iface eth0 inet dhcp

# Apply changes
$ sudo systemctl restart networking

Modern (Netplan - Ubuntu 18.04+)

# /etc/netplan/01-netcfg.yaml
network:
  version: 2
  ethernets:
    ens33:
      dhcp4: false
      addresses: [192.168.1.100/24]
      gateway4: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]

# Apply configuration
$ sudo netplan apply

# Generate config from current state
$ sudo netplan generate

# Debug configuration
$ sudo netplan --debug apply

RHEL/CentOS Network Configuration

Traditional Network Scripts (RHEL/CentOS 7)

# /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.1.100
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=8.8.8.8
DNS2=8.8.4.4

# For DHCP:
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes

# Restart network service
$ sudo systemctl restart network

Modern (NetworkManager - RHEL/CentOS 8+)

# Using nmcli (NetworkManager CLI)
# Add connection with static IP
$ sudo nmcli con add type ethernet con-name eth0-static ifname eth0 \
    ipv4.addresses 192.168.1.100/24 \
    ipv4.gateway 192.168.1.1 \
    ipv4.dns "8.8.8.8 8.8.4.4" \
    ipv4.method manual

# Add DHCP connection
$ sudo nmcli con add type ethernet con-name eth0-dhcp ifname eth0

# Show connections
$ nmcli con show

# Show devices
$ nmcli dev status

Essential Network Configuration Files

File Purpose Example Content Distribution
/etc/hosts Local hostname resolution 127.0.0.1 localhost
192.168.1.10 server1		 All
/etc/resolv.conf DNS resolver configuration nameserver 8.8.8.8
search example.com		 All
/etc/nsswitch.conf Name service order hosts: files dns All
/etc/hostname System hostname server1.example.com All
/etc/network/interfaces Network interface config iface eth0 inet static Debian/Ubuntu
/etc/sysconfig/network-scripts/ifcfg-* Interface configuration DEVICE=eth0
BOOTPROTO=dhcp		 RHEL/CentOS

Automated Network Configuration with Ansible

# Ansible playbook for network configuration
---
- name: Configure network settings
hosts: all
tasks:
- name: Set hostname
hostname:
name: "{{ inventory_hostname }}"

- name: Configure /etc/hosts
lineinfile:
path: /etc/hosts
line: "{{ item.ip }} {{ item.hostname }}"
state: present
loop:
- { ip: "192.168.1.10", hostname: "web1.example.com" }
- { ip: "192.168.1.11", hostname: "db1.example.com" }

- name: Configure DNS on Debian/Ubuntu
block:
- name: Install resolvconf if needed
apt:
name: resolvconf
state: present
when: ansible_os_family == "Debian"

- name: Configure resolv.conf
copy:
dest: /etc/resolv.conf
content: |
nameserver 8.8.8.8
nameserver 8.8.4.4
search example.com
when: ansible_os_family == "Debian"

- name: Configure static IP on CentOS
template:
src: ifcfg-eth0.j2
dest: /etc/sysconfig/network-scripts/ifcfg-eth0
when: ansible_os_family == "RedHat"

- name: Restart network service
service:
name: "{{ 'networking' if ansible_os_family == 'Debian' else 'network' }}"
state: restarted

2. Network Commands: ip, ifconfig, netstat, ss, ping, traceroute

Modern vs Legacy Network Commands

Legacy Commands (deprecated but still used)

  • ifconfig - Interface configuration
  • netstat - Network statistics
  • route - Routing table management
  • arp - ARP table management
  • iptunnel - IP tunnel configuration

⚠️ Warning: These tools are deprecated on many modern distributions. Use iproute2 alternatives instead.

Modern Commands (iproute2 package)

  • ip - Swiss army knife for networking
  • ss - Socket statistics (faster than netstat)
  • bridge - Bridge configuration
  • tc - Traffic control
  • devlink - Device configuration

✅ Recommendation: Learn and use iproute2 commands for modern systems.

The ip Command (Modern Replacement)

Interface Management

# Show all interfaces
$ ip addr show
# or
$ ip a

# Show specific interface
$ ip addr show eth0

# Bring interface up/down
$ sudo ip link set eth0 up
$ sudo ip link set eth0 down

# Show interface statistics
$ ip -s link show eth0

IP Address Management

# Add IP address to interface
$ sudo ip addr add 192.168.1.100/24 dev eth0

# Remove IP address
$ sudo ip addr del 192.168.1.100/24 dev eth0

# Add secondary IP (alias)
$ sudo ip addr add 192.168.1.101/24 dev eth0 label eth0:1

# Flush all IPs from interface
$ sudo ip addr flush dev eth0

Routing Management

# Show routing table
$ ip route show
# or
$ ip r

# Add default gateway
$ sudo ip route add default via 192.168.1.1

# Add specific route
$ sudo ip route add 10.0.0.0/8 via 192.168.1.254

# Delete route
$ sudo ip route del 10.0.0.0/8

# Show route cache
$ ip route show cache

ARP and Neighbor Tables

# Show ARP table
$ ip neigh show
# or
$ ip n

# Add static ARP entry
$ sudo ip neigh add 192.168.1.50 lladdr aa:bb:cc:dd:ee:ff dev eth0

# Delete ARP entry
$ sudo ip neigh del 192.168.1.50 dev eth0

# Flush ARP table
$ sudo ip neigh flush dev eth0

Socket Statistics with ss (Modern netstat)

Basic Socket Information

# Show all sockets
$ ss -tulpn
# -t: TCP, -u: UDP, -l: listening, -p: process, -n: numeric

# Show TCP sockets only
$ ss -tlnp

# Show UDP sockets only
$ ss -ulnp

# Show established connections
$ ss -t state established

Advanced Socket Filtering

# Show connections to specific port
$ ss -t dst :80

# Show connections from specific IP
$ ss -t src 192.168.1.100

# Show connections in specific state
$ ss -t state listening
$ ss -t state established
$ ss -t state time-wait

# Show socket memory usage
$ ss -tmp

Legacy Commands and Their Modern Equivalents

Legacy Command Modern Equivalent Purpose Example
ifconfig ip addr Show interface configuration ip a vs ifconfig
route ip route Show/manipulate routing table ip r vs route -n
arp ip neigh Show/manipulate ARP table ip n vs arp -a
netstat ss Show socket statistics ss -tulpn vs netstat -tulpn
iptunnel ip tunnel Tunnel configuration ip tunnel add vs iptunnel add

Network Testing Commands

ping

# Basic ping (continuous)
$ ping 8.8.8.8
# Ctrl+C to stop

# Ping specific number of packets
$ ping -c 5 8.8.8.8

# Ping with interval
$ ping -i 2 8.8.8.8
# 2 second interval

# Ping with size
$ ping -s 1500 8.8.8.8
# 1500 byte packets

# Ping flood (stress testing)
$ sudo ping -f 8.8.8.8

traceroute / tracepath

# Basic traceroute
$ traceroute google.com

# Use ICMP instead of UDP
$ traceroute -I google.com

# Specify first TTL
$ traceroute -f 5 google.com
# Start from hop 5

# Modern alternative (tracepath)
$ tracepath google.com

# Using mtr (combined ping/traceroute)
$ mtr google.com

Network Diagnostics

# Test DNS resolution
$ nslookup google.com
$ dig google.com

# Test port connectivity
$ nc -zv google.com 80
# or
$ telnet google.com 80

# Bandwidth testing
$ iperf3 -c server_ip
$ speedtest-cli

# Show network traffic
$ iftop
$ nethogs
$ iptraf-ng

3. DNS & /etc/hosts

Understanding DNS in Linux

The Domain Name System (DNS) translates hostnames to IP addresses. Linux systems use several files and services to manage name resolution.

Linux Name Resolution Flow

Application requests hostname
/etc/nsswitch.conf
Determines resolution order
/etc/hosts
Local mappings
DNS
via /etc/resolv.conf

DNS Configuration Files

/etc/resolv.conf

# Basic DNS configuration
nameserver 8.8.8.8
nameserver 8.8.4.4
search example.com localdomain
options timeout:2 attempts:3 rotate

# Important notes:
# 1. Max 3 nameserver entries
# 2. 'search' specifies domain search list
# 3. 'options' controls resolver behavior

# Test DNS resolution
$ cat /etc/resolv.conf
$ nslookup google.com
$ dig google.com

/etc/hosts

# Format: IP_address hostname [aliases...]
127.0.0.1 localhost
127.0.1.1 ubuntu-server

# IPv6 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# Custom entries for local network
192.168.1.10 web-server web.example.com
192.168.1.20 db-server db.example.com
192.168.1.30 mail-server mail

# Block websites (alternative use)
127.0.0.1 bad-site.com www.bad-site.com

/etc/nsswitch.conf

# Name Service Switch configuration
# Controls order of name resolution

# Typical hosts line:
hosts: files dns

# Resolution order:
# 1. 'files' = /etc/hosts
# 2. 'dns' = DNS servers in /etc/resolv.conf

# Other options:
# hosts: files mdns4_minimal [NOTFOUND=return] dns
# This tries /etc/hosts, then mDNS, then DNS

# Check current configuration
$ grep ^hosts /etc/nsswitch.conf

DNS Tools and Commands

dig (Domain Information Groper)

# Basic DNS lookup
$ dig google.com

# Query specific DNS server
$ dig @8.8.8.8 google.com

# Query specific record type
$ dig google.com A # IPv4 address
$ dig google.com MX # Mail exchange
$ dig google.com TXT # Text records
$ dig google.com NS # Name servers

# Reverse DNS lookup
$ dig -x 8.8.8.8

# Short output
$ dig +short google.com

# Trace DNS resolution path
$ dig +trace google.com

nslookup

# Interactive mode
$ nslookup
> google.com
> server 8.8.8.8 # Change DNS server
> set type=MX
> google.com
> exit

# Command-line mode
$ nslookup google.com
$ nslookup -type=MX google.com
$ nslookup google.com 8.8.8.8

host

# Simple DNS lookup
$ host google.com

# Lookup specific record type
$ host -t MX google.com
$ host -t TXT google.com

# Reverse DNS lookup
$ host 8.8.8.8

# Verbose output
$ host -v google.com

# Query specific DNS server
$ host google.com 8.8.8.8

DNS Configuration Management

# Check DNS resolution order
$ systemd-resolve --status

# Flush DNS cache (systemd-resolved)
$ sudo systemd-resolve --flush-caches

# Check which process manages /etc/resolv.conf
$ ls -l /etc/resolv.conf
# If symlink, check where it points

# Test DNS server response time
$ time nslookup google.com
$ dig google.com | grep "Query time"

DNS Troubleshooting Workflow

# 1. Check local hosts file
$ cat /etc/hosts | grep -v "^#" | grep -v "^$"

# 2. Check nsswitch.conf order
$ grep ^hosts /etc/nsswitch.conf

# 3. Check current DNS servers
$ cat /etc/resolv.conf
$ systemd-resolve --status 2>/dev/null || echo "No systemd-resolve"

# 4. Test DNS resolution with different tools
$ dig google.com
$ dig @8.8.8.8 google.com # Bypass local resolver

# 5. Check DNS connectivity
$ nc -zv 8.8.8.8 53
# Port 53 is DNS

# 6. Trace DNS resolution
$ dig +trace google.com

# 7. Check for DNS hijacking or manipulation
$ dig google.com | grep -A1 "ANSWER SECTION"

4. Firewall Basics: ufw, iptables, firewalld

Understanding Linux Firewalls

Linux provides multiple firewall solutions to control network traffic. The choice depends on your distribution and specific needs.

Linux Firewall Ecosystem

UFW
Uncomplicated Firewall
Debian/Ubuntu
firewalld
Dynamic Firewall
RHEL/CentOS/Fedora
iptables
Legacy Standard
All distributions
nftables
Modern Replacement
Newer distributions

UFW (Uncomplicated Firewall) - Debian/Ubuntu

Basic UFW Commands

# Enable/disable firewall
$ sudo ufw enable
$ sudo ufw disable

# Check status
$ sudo ufw status verbose
$ sudo ufw status numbered

# Default policies
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

# Reset to defaults
$ sudo ufw reset

Rule Management

# Allow/deny by port
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443
$ sudo ufw deny 22

# Allow/deny by service name
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow 'Nginx Full'

# Allow/deny by IP
$ sudo ufw allow from 192.168.1.0/24
$ sudo ufw allow from 192.168.1.100 to any port 22

# Delete rules
$ sudo ufw delete allow 80
$ sudo ufw delete 3 # Delete rule #3

Advanced UFW

# Limit connection attempts
$ sudo ufw limit ssh
# Limits SSH connections to 6 per 30 seconds

# Application profiles
$ sudo ufw app list
$ sudo ufw app info 'Nginx HTTP'
$ sudo ufw allow 'Nginx HTTP'

# Logging
$ sudo ufw logging on
$ sudo ufw logging low|medium|high

# Show raw iptables rules
$ sudo ufw show raw

firewalld - RHEL/CentOS/Fedora

Basic firewalld Commands

# Start/enable firewalld
$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld

# Check status
$ sudo firewall-cmd --state
$ sudo firewall-cmd --list-all

# Zones management
$ sudo firewall-cmd --get-default-zone
$ sudo firewall-cmd --get-active-zones
$ sudo firewall-cmd --set-default-zone=public

Zone Operations

# Add service to zone
$ sudo firewall-cmd --zone=public --add-service=http
$ sudo firewall-cmd --zone=public --add-service=https
$ sudo firewall-cmd --zone=public --add-service=ssh

# Add port to zone
$ sudo firewall-cmd --zone=public --add-port=8080/tcp
$ sudo firewall-cmd --zone=public --add-port=10000-20000/udp

# Remove service/port
$ sudo firewall-cmd --zone=public --remove-service=ssh
$ sudo firewall-cmd --zone=public --remove-port=8080/tcp

# List services in zone
$ sudo firewall-cmd --zone=public --list-services
$ sudo firewall-cmd --zone=public --list-ports

Permanent Rules & Rich Rules

# Make changes permanent
$ sudo firewall-cmd --permanent --zone=public --add-service=http
$ sudo firewall-cmd --reload

# Rich rules (advanced filtering)
# Allow IP with port
$ sudo firewall-cmd --zone=public --add-rich-rule='
    rule family="ipv4" source address="192.168.1.100" port port="22" protocol="tcp" accept'

# Reject IP
$ sudo firewall-cmd --zone=public --add-rich-rule='
    rule family="ipv4" source address="10.0.0.0/8" reject'

# Limit connections
$ sudo firewall-cmd --zone=public --add-rich-rule='
    rule family="ipv4" source address="0.0.0.0/0" service name="ssh" accept'
    --timeout=300 # Rule expires after 5 minutes

iptables - The Classic Firewall

Basic iptables Concepts

# Tables (filter, nat, mangle, raw)
# Chains (INPUT, OUTPUT, FORWARD)
# Targets (ACCEPT, DROP, REJECT, LOG)

# List all rules
$ sudo iptables -L -n -v
$ sudo iptables -t nat -L -n -v

# Show rules with line numbers
$ sudo iptables -L -n --line-numbers

# Flush all rules
$ sudo iptables -F
$ sudo iptables -t nat -F

Common iptables Rules

# Allow established connections
$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback
$ sudo iptables -A INPUT -i lo -j ACCEPT

# Allow SSH
$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP/HTTPS
$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Set default policies
$ sudo iptables -P INPUT DROP
$ sudo iptables -P FORWARD DROP
$ sudo iptables -P OUTPUT ACCEPT

Advanced iptables Rules

# Allow specific IP
$ sudo iptables -A INPUT -s 192.168.1.100 -j ACCEPT

# Allow IP range
$ sudo iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

# Limit connection rate
$ sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m recent --set
$ sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 4 -j DROP

# Port forwarding (NAT)
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

iptables Management

# Save rules (Debian/Ubuntu)
$ sudo iptables-save > /etc/iptables/rules.v4
$ sudo ip6tables-save > /etc/iptables/rules.v6

# Save rules (RHEL/CentOS)
$ sudo iptables-save > /etc/sysconfig/iptables
$ sudo service iptables save

# Restore rules
$ sudo iptables-restore < /etc/iptables/rules.v4

# Delete rule by number
$ sudo iptables -D INPUT 3

# Insert rule at position
$ sudo iptables -I INPUT 3 -p tcp --dport 22 -j ACCEPT

Firewall Configuration for Web Server

# Using UFW (Ubuntu/Debian)
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https
$ sudo ufw limit ssh # Protect against brute force
$ sudo ufw enable

# Using firewalld (RHEL/CentOS)
$ sudo firewall-cmd --permanent --add-service=ssh
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --permanent --remove-service=dhcpv6-client
$ sudo firewall-cmd --reload

# Using iptables (generic)
$ sudo iptables -F
$ sudo iptables -A INPUT -i lo -j ACCEPT
$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
$ sudo iptables -P INPUT DROP
$ sudo iptables -P FORWARD DROP
$ sudo iptables -P OUTPUT ACCEPT

5. SSH, SCP, and SFTP

SSH (Secure Shell) Fundamentals

SSH is the standard protocol for secure remote access to Linux systems. It provides encrypted communication between client and server.

SSH Components

  • ssh client - Connect to remote servers
  • sshd server - Accept incoming SSH connections
  • ssh-keygen - Create authentication keys
  • ssh-agent - Manage SSH keys in memory
  • ssh-add - Add keys to ssh-agent
  • scp - Secure file copy over SSH
  • sftp - Secure file transfer protocol

Basic SSH Usage

Connecting to Remote Hosts

# Basic connection
$ ssh user@hostname
$ ssh user@192.168.1.100

# Specify port (default is 22)
$ ssh -p 2222 user@hostname

# Specify identity file
$ ssh -i ~/.ssh/id_rsa_custom user@hostname

# Execute command remotely
$ ssh user@hostname "ls -la"
$ ssh user@hostname "df -h"

# X11 forwarding (GUI applications)
$ ssh -X user@hostname

SSH Configuration File

# ~/.ssh/config - Client configuration
Host myserver
  HostName server.example.com
  User john
  Port 2222
  IdentityFile ~/.ssh/id_rsa_myserver
  ServerAliveInterval 60
  ServerAliveCountMax 3

Host *.example.com
  User admin
  IdentityFile ~/.ssh/id_rsa_admin

# Now connect using shorthand
$ ssh myserver
# Instead of ssh -p 2222 john@server.example.com

# Global SSH client config
# /etc/ssh/ssh_config

SSH Server Configuration

# /etc/ssh/sshd_config - Server configuration
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers john admin
AllowGroups sshusers
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2

# Important security settings:
# 1. Change default port (Port 2222)
# 2. Disable root login (PermitRootLogin no)
# 3. Use key authentication (PasswordAuthentication no)
# 4. Restrict users (AllowUsers, AllowGroups)

# Apply changes
$ sudo systemctl restart sshd

SSH Key Management

Key Generation

# Generate RSA key (legacy)
$ ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

# Generate Ed25519 key (modern, recommended)
$ ssh-keygen -t ed25519 -C "your_email@example.com"

# Generate with custom filename
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_work

# Generate with passphrase (recommended)
$ ssh-keygen -t ed25519 -C "server key"
# You'll be prompted for passphrase

# Show public key
$ cat ~/.ssh/id_ed25519.pub

Key Distribution & Management

# Copy public key to remote server
$ ssh-copy-id user@hostname
# Or manually:
$ cat ~/.ssh/id_ed25519.pub | ssh user@hostname "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

# Test key authentication
$ ssh -o PasswordAuthentication=no user@hostname

# Use ssh-agent for passphrase management
$ eval "$(ssh-agent -s)"
$ ssh-add ~/.ssh/id_ed25519
$ ssh-add -l # List loaded keys

# Remove host from known_hosts (if IP changed)
$ ssh-keygen -R hostname
$ ssh-keygen -R 192.168.1.100

SCP (Secure Copy)

Basic File Transfers

# Copy file to remote server
$ scp file.txt user@hostname:/remote/path/

# Copy file from remote server
$ scp user@hostname:/remote/path/file.txt ./

# Copy directory recursively
$ scp -r directory/ user@hostname:/remote/path/

# Preserve file attributes
$ scp -p file.txt user@hostname:/remote/path/

# Limit bandwidth (KB/s)
$ scp -l 1000 file.txt user@hostname:/remote/path/
# Limits to 1000 KB/s (1 MB/s)

Advanced SCP Usage

# Use specific port
$ scp -P 2222 file.txt user@hostname:/remote/path/

# Use specific identity file
$ scp -i ~/.ssh/id_rsa_custom file.txt user@hostname:/remote/path/

# Copy between two remote hosts
$ scp -3 user1@host1:/path/file user2@host2:/path/
# File goes through local machine

# Use compression for slow connections
$ scp -C file.txt user@hostname:/remote/path/

# Quiet mode (suppress progress meter)
$ scp -q file.txt user@hostname:/remote/path/

SFTP (SSH File Transfer Protocol)

Interactive SFTP Session

# Connect to remote server
$ sftp user@hostname

# SFTP commands:
sftp> ls # List remote files
sftp> lls # List local files
sftp> pwd # Print remote working directory
sftp> lpwd # Print local working directory
sftp> cd /remote/path # Change remote directory
sftp> lcd /local/path # Change local directory
sftp> get file.txt # Download file
sftp> put file.txt # Upload file
sftp> mkdir newdir # Create remote directory
sftp> rmdir olddir # Remove remote directory
sftp> rm file.txt # Remove remote file
sftp> chmod 755 file.txt # Change remote file permissions
sftp> rename old new # Rename remote file
sftp> exit # Exit SFTP

Non-Interactive SFTP

# Download file
$ sftp user@hostname:/remote/path/file.txt ./local/path/

# Upload file
$ sftp user@hostname <<EOF
put /local/path/file.txt
EOF

# Batch operations using -b flag
$ cat > sftp_batch.txt <<EOF
cd /remote/uploads
put file1.txt
put file2.txt
put file3.txt
chmod 644 file1.txt
EOF
$ sftp -b sftp_batch.txt user@hostname

# Download directory recursively
$ sftp -r user@hostname:/remote/directory ./local/path/

SSH Tunneling and Port Forwarding

# Local port forwarding
# Access remote service on local port
$ ssh -L 8080:localhost:80 user@webserver
# Now http://localhost:8080 connects to webserver:80

# Remote port forwarding
# Expose local service to remote server
$ ssh -R 9000:localhost:3000 user@remoteserver
# Access localhost:3000 from remoteserver:9000

# Dynamic port forwarding (SOCKS proxy)
$ ssh -D 1080 user@remoteserver
# Configure browser to use SOCKS proxy localhost:1080

# SSH as VPN (tunnel all traffic)
$ ssh -D 1080 -C -N user@remoteserver
# -N: no remote command, -C: compression

# Multi-hop SSH
$ ssh -J user1@jumphost user2@targetserver
# Connect via jump host

6. Network Troubleshooting

Systematic Troubleshooting Approach

Follow a logical sequence when diagnosing network issues:

Network Troubleshooting Flowchart

1. Check local interface (ip a)

2. Test local connectivity (ping 127.0.0.1)

3. Test gateway connectivity (ping gateway)

4. Test external connectivity (ping 8.8.8.8)

5. Test DNS resolution (nslookup google.com)

6. Check service ports (ss -tlnp)

7. Check firewall rules (ufw status or firewall-cmd)

8. Check routing (ip route)

9. Check logs (journalctl -u network)

Troubleshooting Commands Reference

Connectivity Testing

# Test loopback
$ ping 127.0.0.1
$ ping ::1

# Test local network
$ ping 192.168.1.1 # Gateway
$ ping 192.168.1.100 # Another host

# Test external connectivity
$ ping 8.8.8.8
$ ping 2001:4860:4860::8888 # IPv6

# Test specific interface
$ ping -I eth0 8.8.8.8

# Test with different packet sizes
$ ping -s 1472 8.8.8.8 # Test MTU

Port and Service Testing

# Test TCP port connectivity
$ nc -zv hostname 80
$ nc -zv hostname 22
$ nc -zv hostname 443

# Test UDP port
$ nc -zuv hostname 53

# Telnet test
$ telnet hostname 80
# Type "GET / HTTP/1.0" then Enter twice

# Check listening ports locally
$ ss -tlnp
$ ss -ulnp

# Check connections to specific port
$ ss -t dst :80
$ ss -t state established dport = :80

DNS Troubleshooting

# Test DNS resolution
$ nslookup google.com
$ dig google.com
$ host google.com

# Test with specific DNS server
$ dig @8.8.8.8 google.com
$ nslookup google.com 8.8.8.8

# Trace DNS resolution
$ dig +trace google.com

# Check DNS configuration
$ cat /etc/resolv.conf
$ cat /etc/hosts
$ grep hosts /etc/nsswitch.conf

# Test reverse DNS
$ dig -x 8.8.8.8
$ nslookup 8.8.8.8

Routing and Path Analysis

# Show routing table
$ ip route show
$ route -n # Legacy

# Trace route to destination
$ traceroute google.com
$ tracepath google.com
$ mtr google.com # Continuous

# Check MTU issues
$ ping -M do -s 1472 8.8.8.8
# Decrease size until it works

# Show interface MTU
$ ip link show eth0 | grep mtu
$ netstat -i # Legacy

Network Diagnostic Tools

Packet Analysis

# Capture packets (requires sudo)
$ sudo tcpdump -i eth0
$ sudo tcpdump -i eth0 port 80
$ sudo tcpdump -i eth0 host 192.168.1.100
$ sudo tcpdump -i eth0 -w capture.pcap

# Analyze with tshark (Wireshark CLI)
$ sudo tshark -i eth0
$ tshark -r capture.pcap

# Monitor connections in real-time
$ sudo iftop
$ sudo nethogs
$ sudo bmon

Bandwidth Testing

# Install iperf3
$ sudo apt install iperf3 # Debian/Ubuntu
$ sudo yum install iperf3 # RHEL/CentOS

# On server (run on remote machine)
$ iperf3 -s

# On client (test to server)
$ iperf3 -c server_ip
$ iperf3 -c server_ip -t 30 # 30 seconds test
$ iperf3 -c server_ip -P 4 # 4 parallel streams
$ iperf3 -c server_ip -R # Reverse test (server sends)

# Internet speed test
$ speedtest-cli
$ curl -s https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py | python -

Log Analysis

# System logs
$ sudo journalctl -u systemd-networkd
$ sudo journalctl -u NetworkManager
$ sudo journalctl -u sshd

# Kernel messages
$ dmesg | grep -i eth0
$ dmesg | grep -i network

# Authentication logs
$ sudo tail -f /var/log/auth.log # Debian/Ubuntu
$ sudo tail -f /var/log/secure # RHEL/CentOS

# Firewall logs
$ sudo tail -f /var/log/ufw.log # UFW
$ sudo journalctl -u firewalld # firewalld
$ sudo dmesg | grep -i iptables # iptables

Common Network Issues and Solutions

Symptom Possible Cause Troubleshooting Steps
No network connectivity Interface down, wrong IP, cable unplugged 1. ip link show
2. Check cable
3. Check IP config
Can ping IP but not hostnames DNS misconfiguration 1. Check /etc/resolv.conf
2. Test nslookup
3. Check firewall port 53
SSH connection refused SSH not running, firewall blocking 1. systemctl status sshd
2. Check firewall rules
3. Verify port 22 open
Slow network transfer Network congestion, MTU issues 1. mtr to destination
2. Test with iperf3
3. Check MTU settings
Intermittent connectivity Network hardware issues, IP conflict 1. Check dmesg for errors
2. Test with different cable
3. Check for IP conflicts
Port open but service not accessible Service not listening on interface, SELinux 1. ss -tlnp | grep :port
2. Check service binds to 0.0.0.0
3. Check SELinux with getsebool

Network Troubleshooting Cheat Sheet

# Quick diagnostics
$ ip a # Check interfaces and IPs
$ ip route # Check routing table
$ ping -c 3 8.8.8.8 # Test external connectivity
$ nslookup google.com # Test DNS resolution
$ ss -tlnp # Check listening ports
$ sudo ufw status # Check firewall (UFW)
$ sudo firewall-cmd --list-all # Check firewall (firewalld)
$ sudo iptables -L -n -v # Check firewall (iptables)
$ journalctl -xe -n 50 # Check recent system logs
$ dmesg | tail -20 # Check kernel messages
$ traceroute google.com # Trace network path
$ mtr google.com # Continuous trace

Network Automation for DevOps

Automated Network Configuration with Ansible

# Ansible playbook for network setup
---
- name: Configure network settings
hosts: all
become: yes
tasks:
- name: Install network tools
package:
name:
- net-tools
- iproute2
- bind-utils
- tcpdump
state: present

- name: Configure hostname
hostname:
name: "{{ inventory_hostname }}"

- name: Configure /etc/hosts
lineinfile:
path: /etc/hosts
line: "{{ item.ip }} {{ item.hostname }}"
state: present
loop:
- { ip: "192.168.1.10", hostname: "web1.example.com" }
- { ip: "192.168.1.11", hostname: "db1.example.com" }

- name: Configure DNS on Debian/Ubuntu
block:
- name: Set DNS servers
copy:
dest: /etc/resolv.conf
content: |
nameserver 8.8.8.8
nameserver 8.8.4.4
search example.com
when: ansible_os_family == "Debian"

- name: Configure firewall (UFW for Ubuntu)
block:
- name: Enable UFW
ufw:
state: enabled
policy: deny
direction: incoming

- name: Allow SSH
ufw:
rule: allow
port: "22"
proto: tcp

- name: Allow HTTP/HTTPS
ufw:
rule: allow
port: "{{ item }}"
proto: tcp
loop:
- "80"
- "443"
when: ansible_os_family == "Debian"

- name: Configure firewall (firewalld for CentOS)
block:
- name: Ensure firewalld is running
service:
name: firewalld
state: started
enabled: yes

- name: Open necessary ports
firewalld:
service: "{{ item }}"
permanent: yes
state: enabled
immediate: yes
loop:
- ssh
- http
- https
when: ansible_os_family == "RedHat"

- name: Configure SSH server
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: "0644"
notify: Restart SSH

- name: Deploy SSH public keys
authorized_key:
user: "{{ ansible_user }}"
state: present
key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

handlers:
- name: Restart SSH
service:
name: sshd
state: restarted

Network Command Cheat Sheet

Interface Configuration

$ ip addr show # Show all interfaces
$ ip link set eth0 up # Bring interface up
$ ip addr add 192.168.1.100/24 dev eth0 # Add IP
$ ip route show # Show routing table
$ ip neigh show # Show ARP table

Network Testing

$ ping -c 4 8.8.8.8 # Test connectivity
$ traceroute google.com # Trace network path
$ mtr google.com # Continuous trace
$ nc -zv host 80 # Test port connectivity
$ dig google.com # DNS lookup

Socket Information

$ ss -tulpn # Show all sockets
$ ss -t state established # Show established connections
$ ss -t dst :80 # Show connections to port 80
$ netstat -tulpn # Legacy socket info

Firewall Management

$ sudo ufw status # UFW status
$ sudo ufw allow 22/tcp # UFW allow SSH
$ sudo firewall-cmd --list-all # firewalld status
$ sudo iptables -L -n -v # iptables rules

SSH Operations

$ ssh user@host # SSH connection
$ ssh-keygen -t ed25519 # Generate SSH key
$ ssh-copy-id user@host # Copy SSH key
$ scp file user@host:/path # Secure copy
$ sftp user@host # SFTP session

Practice Scenarios for DevOps Engineers

  1. A server can ping 8.8.8.8 but cannot resolve google.com. What would you check and in what order?
  2. You need to configure a web server with SSH access for admins, HTTP/HTTPS for users, and block all other traffic. How would you implement this?
  3. A production server suddenly loses network connectivity. What's your step-by-step troubleshooting process?
  4. You need to securely transfer large files between two servers over the internet. What methods would you consider and why?
  5. How would you configure a bastion host/jump server for secure access to internal servers?
  6. A service is listening on port 8080 but connections from other servers are being refused. What would you check?
  7. You need to monitor network traffic to identify which application is consuming bandwidth. What tools would you use?
  8. How would you automate network configuration across 100+ servers using Ansible?
  9. A DNS change needs to be propagated to all servers. How would you ensure consistent DNS configuration?
  10. You suspect a network performance issue. How would you diagnose and identify the bottleneck?

Key Takeaways

  • Know your tools: Modern (ip, ss) vs legacy (ifconfig, netstat) commands
  • Understand configuration files: Different distributions use different network config systems
  • Master DNS: Know /etc/hosts, /etc/resolv.conf, and /etc/nsswitch.conf
  • Secure with firewalls: Choose the right firewall for your distribution (UFW, firewalld, iptables)
  • Use SSH properly: Key authentication, secure configuration, tunneling
  • Systematic troubleshooting: Follow a logical process from local to remote
  • Automate network tasks: Use Ansible or other tools for consistent configuration
  • Monitor and test: Regular testing and monitoring prevent issues
  • Document configurations: Network setups should be documented and version controlled
  • Security first: Always consider security implications of network configurations

Mastering Linux networking is essential for DevOps engineers to build, secure, and maintain reliable infrastructure. These skills enable you to troubleshoot issues quickly, implement secure configurations, and automate network operations at scale.

at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Linux Security & Permissions for DevOps

Linux Security & Permissions - DevOps Security Guide Linux Security & Permissions ...