Networking in Linux: The Complete DevOps Networking Guide
Master Linux networking concepts, commands, and troubleshooting skills essential for every DevOps engineer.
📅 Published: Feb 2026
⏱️ Estimated Reading Time: 18 minutes
🏷️ Tags: Linux Networking, SSH, Firewall, DNS, Troubleshooting, DevOps
🌐 Network Configuration Files: The Blueprint of Your Network
Understanding Network Configuration
Think of Linux network configuration like setting up a house address system:
IP Address = Your house number
Netmask = Which street you're on
Gateway = The main road out of your neighborhood
DNS = The phone book that translates names to numbers
Key Configuration Files
1. /etc/network/interfaces (Debian/Ubuntu)
This is where network interfaces are configured on Debian-based systems.
```bash
# View current configuration
cat /etc/network/interfaces
```
```
# Example configuration
# The loopback network interface
auto lo
iface lo inet loopback

# Primary network interface
auto eth0
iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8 8.8.4.4
```
2. /etc/sysconfig/network-scripts/ (Red Hat/CentOS)
Red Hat systems use individual files for each interface.
```bash
# List network interface configurations
ls -la /etc/sysconfig/network-scripts/ifcfg-*

# View configuration for eth0
cat /etc/sysconfig/network-scripts/ifcfg-eth0

# Example content:
# TYPE="Ethernet"
# BOOTPROTO="static"
# DEVICE="eth0"
# ONBOOT="yes"
# IPADDR="192.168.1.100"
# NETMASK="255.255.255.0"
# GATEWAY="192.168.1.1"
# DNS1="8.8.8.8"
# DNS2="8.8.4.4"
```
3. /etc/netplan/ (Ubuntu 18.04+)
Modern Ubuntu uses Netplan with YAML configuration.
```bash
# List Netplan configurations
ls -la /etc/netplan/
```
```yaml
# Example: /etc/netplan/01-netcfg.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      addresses: [192.168.1.100/24]
      gateway4: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
```
4. /etc/resolv.conf (DNS Configuration)
This file tells your system where to find DNS servers.
```bash
# View DNS configuration
cat /etc/resolv.conf

# Example:
# nameserver 8.8.8.8
# nameserver 8.8.4.4
# search example.com
```
Important: On modern systems, /etc/resolv.conf is often managed automatically. Don't edit it directly unless you know what you're doing!
5. /etc/hosts (Local Name Resolution)
This file maps hostnames to IP addresses locally, before checking DNS.
```bash
# View hosts file
cat /etc/hosts

# Example:
# 127.0.0.1 localhost
# 192.168.1.100 server1.example.com server1
# 192.168.1.101 server2.example.com server2
```
Use case: When DNS is down or for development/testing without DNS setup.
🔧 Essential Network Commands
ip: The Modern Network Swiss Army Knife
The ip command replaces the older ifconfig and route commands. It's more powerful and consistent.
```bash
# Show all network interfaces
ip addr show
# Or shorter:
ip a

# Show only specific interface
ip addr show eth0

# Show routing table
ip route show
# Or:
ip r

# Show network statistics
ip -s link show eth0

# Add IP address to interface
sudo ip addr add 192.168.1.200/24 dev eth0

# Remove IP address
sudo ip addr del 192.168.1.200/24 dev eth0

# Bring interface up/down
sudo ip link set eth0 up
sudo ip link set eth0 down

# Show ARP table (IP to MAC mapping)
ip neigh show
```
ifconfig: The Old Reliable (Being Phased Out)
While ip is the modern tool, ifconfig is still widely used and understood.
```bash
# Show all interfaces
ifconfig

# Show specific interface
ifconfig eth0

# Configure IP address
sudo ifconfig eth0 192.168.1.100 netmask 255.255.255.0

# Bring interface up/down
sudo ifconfig eth0 up
sudo ifconfig eth0 down
```
Note: ifconfig might not be installed by default on newer systems. Use ip for future-proof scripts.
ping: The "Are You There?" Check
ping sends small packets to a host and measures the response time.
```bash
# Basic ping (sends until Ctrl+C)
ping google.com

# Ping specific number of times
ping -c 4 google.com

# Ping with interval
ping -i 2 google.com   # Waits 2 seconds between pings

# Ping with packet size
ping -s 1000 google.com   # 1000 byte packets

# Ping without DNS resolution (faster)
ping -n 8.8.8.8

# Continuous ping for monitoring
ping -c 1000 google.com > ping_results.txt &
```
What ping tells you:
If host is reachable
Round-trip time (latency)
Packet loss percentage
traceroute/tracepath: Follow the Path
Shows the route packets take to reach a destination.
```bash
# Basic traceroute
traceroute google.com

# Use ICMP instead of UDP (sometimes works better)
traceroute -I google.com

# Specify number of queries per hop
traceroute -q 2 google.com

# tracepath (simpler alternative)
tracepath google.com

# For IPv6
tracepath6 google.com
```
Use case: When connectivity is slow or broken, traceroute shows where the problem is.
netstat and ss: Network Connection Analysis
netstat shows network connections, routing tables, interface statistics. ss is the modern replacement (faster, more detailed).
```bash
# Show all listening ports (netstat)
netstat -tulpn

# Show all connections (netstat)
netstat -an

# Show routing table (netstat)
netstat -rn

# Show interface statistics (netstat)
netstat -i

# Modern alternative: ss (socket statistics)
ss -tulpn   # All listening ports
ss -an      # All connections
ss -s       # Summary statistics

# Show processes using specific port
ss -tulpn | grep :80
```
Key differences:
netstat reads from /proc/net files (slower)
ss reads kernel socket information directly (faster)
📞 DNS & /etc/hosts: Name Resolution Explained
How DNS Works in Linux
When you type google.com, Linux checks in this order:
/etc/hosts - Local file mapping
DNS Cache - Recently resolved names
DNS Servers from /etc/resolv.conf
DNS Testing Commands
```bash
# Basic DNS lookup
nslookup google.com

# More detailed DNS information
dig google.com

# Short dig output
dig +short google.com

# Query specific DNS server
dig @8.8.8.8 google.com

# Reverse DNS lookup (IP to name)
dig -x 8.8.8.8

# Check MX records (mail servers)
dig google.com MX

# Check DNS resolution time
time nslookup google.com

# Clear DNS cache (systemd systems)
sudo systemd-resolve --flush-caches
```
/etc/hosts: Your Local DNS Override
The hosts file lets you override DNS. This is useful for:
Blocking websites (point to 127.0.0.1)
Development testing (point to local servers)
Network isolation (when DNS is down)
```bash
# Add entry to hosts file
echo "192.168.1.100 myserver.local" | sudo tee -a /etc/hosts

# Block a website (redirect to localhost)
echo "127.0.0.1 facebook.com www.facebook.com" | sudo tee -a /etc/hosts

# Test hosts file
getent hosts myserver.local
```
Security note: Malware often modifies /etc/hosts to redirect traffic. Regularly check this file.
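One way to do that regular check, as an added example that is not part of the original page: list overrides that send a public-looking name to a routable address, and compare the file against a saved digest. The function names, the suffix list and the sample file are constructed; `sha256sum` from GNU coreutils is assumed.

```bash
# Added example: review a hosts file for unexpected overrides and detect
# any change against a saved digest.
# Hypothetical names: make_sample_hosts, audit_hosts, hosts_digest, hosts_changed.

# Write a constructed sample hosts file to the path given in $1.
make_sample_hosts() {
    cat > "$1" <<'EOF'
127.0.0.1 localhost
192.168.1.100 server1.example.com server1
127.0.0.1 facebook.com www.facebook.com
203.0.113.7 login.bank.example   # constructed suspicious entry
EOF
}

# $1: hosts file; $2: space-separated domain suffixes you manage yourself.
# Loopback and 0.0.0.0 targets (the "blocking" use) and single-label names
# are skipped; everything else is printed as "line: name -> address".
audit_hosts() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, suf, " ") }
        {
            sub(/#.*/, "")                      # drop comments
            if (NF < 2) next
            ip = $1
            if (ip ~ /^127\./ || ip == "::1" || ip == "0.0.0.0") next
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name !~ /\./) continue
                known = 0
                for (j = 1; j <= n; j++) {
                    start = length(name) - length(suf[j]) + 1
                    if (start > 0 && substr(name, start) == suf[j]) known = 1
                }
                if (!known) printf "%d: %s -> %s\n", NR, name, ip
            }
        }' "$1"
}

# SHA-256 of the file, for a baseline kept where the host cannot rewrite it.
hosts_digest() { sha256sum < "$1" | awk '{ print $1 }'; }

# Succeeds (exit 0) when the file no longer matches the baseline digest in $2.
hosts_changed() { [ "$(hosts_digest "$1")" != "$2" ]; }

# Demo on the constructed sample; on a real host pass /etc/hosts instead.
demo=$(mktemp)
make_sample_hosts "$demo"
audit_hosts "$demo" ".example.com .local"
rm -f "$demo"
```

The loopback entries used for blocking are skipped on purpose, so the report stays limited to names that would actually be sent to another machine.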
🔥 Firewall Basics: Protecting Your Server
Understanding Linux Firewalls
A firewall is like a bouncer at a club:
Rules = Who's allowed in
Ports = Which doors they can use
Protocols = How they can communicate
ufw: Uncomplicated Firewall (Ubuntu)
ufw is the easiest firewall to use, perfect for beginners.
```bash
# Check status
sudo ufw status

# Enable firewall
sudo ufw enable

# Disable firewall
sudo ufw disable

# Allow SSH (port 22)
sudo ufw allow ssh
# Or by port:
sudo ufw allow 22

# Allow HTTP and HTTPS
sudo ufw allow http
sudo ufw allow https

# Allow specific IP
sudo ufw allow from 192.168.1.100

# Allow port range
sudo ufw allow 8000:8010/tcp

# Deny a port
sudo ufw deny 3306   # MySQL port

# Delete a rule
sudo ufw status numbered   # Show rules with numbers
sudo ufw delete 2          # Delete rule #2

# Reset all rules
sudo ufw reset
```
Default policies:
```bash
# Deny all incoming, allow all outgoing (recommended)
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
firewalld: Red Hat Firewall
Used by CentOS, RHEL, Fedora.
```bash
# Check status
sudo firewall-cmd --state

# Start and enable
sudo systemctl start firewalld
sudo systemctl enable firewalld

# List all zones
sudo firewall-cmd --list-all-zones

# List default zone rules
sudo firewall-cmd --list-all

# Add service (predefined ports)
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-service=ssh

# Add port directly
sudo firewall-cmd --permanent --add-port=8080/tcp

# Remove service/port
sudo firewall-cmd --permanent --remove-service=ftp

# Reload firewall (after changes)
sudo firewall-cmd --reload

# Create custom zone
sudo firewall-cmd --permanent --new-zone=myzone
sudo firewall-cmd --permanent --zone=myzone --add-source=192.168.1.0/24
sudo firewall-cmd --reload
```
iptables: The Classic Firewall
iptables is the underlying firewall that both ufw and firewalld use. It's more complex but powerful.
```bash
# List all rules
sudo iptables -L -n -v

# List with line numbers (useful for deletion)
sudo iptables -L -n -v --line-numbers

# Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow established connections
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set default policies
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# Save rules (Ubuntu)
# The redirect must run as root too, so wrap the whole command in a root shell
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

# Save rules (Red Hat)
sudo service iptables save
```
Basic iptables rule structure:
```
iptables -A CHAIN -p PROTOCOL --dport PORT -j ACTION

-A       = Append rule
CHAIN    = INPUT, OUTPUT, FORWARD
-p       = Protocol (tcp, udp, icmp)
--dport  = Destination port
-j       = Jump to action (ACCEPT, DROP, REJECT)
```
🔐 SSH, SCP, and SFTP: Secure Remote Access
SSH: Secure Shell
SSH lets you securely access remote servers. It's the primary way DevOps engineers manage servers.
```bash
# Basic connection
ssh username@server-ip

# Connect with specific port
ssh -p 2222 username@server-ip

# Connect with identity file (key)
ssh -i ~/.ssh/id_rsa username@server-ip

# Run command remotely
ssh username@server-ip "ls -la"

# Verbose mode (debugging)
ssh -v username@server-ip

# Copy SSH key to server
ssh-copy-id username@server-ip

# Create SSH tunnel (port forwarding)
ssh -L 8080:localhost:80 username@server-ip
# Local port 8080 forwards to server's port 80
```
SSH Configuration File
Create ~/.ssh/config for easier connections:
```bash
# Edit SSH config
nano ~/.ssh/config
```
```
# Add:
Host myserver
    HostName server-ip-or-domain
    User username
    Port 22
    IdentityFile ~/.ssh/id_rsa
    ServerAliveInterval 60
```
```bash
# Now connect with just:
ssh myserver
```
SSH Key Management
SSH keys are more secure than passwords.
```bash
# Generate SSH key pair
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

# Keys are saved in:
# Private: ~/.ssh/id_rsa
# Public: ~/.ssh/id_rsa.pub

# Set proper permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub

# Copy public key to server
ssh-copy-id user@server

# Or manually:
cat ~/.ssh/id_rsa.pub | ssh user@server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
```
SCP: Secure Copy
Copy files between systems securely.
```bash
# Copy local file to remote server
scp file.txt username@server-ip:/remote/directory/

# Copy remote file to local
scp username@server-ip:/remote/file.txt /local/directory/

# Copy directory recursively
scp -r /local/directory/ username@server-ip:/remote/

# Copy with compression (faster for large files)
scp -C file.txt username@server-ip:/remote/

# Preserve permissions and timestamps
scp -p file.txt username@server-ip:/remote/

# Use specific port
scp -P 2222 file.txt username@server-ip:/remote/
```
SFTP: Secure File Transfer Protocol
Interactive file transfer (like FTP but secure).
```bash
# Connect to SFTP server
sftp username@server-ip

# Inside SFTP:
ls               # List remote files
lls              # List local files
cd /remote/dir   # Change remote directory
lcd /local/dir   # Change local directory
get file.txt     # Download file
put file.txt     # Upload file
mkdir newdir     # Create remote directory
exit             # Quit
```
🔍 Network Troubleshooting: The Systematic Approach
The Troubleshooting Methodology
When network issues occur, follow this systematic approach:
Check local configuration
Test local connectivity
Test remote connectivity
Check DNS resolution
Check firewall rules
Check service status
Step-by-Step Troubleshooting Guide
```bash
# Step 1: Check network configuration
ip addr show
# Are interfaces up? Do they have IP addresses?

# Step 2: Check routing
ip route show
# Is there a default gateway?

# Step 3: Test local network
ping 192.168.1.1   # Gateway
# Can you reach your router?

# Step 4: Test internet connectivity
ping 8.8.8.8
# Can you reach outside?

# Step 5: Test DNS
ping google.com
nslookup google.com
# Can you resolve names?

# Step 6: Check specific port
telnet google.com 80
# Or: nc -zv google.com 80
# Can you connect to specific service?

# Step 7: Check firewall
sudo iptables -L -n -v
# Or: sudo ufw status
# Are ports blocked?

# Step 8: Check service is running
sudo systemctl status nginx
# Is the service actually running?

# Step 9: Check logs
sudo tail -f /var/log/syslog
# Look for error messages
```
Common Network Issues and Solutions
Issue 1: "Network is unreachable"
```bash
# Check interface status
ip link show
# If down: sudo ip link set eth0 up

# Check IP configuration
ip addr show eth0
# If no IP:
# DHCP: sudo dhclient eth0
# Static: Configure in network files
```
Issue 2: "Connection refused"
```bash
# Check if service is listening
ss -tulpn | grep :80
# If nothing: service might not be running

# Check firewall
sudo ufw status
# If blocked: sudo ufw allow 80/tcp
```
Issue 3: "Name or service not known"
```bash
# Check DNS
cat /etc/resolv.conf
# Add nameserver: echo "nameserver 8.8.8.8" | sudo tee -a /etc/resolv.conf

# Test DNS
dig google.com
# If fails: DNS server might be down
```
Issue 4: "No route to host"
```bash
# Check routing table
ip route show
# Add default gateway: sudo ip route add default via 192.168.1.1

# Check if gateway is reachable
ping 192.168.1.1
# If not: Physical network issue
```
Advanced Troubleshooting Tools
```bash
# Monitor network traffic in real-time
sudo tcpdump -i eth0
sudo tcpdump -i eth0 port 80
sudo tcpdump -i eth0 host 8.8.8.8

# Check bandwidth usage
iftop
# Shows real-time bandwidth by connection

# Check network speed
iperf3 -s             # On server
iperf3 -c server-ip   # On client

# Check MTU issues
ping -M do -s 1472 google.com
# Increase packet size until it fails to find MTU

# Network statistics
netstat -s
# Shows detailed protocol statistics

# Check network connections by process
lsof -i
# Shows which processes are using network
```
🎯 Real-World DevOps Scenarios
Scenario 1: Setting Up a New Server
```bash
#!/bin/bash
# setup-server-network.sh

# Configure static IP (Ubuntu with Netplan)
# Written through sudo tee: a plain "cat > file" redirect would run unprivileged
sudo tee /etc/netplan/01-network.yaml > /dev/null << EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses: [192.168.1.100/24]
      gateway4: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
EOF

# Apply network configuration
sudo netplan apply

# Configure firewall
# Set policies and allow SSH before enabling, so the current SSH session survives
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable

# Configure SSH
# Match the option whether or not it is commented out in the shipped file
sudo sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
# Validate the config before restarting so a typo cannot lock you out
sudo sshd -t && sudo systemctl restart sshd

# Test configuration
ping -c 2 8.8.8.8
ping -c 2 google.com
ss -tulpn | grep -E ':22|:80|:443'
```
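Editing /etc/ssh/sshd_config does not by itself prove the hardening is in force: sshd keeps the first value it reads for each keyword, so a file pulled in by an `Include` line at the top of the config takes precedence over lines further down. The check below is an added example, not part of the original script; the function names, the drop-in file name and the sample configs are constructed, and it assumes the caller lists the files in the order sshd reads them.

```bash
# Added example: report the value sshd would use for the two options the
# setup script edits, given the config files in read order.
# Hypothetical names: make_sample_sshd, first_sshd_value, check_sshd_hardening.

# Write a constructed main config and drop-in under directory $1.
make_sample_sshd() {
    mkdir -p "$1/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-constructed.conf"
    cat > "$1/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication no
PermitRootLogin no
Match User deploy
    PasswordAuthentication yes
EOF
}

# $1: keyword; remaining args: config files in the order sshd reads them.
# Prints the first global value (lower-cased). Lines after a Match in the
# same file are conditional and skipped; Include lines are not followed.
first_sshd_value() {
    key=$1; shift
    awk -v key="$key" '
        FNR == 1 { in_match = 0 }
        { sub(/#.*/, "") }
        NF < 2 { next }
        tolower($1) == "match" { in_match = 1; next }
        !in_match && tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$@"
}

# Returns non-zero unless both options resolve to "no".
check_sshd_hardening() {
    rc=0
    for key in PasswordAuthentication PermitRootLogin; do
        got=$(first_sshd_value "$key" "$@")
        [ -n "$got" ] || got="unset (built-in default applies)"
        if [ "$got" = "no" ]; then echo "OK   $key $got"
        else echo "FAIL $key $got"; rc=1; fi
    done
    return "$rc"
}

# Demo on the constructed sample: the drop-in is read first and wins.
d=$(mktemp -d)
make_sample_sshd "$d"
check_sshd_hardening "$d/sshd_config.d/50-constructed.conf" "$d/sshd_config" \
    || echo "hardening not effective: an earlier file overrides sshd_config"
rm -rf "$d"
```

On a live host, `sudo sshd -T | grep -Ei '^(passwordauthentication|permitrootlogin) '` prints the values sshd itself resolves, including any Include and Match handling this sketch leaves out.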
Scenario 2: Port Forwarding for Development
```bash
# Forward local port 8080 to remote server's port 80
ssh -L 8080:localhost:80 user@remote-server -N &
# -N = No command, just forward ports
# & = Run in background

# Now access remote server's web service at:
# http://localhost:8080

# Forward remote port 3306 to local port 3307 (for MySQL)
ssh -L 3307:localhost:3306 user@remote-server -N &

# Connect locally to MySQL:
mysql -h 127.0.0.1 -P 3307
```
Scenario 3: Network Monitoring Script
```bash
#!/bin/bash
# network-monitor.sh

LOG_FILE="/var/log/network-monitor.log"

echo "=== Network Monitor: $(date) ===" >> "$LOG_FILE"

# Check interfaces
echo "Network Interfaces:" >> "$LOG_FILE"
ip addr show >> "$LOG_FILE"

# Check connectivity
echo -n "Gateway reachable: " >> "$LOG_FILE"
ping -c 1 192.168.1.1 > /dev/null 2>&1 && echo "YES" >> "$LOG_FILE" || echo "NO" >> "$LOG_FILE"

echo -n "Internet reachable: " >> "$LOG_FILE"
ping -c 1 8.8.8.8 > /dev/null 2>&1 && echo "YES" >> "$LOG_FILE" || echo "NO" >> "$LOG_FILE"

echo -n "DNS working: " >> "$LOG_FILE"
nslookup google.com > /dev/null 2>&1 && echo "YES" >> "$LOG_FILE" || echo "NO" >> "$LOG_FILE"

# Check critical ports
for port in 22 80 443; do
    echo -n "Port $port listening: " >> "$LOG_FILE"
    ss -tulpn | grep -q ":$port " && echo "YES" >> "$LOG_FILE" || echo "NO" >> "$LOG_FILE"
done

echo "---" >> "$LOG_FILE"
```
Scenario 4: Secure File Transfer Automation
```bash
#!/bin/bash
# backup-to-remote.sh

REMOTE_USER="backupuser"
REMOTE_SERVER="backup-server.example.com"
BACKUP_DIR="/backup"
REMOTE_DIR="/mnt/backups"

# Create backup
tar -czf "$BACKUP_DIR/backup-$(date +%Y%m%d).tar.gz" /important/data

# Copy to remote server using SSH key
scp -i ~/.ssh/backup_key "$BACKUP_DIR"/backup-*.tar.gz "$REMOTE_USER@$REMOTE_SERVER:$REMOTE_DIR/"

# Verify copy
ssh -i ~/.ssh/backup_key "$REMOTE_USER@$REMOTE_SERVER" "ls -lh $REMOTE_DIR/backup-*.tar.gz"

# Clean old local backups
find "$BACKUP_DIR" -name "*.tar.gz" -mtime +7 -delete
```
📋 Quick Reference Cheat Sheet
| Task | Command | Description |
|---|---|---|
| Show IP addresses | ip a or ifconfig | View network interfaces |
| Show routing | ip r or route -n | View routing table |
| Test connectivity | ping host | Check if host is reachable |
| Trace route | traceroute host | Show network path |
| DNS lookup | nslookup host or dig host | Resolve hostname to IP |
| Show connections | ss -tulpn or netstat -tulpn | List listening ports |
| Copy files | scp file user@host:/path | Secure copy |
| Remote access | ssh user@host | Secure shell |
| Firewall status | sudo ufw status | Check firewall rules |
| Allow port | sudo ufw allow 80/tcp | Open firewall port |
| Network restart | sudo systemctl restart networking | Restart network service |
| Check DNS config | cat /etc/resolv.conf | View DNS servers |
| Local hosts | cat /etc/hosts | View local name mappings |
| Monitor traffic | sudo tcpdump -i eth0 | Capture network packets |
| Bandwidth monitor | iftop | Real-time bandwidth usage |
| Test port | telnet host port or nc -zv host port | Check if port is open |
🚀 Practice Exercises
Exercise 1: Configure Static IP
```bash
# Ubuntu with Netplan
sudo nano /etc/netplan/01-network.yaml
```
```yaml
# Add:
network:
  version: 2
  ethernets:
    eth0:
      addresses: [192.168.1.150/24]
      gateway4: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
```
```bash
# Apply
sudo netplan apply

# Verify
ip addr show eth0
ping -c 2 8.8.8.8
```
Exercise 2: Create SSH Tunnel
```bash
# Local machine
ssh -L 3306:localhost:3306 user@remote-db-server -N &
# This forwards local port 3306 to remote MySQL

# Now connect to remote MySQL locally
mysql -h 127.0.0.1 -u root -p

# To stop: find the SSH process and kill it
ps aux | grep "ssh -L"
kill <process_id>
```
Exercise 3: Network Diagnostic Script
```bash
#!/bin/bash
# net-check.sh

echo "=== Network Diagnostic ==="
echo

echo "1. Interface Status:"
ip -br addr show
echo

echo "2. Routing Table:"
ip route show
echo

echo "3. Testing Connectivity:"
echo -n "  Local Gateway: "
ping -c 1 -W 1 $(ip route | grep default | awk '{print $3}') > /dev/null && echo "✓" || echo "✗"

echo -n "  Internet: "
ping -c 1 -W 1 8.8.8.8 > /dev/null && echo "✓" || echo "✗"

echo -n "  DNS Resolution: "
nslookup google.com > /dev/null 2>&1 && echo "✓" || echo "✗"
echo

echo "4. Open Ports:"
ss -tulpn | grep -E ':(22|80|443|3306)\s'
```
Exercise 4: Firewall Setup
```bash
# Ubuntu
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow from 192.168.1.0/24 to any port 22
sudo ufw enable
sudo ufw status verbose
```
🔗 Master Linux Networking with Hands-on Labs
Networking is a critical skill for DevOps engineers. Understanding how to configure, secure, and troubleshoot networks is essential for managing servers and applications.
Frequently Asked Questions
Q: Should I use ifconfig or ip?
A: Use ip for new scripts and systems. It's more powerful and will be supported longer.
Q: How do I make network changes permanent?
A: Edit the appropriate configuration file (/etc/netplan/, /etc/network/interfaces, or /etc/sysconfig/network-scripts/).
Q: What's the difference between DROP and REJECT in iptables?
A: DROP silently discards packets. REJECT sends back an error. Use DROP for security, REJECT for user-friendly firewalls.
Q: How do I restart networking without reboot?
A: Use sudo systemctl restart networking or sudo netplan apply or sudo ifdown eth0 && sudo ifup eth0.
Q: Why can't I ping but can SSH?
A: The server might be blocking ICMP (ping) but allowing SSH. Check firewall rules.
Q: How do I change SSH port?
A: Edit /etc/ssh/sshd_config, change Port 22 to another number, then restart SSH: sudo systemctl restart sshd.
Q: What's the best way to transfer large files?
A: Use rsync with compression: rsync -avz --progress source/ user@host:destination/