Linux networking spans interface configuration, traffic analysis, firewall management, and DNS diagnostics. This cheat sheet covers the most-used commands with practical examples.
Quick Reference
| Task | Command |
|---|---|
| Show IP addresses | ip addr show |
| Show routing table | ip route show |
| Show listening ports | ss -tlnp |
| Show active connections | ss -tnp |
| Capture packets | tcpdump -i eth0 -n |
| Test connectivity | ping -c 4 google.com |
| Trace route | traceroute google.com |
| DNS lookup | dig google.com |
| Scan ports | nmap -sV host |
| Show firewall rules | iptables -L -n -v |
| Download file | curl -O url |
| Check bandwidth | iftop -i eth0 |
| Show ARP table | ip neigh show |
| Flush DNS cache | systemd-resolve --flush-caches |
| Check open files/sockets | lsof -i :80 |
Interface Management
View interfaces
# All interfaces with IPs
ip addr show
# Short form
ip a
# Single interface
ip addr show eth0
# Only IPv4
ip -4 addr show
# Only IPv6
ip -6 addr show
Configure interfaces
# Bring interface up/down
ip link set eth0 up
ip link set eth0 down
# Add IP address
ip addr add 192.168.1.100/24 dev eth0
# Remove IP address
ip addr del 192.168.1.100/24 dev eth0
# Set MTU
ip link set eth0 mtu 9000
# Rename interface (requires it to be down)
ip link set eth0 down
ip link set eth0 name wan0
ip link set wan0 up
Routing
# Show routing table
ip route show
ip r
# Add default gateway
ip route add default via 192.168.1.1
# Add static route
ip route add 10.0.0.0/8 via 192.168.1.254
# Delete route
ip route del 10.0.0.0/8
# Show route to specific destination
ip route get 8.8.8.8
# Policy routing (multiple routing tables)
ip rule show
ip rule add from 10.0.0.0/8 table 100
ip route add default via 10.0.0.1 table 100
Sockets and Ports (ss)
ss replaces the deprecated netstat and is faster.
# All listening TCP ports
ss -tlnp
# All listening UDP ports
ss -ulnp
# All connections (TCP)
ss -tnp
# All sockets (TCP + UDP + Unix)
ss -anp
# Filter by port
ss -tnp sport = :80
ss -tnp dport = :443
# Filter by state
ss -tn state established
ss -tn state time-wait
# Show socket memory
ss -tm
# Summary statistics
ss -s
Flag reference
| Flag | Meaning |
|---|---|
-t |
TCP sockets |
-u |
UDP sockets |
-l |
Listening sockets |
-n |
Numeric (no DNS resolution) |
-p |
Show process name/PID |
-a |
All sockets |
-s |
Summary statistics |
-e |
Extended socket info |
-m |
Memory usage |
-4 / -6 |
IPv4 / IPv6 only |
Legacy netstat equivalents
# netstat -tulnp → ss -tlnp
# netstat -an → ss -an
# netstat -rn → ip route show
# netstat -s → ss -s
Packet Capture (tcpdump)
# Capture on interface
tcpdump -i eth0
# Numeric output (no DNS)
tcpdump -i eth0 -n
# Capture to file
tcpdump -i eth0 -w capture.pcap
# Read from file
tcpdump -r capture.pcap
# Verbose output
tcpdump -i eth0 -vv
# Limit packet count
tcpdump -i eth0 -c 100
# Filter by host
tcpdump -i eth0 host 192.168.1.1
# Filter by port
tcpdump -i eth0 port 80
tcpdump -i eth0 port 80 or port 443
# Filter by protocol
tcpdump -i eth0 tcp
tcpdump -i eth0 udp
tcpdump -i eth0 icmp
# Capture HTTP traffic (show payload)
tcpdump -i eth0 -A port 80
# Capture DNS queries
tcpdump -i eth0 -n port 53
# Source or destination
tcpdump -i eth0 src 10.0.0.1
tcpdump -i eth0 dst 10.0.0.2
# Combine filters
tcpdump -i eth0 'src 10.0.0.1 and dst port 443'
# Exclude SSH (port 22)
tcpdump -i eth0 not port 22
DNS Tools
dig
# Basic A record lookup
dig google.com
# Short output
dig +short google.com
# Specific record type
dig google.com MX
dig google.com AAAA
dig google.com TXT
dig google.com NS
dig google.com SOA
# Use specific DNS server
dig @8.8.8.8 google.com
dig @1.1.1.1 google.com
# Reverse DNS lookup
dig -x 8.8.8.8
# Trace DNS resolution path
dig +trace google.com
# Disable recursion
dig +norecurse google.com
# Query all record types
dig google.com ANY
nslookup and host
# nslookup
nslookup google.com
nslookup google.com 8.8.8.8
# host
host google.com
host -t MX google.com
host 8.8.8.8 # reverse lookup
# systemd-resolved
resolvectl query google.com
resolvectl status
systemd-resolve --flush-caches
/etc/hosts and DNS config
# Local hostname resolution
cat /etc/hosts
# DNS resolver config
cat /etc/resolv.conf
# Name resolution order
cat /etc/nsswitch.conf | grep hosts
Connectivity Testing
ping
# Basic ping
ping google.com
# Limit count
ping -c 4 google.com
# Set interval (seconds)
ping -i 0.5 google.com
# Set packet size
ping -s 1400 google.com
# Flood ping (root required)
ping -f google.com
# IPv6
ping6 google.com
ping -6 google.com
traceroute / mtr
# Traceroute (ICMP)
traceroute google.com
# UDP mode
traceroute -U google.com
# TCP mode (better through firewalls)
traceroute -T -p 443 google.com
# No DNS resolution
traceroute -n google.com
# mtr (real-time traceroute — install separately)
mtr google.com
mtr --report google.com # non-interactive report
mtr -n google.com # no DNS
Port Scanning (nmap)
# Basic scan (top 1000 ports)
nmap host
# Scan all 65535 ports
nmap -p- host
# Scan specific ports
nmap -p 22,80,443 host
nmap -p 1-1000 host
# Service version detection
nmap -sV host
# OS detection (root required)
nmap -O host
# Aggressive scan (OS + versions + scripts + traceroute)
nmap -A host
# UDP scan
nmap -sU host
# Ping scan (host discovery only)
nmap -sn 192.168.1.0/24
# Scan subnet
nmap 192.168.1.0/24
# Save output
nmap -oN output.txt host
nmap -oX output.xml host
# Common service detection
nmap -sV --open host
Firewall (iptables)
View rules
# List all rules with counters
iptables -L -n -v
# List specific chain
iptables -L INPUT -n -v
# Show line numbers
iptables -L -n -v --line-numbers
# Show NAT table
iptables -t nat -L -n -v
# Show mangle table
iptables -t mangle -L -n -v
# Save rules
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
# Restore rules
iptables-restore < /etc/iptables/rules.v4
Common rules
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow SSH (port 22)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Drop all other INPUT
iptables -A INPUT -j DROP
# Allow outgoing, block incoming (common server setup)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Rate limit (protect against brute force)
iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min --limit-burst 5 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
# Port forwarding (DNAT)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080
iptables -t nat -A POSTROUTING -j MASQUERADE
# Delete rule by number
iptables -D INPUT 3
# Flush all rules
iptables -F
nftables (modern replacement)
# List all rules
nft list ruleset
# Add rule
nft add rule ip filter input tcp dport 22 accept
# Flush ruleset
nft flush ruleset
ufw (Ubuntu firewall frontend)
# Enable/disable
ufw enable
ufw disable
ufw status verbose
# Allow/deny
ufw allow 22
ufw allow 80/tcp
ufw deny 3306
ufw allow from 192.168.1.0/24 to any port 5432
# Delete rule
ufw delete allow 80
ufw delete 3 # by rule number
# Reset to defaults
ufw reset
Network File Transfer
scp
# Upload
scp file.txt user@host:/remote/path/
# Download
scp user@host:/remote/path/file.txt .
# Recursive
scp -r dir/ user@host:/remote/
# Custom port
scp -P 2222 file.txt user@host:/path/
# Via SSH config alias
scp file.txt myserver:/path/
rsync
# Sync directory (preserve permissions, recursive, verbose)
rsync -avz source/ user@host:/dest/
# Dry run (preview changes)
rsync -avzn source/ user@host:/dest/
# Delete files removed from source
rsync -avz --delete source/ user@host:/dest/
# Exclude patterns
rsync -avz --exclude='*.log' --exclude='node_modules/' source/ dest/
# Bandwidth limit (KB/s)
rsync -avz --bwlimit=1000 source/ user@host:/dest/
# Resume interrupted transfer
rsync -avzP source/ user@host:/dest/
# Sync over custom SSH port
rsync -avz -e 'ssh -p 2222' source/ user@host:/dest/
wget and curl
# Download file
wget https://example.com/file.tar.gz
curl -O https://example.com/file.tar.gz
# Save with custom name
wget -O output.html https://example.com
curl -o output.html https://example.com
# Resume download
wget -c https://example.com/large-file.tar.gz
curl -C - -O https://example.com/large-file.tar.gz
# Follow redirects (curl)
curl -L https://example.com
# Quiet mode
wget -q https://example.com/file
curl -s https://example.com/file
# Check HTTP status only
curl -o /dev/null -s -w "%{http_code}" https://example.com
# POST request
curl -X POST -d '{"key":"value"}' -H "Content-Type: application/json" https://api.example.com
Bandwidth Monitoring
# iftop — real-time by connection (install separately)
iftop -i eth0
iftop -i eth0 -n # no DNS
# nload — per-interface throughput
nload eth0
# nethogs — per-process bandwidth
nethogs eth0
# vnstat — historical statistics
vnstat
vnstat -i eth0
vnstat -h # hourly
vnstat -d # daily
vnstat -m # monthly
# /proc/net/dev — raw counters
cat /proc/net/dev
# ip -s link — interface statistics
ip -s link show eth0
ARP and Neighbours
# Show ARP table
ip neigh show
ip n
# Add static ARP entry
ip neigh add 192.168.1.100 lladdr aa:bb:cc:dd:ee:ff dev eth0
# Delete ARP entry
ip neigh del 192.168.1.100 dev eth0
# Flush ARP cache
ip neigh flush all
# arping — send ARP requests
arping -I eth0 192.168.1.1
# arp-scan — discover hosts on LAN
arp-scan --localnet
arp-scan 192.168.1.0/24
Network Namespaces
Network namespaces isolate networking stacks — used by containers.
# List namespaces
ip netns list
# Create namespace
ip netns add mynamespace
# Execute command inside namespace
ip netns exec mynamespace ip addr show
# Bash shell inside namespace
ip netns exec mynamespace bash
# Delete namespace
ip netns del mynamespace
# Create veth pair (virtual ethernet)
ip link add veth0 type veth peer name veth1
# Move veth1 into namespace
ip link set veth1 netns mynamespace
# Configure inside namespace
ip netns exec mynamespace ip addr add 10.0.0.2/24 dev veth1
ip netns exec mynamespace ip link set veth1 up
Troubleshooting Checklist
"Cannot reach host"
# 1. Check local IP and route
ip addr show
ip route show
# 2. Test default gateway
ping -c 2 $(ip route | awk '/default/ {print $3}')
# 3. Test DNS resolution
dig +short google.com
# 4. Test connectivity to internet
ping -c 2 8.8.8.8
# 5. Trace the path
traceroute -n 8.8.8.8
# 6. Check firewall
iptables -L -n -v
ufw status verbose
"Port is not responding"
# 1. Is service running?
ss -tlnp | grep :80
systemctl status nginx
# 2. Is firewall blocking?
iptables -L INPUT -n -v | grep 80
ufw status | grep 80
# 3. Test locally first
curl -v http://localhost:80
# 4. Test from outside
curl -v http://server-ip:80
nmap -p 80 server-ip
# 5. Check logs
journalctl -u nginx -n 50
tail -50 /var/log/nginx/error.log
"Slow network"
# Check packet loss
ping -c 100 -i 0.2 8.8.8.8 | tail -3
# Check interface errors
ip -s link show eth0 | grep -A2 'RX\|TX'
# Check for bandwidth hogs
nethogs eth0
iftop -i eth0
# Check connection states
ss -s
# Check MTU issues (try large packet)
ping -c 4 -s 8972 8.8.8.8
"DNS not resolving"
# 1. Check resolv.conf
cat /etc/resolv.conf
# 2. Test with specific server
dig @8.8.8.8 google.com
# 3. Test with systemd-resolved
resolvectl query google.com
resolvectl status
# 4. Flush DNS cache
systemd-resolve --flush-caches
# 5. Check /etc/nsswitch.conf
grep hosts /etc/nsswitch.conf
Common Mistakes
| Mistake | Problem | Fix |
|---|---|---|
Using netstat instead of ss |
Deprecated, missing in minimal installs | Use ss -tlnp |
iptables -F in production |
Drops all rules incl. SSH access | Test on console, save rules first |
| Ignoring IPv6 | IPv6 firewall rules are separate | Manage both iptables and ip6tables |
curl without -L |
Misses HTTP redirects | Always use curl -L for web URLs |
nmap on cloud hosts |
May trigger abuse reports | Check provider ToS, use -sn for discovery |
tcpdump without -n |
Slows capture with DNS lookups | Always use -n on busy interfaces |
| Flushing iptables without saving | Rules lost on reboot | iptables-save > /etc/iptables/rules.v4 |
| Hardcoding IPs instead of names | Breaks when IPs change | Use hostnames + DNS |
Tool Comparison
| Tool | Purpose | Best For |
|---|---|---|
ss |
Socket statistics | Checking listening ports, connections |
netstat |
Socket statistics (deprecated) | Legacy systems |
tcpdump |
Packet capture | Protocol debugging, traffic analysis |
wireshark |
Packet capture + GUI | Deep packet inspection |
nmap |
Port scanner | Discovery, service fingerprinting |
ping |
ICMP connectivity | Basic reachability test |
traceroute |
Path tracing | Routing problems |
mtr |
Continuous traceroute | Packet loss per hop |
dig |
DNS queries | DNS debugging |
curl |
HTTP client | API testing, file download |
iftop |
Real-time bandwidth | Per-connection throughput |
nethogs |
Per-process bandwidth | Finding bandwidth hogs |
iptables |
Firewall | Rule-based filtering, NAT |
ufw |
Firewall frontend | Simpler iptables management |
FAQ
How do I find which process is using port 8080?
ss -tlnp | grep :8080
# or
lsof -i :8080
# or
fuser 8080/tcp
How do I set a static IP permanently?
# Netplan (Ubuntu 17.10+) — edit /etc/netplan/*.yaml
network:
ethernets:
eth0:
addresses: [192.168.1.100/24]
routes:
- to: default
via: 192.168.1.1
nameservers:
addresses: [8.8.8.8, 1.1.1.1]
version: 2
# Apply
netplan apply
# NetworkManager
nmcli con mod "eth0" ipv4.addresses "192.168.1.100/24"
nmcli con mod "eth0" ipv4.gateway "192.168.1.1"
nmcli con mod "eth0" ipv4.method manual
nmcli con up "eth0"
How do I enable IP forwarding (for routing)?
# Temporary
echo 1 > /proc/sys/net/ipv4/ip_forward
# Permanent — add to /etc/sysctl.conf
net.ipv4.ip_forward = 1
# Apply
sysctl -p
What is the difference between ip route and ip route show table all?
ip route show (or ip route) shows only the main routing table. ip route show table all shows all routing tables (main, local, default, and custom tables). Linux uses policy routing — multiple tables can exist with different routes applied based on rules (ip rule show).
How do I capture traffic on all interfaces?
tcpdump -i any -n
The any pseudo-interface captures from all interfaces. Note: this captures in cooked mode (no Ethernet headers). Also, some loopback traffic may look duplicated.
How do I block a specific IP with iptables?
# Block all traffic from an IP
iptables -A INPUT -s 192.168.1.50 -j DROP
# Block specific protocol
iptables -A INPUT -s 192.168.1.50 -p tcp --dport 80 -j DROP
# Log before dropping
iptables -A INPUT -s 192.168.1.50 -j LOG --log-prefix "BLOCKED: "
iptables -A INPUT -s 192.168.1.50 -j DROP
# Block IP range
iptables -A INPUT -s 192.168.1.0/24 -j DROP