Networking Tools
Linux networking tools including ss, ip, iptables, nftables, and diagnostic utilities
You are an expert in Linux networking tools for configuring interfaces, managing firewall rules, diagnosing connectivity, and monitoring network traffic. You use the modern iproute2 suite and nftables by default, falling back to legacy tools only when the environment demands it, and you approach firewall changes with the caution they deserve.
Key Points
- Use `nftables` for new deployments. It is the successor to iptables with a cleaner syntax, better performance, and atomic rule replacement.
- Always allow established/related traffic first in firewall rules. This is both a performance optimization (most packets match immediately) and a correctness requirement for stateful firewalling.
- Use `ss` instead of `netstat`. It is faster, more capable, and `netstat` is deprecated on modern distributions.
- Save firewall rules to persistent config and verify they load on boot. A reboot that drops all firewall rules is a common oversight.
- Use `tcpdump` with `-w` to capture to pcap files for offline analysis in Wireshark rather than trying to read raw terminal output.
- Test firewall changes with a cron job or `at` command that reverts rules after 5 minutes, in case you lock yourself out of SSH.
- Enable kernel IP forwarding (`net.ipv4.ip_forward=1` in sysctl) explicitly when setting up NAT or routing; it is off by default.
- Rule ordering matters: both iptables and nftables evaluate rules top-down and stop at the first match. A broad ACCEPT before a specific DROP means the DROP never fires.
- Forgetting IPv6: if you only configure iptables (IPv4), services listening on IPv6 are unfiltered. Use `ip6tables` or the `inet` family in nftables to cover both.
Networking Tools — Linux Administration
Core Philosophy
Networking changes are among the most dangerous operations on a remote system because a mistake can sever the very connection you are using to make the change. Every firewall modification, routing change, or interface reconfiguration on a remote server should be performed with a safety net: a cron job or at command that reverts the change after 5 minutes, a secondary console session (IPMI, serial, cloud console) ready to go, or at minimum a tested rollback plan. The administrator who locks themselves out of SSH by flushing iptables with a DROP default policy learns this lesson only once.
The modern Linux networking stack has moved to iproute2 (ip, ss) and nftables, and new work should use these tools exclusively. Legacy tools like ifconfig, netstat, and route are absent on minimal installations, lack features (no network namespace support, no advanced filtering), and produce output that is harder to parse programmatically. Similarly, nftables replaces iptables with a cleaner syntax, atomic rule replacement, and unified IPv4/IPv6 handling via the inet family. Investing in the modern tools pays dividends in both capability and portability across current distributions.
Troubleshooting network issues requires a layered approach that matches the network stack itself. Start at the bottom and work up:
- Is the link up? (`ip link`)
- Does the interface have an address? (`ip addr`)
- Is the route correct? (`ip route get <destination>`)
- Is the firewall allowing the traffic? (`nft list ruleset`)
- Is the remote port open? (`ss`, `nc -zv`)
- Is DNS resolving? (`dig`)
Jumping straight to application-level debugging when the problem is a missing route or a blocked port wastes hours.
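The safety net described above, written out as an added example (not code from the original skill): snapshot the live nftables ruleset, schedule its restoration with `at`, then load the new rules and cancel the job only from a fresh session. It assumes `nft` and `at` are installed; `SNAP_DIR` is a constructed path.

```shell
#!/bin/sh
# Added example: apply an nftables ruleset with an automatic revert.
# Assumes nft(8) and at(1) are installed; SNAP_DIR is a constructed path.
SNAP_DIR=${SNAP_DIR:-/var/tmp/nft-safety}
REVERT_MINUTES=${REVERT_MINUTES:-5}

# Prefix a saved ruleset (nft list ruleset on stdin) with "flush ruleset",
# so that nft -f replaces the live rules atomically instead of appending.
save_ruleset() {            # $1 = output file
    { echo 'flush ruleset'; cat; } > "$1"
}

# Write the script that at(1) will run to restore the snapshot.
make_revert_script() {      # $1 = saved ruleset file, $2 = script path
    printf '#!/bin/sh\nexec nft -f "%s"\n' "$1" > "$2"
    chmod 0700 "$2"
}

# Snapshot the live ruleset, schedule the revert, then load the new file.
apply_with_safety_net() {   # $1 = new ruleset file in nft -f syntax
    mkdir -p "$SNAP_DIR"
    nft list ruleset | save_ruleset "$SNAP_DIR/before.nft"
    make_revert_script "$SNAP_DIR/before.nft" "$SNAP_DIR/revert.sh"
    # at prints "job N at <time>" on stderr; keep N so the job can be cancelled.
    job=$(echo "$SNAP_DIR/revert.sh" | at "now + $REVERT_MINUTES minutes" 2>&1 |
          awk '/^job/ { print $2 }')
    echo "$job" > "$SNAP_DIR/job"
    # Parse-check first; a typo must not leave a half-loaded firewall.
    nft -c -f "$1" || { echo "syntax error in $1, nothing applied" >&2; return 1; }
    nft -f "$1"
    echo "Applied $1; at job $job reverts it in $REVERT_MINUTES minutes unless confirmed."
}

# Run this from a fresh SSH session once the new rules are proven to work.
confirm_change() {
    atrm "$(cat "$SNAP_DIR/job")" && rm -f "$SNAP_DIR/job" &&
        echo "Change confirmed; automatic revert cancelled."
}
```

If the syntax check fails, the scheduled job simply restores the unchanged snapshot, so leaving it in place is harmless.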
Anti-Patterns
- Flushing firewall rules with a DROP default policy: running `iptables -F` when the INPUT chain policy is DROP immediately blocks all traffic, including your SSH session. Set the policy to ACCEPT before flushing, or use an automatic revert mechanism.
- Configuring iptables only for IPv4: if IPv6 is enabled (it is by default on most modern systems), services listening on `::` are reachable over IPv6 without any firewall rules. Use `ip6tables` in parallel, or migrate to the nftables `inet` family, which handles both address families in a single ruleset.
- Using hostnames in firewall rules: iptables resolves hostnames to IP addresses once at rule insertion time. If the IP changes (common with cloud services and CDNs), the rule becomes stale and either blocks legitimate traffic or permits unintended traffic. Always use IP addresses or CIDR ranges.
- Blocking all ICMP: blocking ICMP entirely breaks Path MTU Discovery, causing mysterious connection hangs for packets that exceed the path MTU. At minimum, allow ICMP type 3 (destination unreachable) and type 4 (source quench), or better, allow all ICMP and rate-limit it.
- Not persisting firewall rules: iptables and nftables rules exist only in memory by default. A reboot without the output of `iptables-save` / `nft list ruleset` written to a persistent file means the system comes up with no firewall at all, which is worse than the wrong firewall.
Overview
Linux networking administration spans interface configuration (ip), socket inspection (ss), firewalling (iptables/nftables), DNS diagnostics, and traffic analysis. The modern Linux networking stack has largely moved from legacy tools (ifconfig, route, netstat) to the iproute2 suite (ip, ss) and from iptables toward nftables.
Core Concepts
Network Stack Layers
| Layer | Tools |
|---|---|
| Interface / Link | ip link, ethtool |
| IP / Routing | ip addr, ip route, ip rule |
| Firewall | nftables, iptables |
| Sockets / Connections | ss, lsof -i |
| DNS | dig, host, resolvectl |
| Diagnostics | ping, traceroute, mtr, tcpdump |
iproute2 vs Legacy
| Legacy | Modern | Purpose |
|---|---|---|
| ifconfig | ip addr | Interface addresses |
| route | ip route | Routing table |
| arp | ip neigh | ARP / neighbor cache |
| netstat | ss | Socket statistics |
Implementation Patterns
Interface and Address Management (ip)
# Show all interfaces with addresses
ip addr show
ip -br addr show # Brief format
ip -4 addr show # IPv4 only
ip -6 addr show # IPv6 only
# Add / remove addresses
ip addr add 192.168.1.100/24 dev eth0
ip addr del 192.168.1.100/24 dev eth0
# Bring interface up/down
ip link set eth0 up
ip link set eth0 down
# Set MTU
ip link set eth0 mtu 9000
# Create VLAN interface
ip link add link eth0 name eth0.100 type vlan id 100
ip addr add 10.100.0.1/24 dev eth0.100
ip link set eth0.100 up
# Bridge
ip link add br0 type bridge
ip link set eth0 master br0
ip link set eth1 master br0
ip link set br0 up
Routing
# View routing table
ip route show
ip route show table all
ip -6 route show
# Add/delete routes
ip route add 10.0.0.0/8 via 192.168.1.1 dev eth0
ip route add default via 192.168.1.1
ip route del 10.0.0.0/8
# Policy routing
ip rule add from 10.0.1.0/24 table 100
ip route add default via 10.0.1.1 table 100
# Show route for a specific destination
ip route get 8.8.8.8
Socket Inspection (ss)
# All listening TCP sockets with process info
ss -tlnp
# All established connections
ss -tnp
# Filter by port
ss -tlnp sport = :443
ss -tnp dport = :5432
# Filter by state
ss -t state established
ss -t state time-wait
# UDP sockets
ss -ulnp
# Unix domain sockets
ss -xlnp
# Summary statistics
ss -s
# Connections to a specific remote
ss -tnp dst 10.0.0.50
iptables (Legacy but Widely Used)
# List all rules with line numbers
iptables -L -n -v --line-numbers
iptables -t nat -L -n -v
# Basic stateful firewall
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow established/related
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow SSH from specific subnet
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
# Allow HTTP/HTTPS
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Rate limit SSH connections
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
-m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
-m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# NAT / masquerade
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80
# Log dropped packets
iptables -A INPUT -j LOG --log-prefix "IPT-DROP: " --log-level 4
iptables -A INPUT -j DROP
# Save / restore
iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4
nftables (Modern Replacement)
# List all rules
nft list ruleset
# Basic firewall setup
nft add table inet filter
nft add chain inet filter input '{ type filter hook input priority 0; policy drop; }'
nft add chain inet filter forward '{ type filter hook forward priority 0; policy drop; }'
nft add chain inet filter output '{ type filter hook output priority 0; policy accept; }'
# Allow established
nft add rule inet filter input ct state established,related accept
# Allow loopback
nft add rule inet filter input iifname lo accept
# Allow SSH and HTTP
nft add rule inet filter input tcp dport { 22, 80, 443 } accept
# Rate limiting
nft add rule inet filter input tcp dport 22 ct state new \
limit rate 3/minute accept
# NAT
nft add table ip nat
nft add chain ip nat postrouting '{ type nat hook postrouting priority 100; }'
nft add rule ip nat postrouting oifname "eth0" masquerade
# Port forwarding
nft add chain ip nat prerouting '{ type nat hook prerouting priority -100; }'
nft add rule ip nat prerouting tcp dport 8080 dnat to 10.0.0.5:80
# Sets (efficient matching against many values)
nft add set inet filter blocked_ips '{ type ipv4_addr; }'
nft add element inet filter blocked_ips '{ 10.0.0.50, 10.0.0.51 }'
nft add rule inet filter input ip saddr @blocked_ips drop
# Save / restore ("nft list ruleset" does not emit "flush ruleset", so prepend it;
# otherwise reloading the file appends duplicate rules instead of replacing them)
{ echo 'flush ruleset'; nft list ruleset; } > /etc/nftables.conf
# Loaded at boot via systemctl enable nftables
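The rules built above one `nft add` at a time, assembled as an added example (not the skill's own code) into the single-file form that `nft -f` and `/etc/nftables.conf` expect, using the `inet` family so IPv4 and IPv6 are filtered by one ruleset. The SSH subnet is a parameter; the `10.0.0.0/8` in the usage line is a constructed value.

```shell
#!/bin/sh
# Added example: emit a complete dual-stack ruleset in nft -f syntax,
# then parse-check and load it atomically.
gen_inet_ruleset() {        # $1 = CIDR allowed to open new SSH connections
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    set blocked_ips { type ipv4_addr; flags interval; }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept   # first: most packets stop here
        ct state invalid drop
        iifname "lo" accept
        ip saddr @blocked_ips drop
        # ICMP stays open (rate limited) so Path MTU Discovery keeps working;
        # ICMPv6 must be allowed or neighbour discovery breaks IPv6 entirely.
        ip protocol icmp limit rate 10/second accept
        meta l4proto ipv6-icmp accept
        tcp dport 22 ip saddr $1 ct state new limit rate 3/minute accept
        tcp dport { 80, 443 } accept
        log prefix "nft-drop: " level warn   # logged, then dropped by policy
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Parse-check the file first; nft -f then replaces the whole ruleset in one
# transaction, so a typo never leaves a half-loaded firewall.
load_ruleset() {            # $1 = ruleset file
    nft -c -f "$1" || return 1
    nft -f "$1"
}

# Usage (constructed subnet):
#   gen_inet_ruleset 10.0.0.0/8 > /etc/nftables.conf && load_ruleset /etc/nftables.conf
```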
DNS Diagnostics
# Query DNS records
dig example.com A
dig example.com MX +short
dig @8.8.8.8 example.com # Query specific server
dig +trace example.com # Full delegation trace
dig -x 93.184.216.34 # Reverse lookup
# Check DNS resolution path
resolvectl status
resolvectl query example.com
cat /etc/resolv.conf
# Quick lookups
host example.com
nslookup example.com
Network Diagnostics
# Connectivity
ping -c 4 10.0.0.1
ping6 -c 4 ::1
# Path analysis
traceroute -n 8.8.8.8
mtr -n --report 8.8.8.8 # Combined ping+traceroute
# Packet capture
tcpdump -i eth0 -nn port 443 # Watch HTTPS traffic
tcpdump -i any -nn host 10.0.0.5
tcpdump -i eth0 -w capture.pcap # Write to file
tcpdump -r capture.pcap # Read from file
tcpdump -i eth0 -nn 'tcp[tcpflags] & (tcp-syn) != 0' # SYN packets only
# Bandwidth testing
iperf3 -s # Start server
iperf3 -c server-ip -t 10 # Client test
# Check port connectivity
nc -zv 10.0.0.5 5432 # TCP port check
nc -zuv 10.0.0.5 53 # UDP port check
curl -v telnet://10.0.0.5:5432 # Alternative TCP check
Persistent Network Configuration
# Netplan (Ubuntu)
cat /etc/netplan/01-config.yaml
# network:
#   version: 2
#   ethernets:
#     eth0:
#       dhcp4: false
#       addresses: [192.168.1.100/24]
#       routes:
#         - to: default
#           via: 192.168.1.1
#       nameservers:
#         addresses: [8.8.8.8, 8.8.4.4]
netplan apply
# NetworkManager
nmcli con show
nmcli con modify "Wired connection 1" ipv4.addresses 192.168.1.100/24
nmcli con modify "Wired connection 1" ipv4.gateway 192.168.1.1
nmcli con modify "Wired connection 1" ipv4.method manual
nmcli con up "Wired connection 1"
Best Practices
- Use `nftables` for new deployments. It is the successor to iptables with a cleaner syntax, better performance, and atomic rule replacement.
- Always allow established/related traffic first in firewall rules. This is both a performance optimization (most packets match immediately) and a correctness requirement for stateful firewalling.
- Use `ss` instead of `netstat`. It is faster, more capable, and `netstat` is deprecated on modern distributions.
- Save firewall rules to persistent config and verify they load on boot. A reboot that drops all firewall rules is a common oversight.
- Use `tcpdump` with `-w` to capture to pcap files for offline analysis in Wireshark rather than trying to read raw terminal output.
- Test firewall changes with a cron job or `at` command that reverts rules after 5 minutes, in case you lock yourself out of SSH.
- Enable kernel IP forwarding (`net.ipv4.ip_forward=1` in sysctl) explicitly when setting up NAT or routing; it is off by default.
Common Pitfalls
- Rule ordering matters: both iptables and nftables evaluate rules top-down and stop at the first match. A broad ACCEPT before a specific DROP means the DROP never fires.
- Flushing rules with a DROP default policy: running `iptables -F` with `INPUT` policy `DROP` and no established-connection rule locks you out immediately. Set policy to ACCEPT before flushing, or use a timeout safety mechanism.
- Forgetting IPv6: if you only configure iptables (IPv4), services listening on IPv6 are unfiltered. Use `ip6tables` or the `inet` family in nftables to cover both.
- DNS resolution in firewall rules: using hostnames in iptables rules resolves them once at rule insertion time. If the IP changes, the rule is stale. Use IP addresses or nftables sets with dynamic updates.
- Conntrack table exhaustion: high-traffic servers can exhaust the connection tracking table (`nf_conntrack`), causing dropped packets. Monitor with `conntrack -C` and increase `nf_conntrack_max` via sysctl if needed.
- MTU mismatches: Path MTU discovery failures (often due to ICMP being blocked) cause mysterious connection hangs. Never block all ICMP; at minimum allow type 3 (destination unreachable) and type 4 (source quench).
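A check for the "forgetting IPv6" pitfall, added here as an example (not part of the original skill): it filters `ss -tlnp` output down to the listeners reachable over IPv6, which are exactly the ones an IPv4-only iptables ruleset leaves open. It assumes the address conventions `ss` uses: `*` for a dual-stack wildcard, bracketed addresses for IPv6, and `127.0.0.1` / `[::1]` as loopback-only; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: list listening sockets reachable over IPv6 from ss -tlnp output.
# Assumes ss conventions: "*" = dual-stack wildcard, "[...]" = IPv6,
# 127.0.0.1 / [::1] = loopback only (skipped).
ipv6_exposed_listeners() {  # reads `ss -Htlnp` lines (no header) from stdin
    awk '{
        n = split($4, a, ":"); port = a[n]              # Local Address:Port
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "[::1]") next
        if (addr == "*")        fam = "v4+v6"
        else if (addr ~ /^\[/)  fam = "v6"
        else                    fam = "v4"
        proc = ($6 ~ /^users:/) ? $6 : "-"              # present only with -p
        if (fam != "v4") print port, fam, addr, proc
    }'
}

# Constructed sample, as `ss -Htlnp` would print it on a dual-stack host.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
LISTEN 0 511 *:80 *:* users:(("nginx",pid=900,fd=6))
LISTEN 0 128 [::1]:5432 [::]:* users:(("postgres",pid=800,fd=5))
LISTEN 0 4096 [::]:9100 [::]:* users:(("node_exporter",pid=950,fd=3))'

# Live use:  ss -Htlnp | ipv6_exposed_listeners
# Every port printed needs an ip6tables rule or an nftables inet-family rule.
echo "$SAMPLE_SS" | ipv6_exposed_listeners
```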
Install this skill directly: skilldb add linux-admin-skills