Linux Networking Cheat Sheet

From Basics to Advanced Analysis

Networking issues usually appear when you least expect them.
This cheat sheet is written to be saved, bookmarked, and used in real production incidents.

No unnecessary theory.
Only commands, patterns, and troubleshooting steps that actually work.

Table of Contents

Part 1 — Linux Networking Basics (For Everyone)

  1. Network Interfaces & IP Addresses
  2. Routes & Gateways
  3. Ports, Sockets & Listening Services
  4. DNS Resolution & Name Lookup
  5. Connectivity Testing
  6. File Transfer Over Network
  7. Firewall Basics (firewalld)
  8. Common Networking Mistakes

Part 2 — Advanced Networking & Troubleshooting (Beginner → Advanced)

  1. Linux Networking Stack (Mental Model)
  2. Advanced Socket Inspection with ss
  3. Firewall Deep Dive (firewalld & rich rules)
  4. Packet Capture & Traffic Analysis with tcpdump
  5. Detecting Port Scans and Empty Traffic
  6. Bandwidth and Throughput Analysis
  7. Routing, Policy Rules and Network Namespaces
  8. Production Debug Checklist
  9. Performance and Network Tuning
  10. Security and Hardening

Part 1 — Linux Networking Basics (For Everyone)

1. Network Interfaces & IP Addresses

List all network interfaces:

ip a

Compact, readable output:

ip -br a

Show only active interfaces:

ip link show up

Legacy command (avoid using in automation):

ifconfig

If an interface has the wrong IP address, nothing else in the network stack will work correctly.

2. Routes & Gateways

Display routing table:

ip route

Show default gateway:

ip route show default

Check how the system routes traffic to a destination:

ip route get 8.8.8.8

Most “connection issues” are simply missing or incorrect routes.

3. Ports, Sockets & Listening Services

Modern replacement for netstat:

ss -lntup

Check whether a specific port is listening:

ss -lntp 'sport = :5000'
# a socket filter matches only port 5000; grep 5000 also matches 15000, 50000 or a PID

Connection statistics summary:

ss -s

ss is faster, more accurate, and should always be preferred over netstat.

4. DNS Resolution & Name Lookup

Resolve a domain name:

dig google.com

Short output only:

dig +short google.com

Resolve using system configuration:

getent hosts google.com

Check resolver configuration:

cat /etc/resolv.conf

If an IP address works but a hostname does not, the problem is DNS.

5. Connectivity Testing

Basic connectivity test:

ping -c 4 8.8.8.8

Trace network path:

traceroute google.com

More informative tracing tool:

mtr google.com

HTTP connectivity check:

curl -I https://example.com

Test TCP port availability:

nc -zv host 5432

6. File Transfer Over Network

Copy a file:

scp file.txt user@host:/path

Copy a directory:

scp -r dir user@host:/path

Efficient and resumable transfer:

rsync -avz dir/ user@host:/dir

In production environments, rsync should be preferred.

7. Firewall Basics (firewalld)

Show active zones:

firewall-cmd --get-active-zones

List current rules:

firewall-cmd --zone=public --list-all

Open a TCP port permanently:

firewall-cmd --permanent --add-port=5000/tcp
firewall-cmd --reload

Permanent rules are not active until the firewall is reloaded.

8. Common Networking Mistakes

  • Assuming a running service means an open port
  • Forgetting firewall rules
  • Testing domain names before verifying raw IP connectivity
  • Ignoring the routing table
  • Running tcpdump without filters in production

Part 2 — Advanced Networking & Troubleshooting

1. Linux Networking Stack (Mental Model)

Application
Socket
TCP / UDP
IP
Network Interface
Physical NIC

Troubleshooting should always start from the bottom and move upward.

2. Advanced Socket Inspection with ss

List all TCP connections:

ss -ant

Show only established connections:

ss -ant state established

Inspect TIME_WAIT sockets:

ss -ant state time-wait

Count active connections:

ss -Hant | wc -l
# -H suppresses the header line so it is not counted

High TIME_WAIT counts are often normal and not an error.

3. Firewall (firewalld & rich rules)

Runtime vs permanent configuration

  • Runtime rules affect current state
  • Permanent rules are stored on disk
  • --reload applies permanent rules

Allow a single IP access to a specific port:

firewall-cmd --permanent --zone=public \
  --add-rich-rule='rule family="ipv4" source address="**.**.**.**" port port="5000" protocol="tcp" accept'

Remove an existing subnet rule:

firewall-cmd --permanent --zone=public \
  --remove-rich-rule='rule family="ipv4" source address="**.**.**.**/24" port port="5000" protocol="tcp" accept'

Apply changes:

firewall-cmd --reload

List rich rules:

firewall-cmd --zone=public --list-rich-rules

firewall-cmd --zone=public --list-all

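Log and reject traffic:

firewall-cmd --permanent --zone=public \
  --add-rich-rule='rule family="ipv4" source address="**.**.**.**/32" port port="5000" protocol="tcp" accept'

firewall-cmd --permanent --zone=public \
  --add-rich-rule='rule family="ipv4" source address="**.**.**.**/24" port port="5000" protocol="tcp" log prefix="port5000-reject: " level="info" reject'

firewall-cmd --reload

The log element is what sends rejected packets to the kernel log; its prefix is an example label, so pick one you can search for. At the default priority, firewalld evaluates reject and drop rich rules before accept rules, so if the accepted host lies inside the rejected subnet the reject wins unless the accept rule is given a negative priority.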

Inspect kernel firewall logs:

journalctl -k
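
A check for the runtime vs permanent split described in this section, as an added example that is not part of the original cheat sheet: it compares two saved rich-rule listings and reports what a reload would change. The function name, the output labels and the sample rules (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare runtime and permanent rich rules for one zone.
# rule_drift RUNTIME PERMANENT takes two files holding the output of
#   firewall-cmd --zone=public --list-rich-rules
#   firewall-cmd --permanent --zone=public --list-rich-rules
rule_drift() {
    rt=$(mktemp) && pm=$(mktemp) || return 1
    grep -v '^[[:space:]]*$' "$1" | LC_ALL=C sort -u > "$rt"
    grep -v '^[[:space:]]*$' "$2" | LC_ALL=C sort -u > "$pm"
    # Only in permanent: stored on disk, not enforced until --reload.
    LC_ALL=C comm -13 "$rt" "$pm" | sed 's/^/PENDING-RELOAD /'
    # Only in runtime: enforced now, lost on --reload or reboot.
    LC_ALL=C comm -23 "$rt" "$pm" | sed 's/^/RUNTIME-ONLY /'
    rm -f "$rt" "$pm"
}

# Constructed listings: the subnet rule was changed to reject on disk,
# but the firewall has not been reloaded yet.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/runtime" <<'EOF'
rule family="ipv4" source address="198.51.100.5" port port="5000" protocol="tcp" accept
rule family="ipv4" source address="203.0.113.0/24" port port="5000" protocol="tcp" accept
EOF
    cat > "$d/permanent" <<'EOF'
rule family="ipv4" source address="198.51.100.5" port port="5000" protocol="tcp" accept
rule family="ipv4" source address="203.0.113.0/24" port port="5000" protocol="tcp" reject
EOF
    rule_drift "$d/runtime" "$d/permanent"
    rm -rf "$d"
}

demo
```

An empty result means the running firewall already matches what is stored on disk.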

4. Packet Capture & Traffic Analysis with tcpdump

Capture traffic on a port:

tcpdump -i eth0 -n -s 0 port 5000

Write capture to file:

tcpdump -i eth0 -n -s 0 port 5000 -w /tmp/port5000.pcap

View ASCII payload:

tcpdump -i eth0 -n -s 0 -A tcp port 5000

View hex and ASCII:

tcpdump -i eth0 -n -s 0 -X tcp port 5000

Always use filters to limit capture scope in production environments.

5. Detecting Port Scans and Empty Traffic

Detect SYN-only packets:

tcpdump -i eth0 -n 'tcp[13] & 2 != 0 and tcp[13] & 16 == 0'

Detect NULL scans:

tcpdump -i eth0 -n 'tcp[13] == 0'

Detect FIN scans:

tcpdump -i eth0 -n 'tcp[13] == 1'
# FIN is the only flag set; FIN+ACK from a normal connection close does not match

Detect empty payload traffic:

tcpdump -i eth0 -n tcp port 5000
# look for "length 0"

Broadcast or multicast traffic:

tcpdump -i eth0 -n 'broadcast or multicast'
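
To turn the flag filters above into a per-source summary, this added example (not part of the original cheat sheet) reads `tcpdump -n` text output and reports sources whose SYN-only, NULL or FIN-only packets reached several distinct destination ports. The function names, the threshold and the sample capture are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise flag-only probes in `tcpdump -n` text output.
# scan_report MIN prints "source kind distinct_ports" for each source whose
# SYN-only, NULL or FIN-only packets touched at least MIN destination ports.
scan_report() {
    awk -v min="${1:-3}" '
    $2 == "IP" && $6 == "Flags" {
        src = $3; sub(/\.[0-9]+$/, "", src)        # drop the source port
        dport = $5; sub(/:$/, "", dport); sub(/^.*\./, "", dport)
        flags = $7; sub(/^\[/, "", flags); sub(/\],?$/, "", flags)
        if (flags == "S") kind = "syn"             # SYN without ACK
        else if (flags == "none") kind = "null"    # no flags set (tcp[13] == 0)
        else if (flags == "F") kind = "fin"        # FIN alone; "F." is a normal close
        else next
        key = src " " kind
        if (!((key, dport) in seen)) { seen[key, dport] = 1; ports[key]++ }
    }
    END { for (k in ports) if (ports[k] >= min) print k, ports[k] }
    ' | LC_ALL=C sort
}

# Constructed sample capture (documentation addresses, not real traffic).
sample_capture() {
    cat <<'EOF'
12:00:00.000001 IP 203.0.113.7.40000 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
12:00:00.000002 IP 203.0.113.7.40000 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
12:00:00.000003 IP 203.0.113.7.40000 > 192.0.2.10.443: Flags [S], seq 1, win 1024, length 0
12:00:00.000004 IP 203.0.113.7.40000 > 192.0.2.10.5000: Flags [S], seq 1, win 1024, length 0
12:00:01.000001 IP 198.51.100.9.41000 > 192.0.2.10.21: Flags [F], seq 7, win 1024, length 0
12:00:01.000002 IP 198.51.100.9.41000 > 192.0.2.10.22: Flags [F], seq 7, win 1024, length 0
12:00:01.000003 IP 198.51.100.9.41000 > 192.0.2.10.23: Flags [F], seq 7, win 1024, length 0
12:00:02.000001 IP 198.51.100.20.42000 > 192.0.2.10.1: Flags [none], win 1024, length 0
12:00:02.000002 IP 198.51.100.20.42000 > 192.0.2.10.2: Flags [none], win 1024, length 0
12:00:02.000003 IP 198.51.100.20.42000 > 192.0.2.10.3: Flags [none], win 1024, length 0
12:00:03.000001 IP 192.0.2.50.51000 > 192.0.2.10.5000: Flags [S], seq 9, win 64240, length 0
12:00:03.000200 IP 192.0.2.10.5000 > 192.0.2.50.51000: Flags [S.], seq 5, ack 10, win 65160, length 0
12:00:03.000300 IP 192.0.2.50.51000 > 192.0.2.10.5000: Flags [.], ack 6, win 502, length 0
12:00:04.000001 IP 192.0.2.50.51000 > 192.0.2.10.5000: Flags [F.], seq 10, ack 6, win 502, length 0
EOF
}

sample_capture | scan_report 3
```

The ordinary client at 192.0.2.50 is not reported: it opens one port, and its closing FIN carries ACK.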

6. Bandwidth and Throughput Analysis

Interface statistics:

ip -s link

Real-time bandwidth:

nload

Process-level traffic usage:

nethogs

Throughput testing:

iperf3 -s
iperf3 -c host

Latency checks do not measure bandwidth.

7. Routing, Policy Rules and Network Namespaces

Show policy routing rules:

ip rule show

Show all routing tables:

ip route show table all

List network namespaces:

ip netns list

Execute commands inside a namespace:

ip netns exec ns1 bash

Containers rely heavily on namespaces for isolation.

8. Production Debug Checklist

  1. Interface state
  2. IP configuration
  3. Routing table
  4. Listening services
  5. Firewall rules
  6. Packet arrival and response
  7. Kernel and firewall logs

Skipping steps leads to incorrect conclusions.

9. Performance and Network Tuning

Check NIC offloading features:

ethtool -k eth0

Check link speed and duplex:

ethtool eth0

Inspect queue disciplines:

tc qdisc show

10. Security and Hardening

  • Close unused ports
  • Log suspicious connections
  • Block scanners early
  • Monitor active connections regularly
  • Combine firewall rules with traffic analysis

Final Notes

This cheat sheet is intentionally practical. It is meant to be useful during incidents, not just read once. Save it. Networking problems tend to come back.