Linux Network Basics
The content of this article is based or taken from the Cisco's Networking Academy NDG Linux Essentials, Chapter 14, Network Configuration. Also some references and quotes from Geeks for Geeks are used.
Basic Network Terminology
Before setting up a network or accessing an existing network, it is beneficial to know some key terms that are related to networking. This section explores the terms with which you should be familiar. Some of the terms are basic, and you may already be familiar with them. However, others are more advanced.
| Term | Description |
|---|---|
| Host | A host is a computer. Many people automatically think of a desktop computer or laptop when they hear the term computer. In reality, many other devices, such as cell phones, digital music players and many modern televisions, are also computers. In networking terms, a host is any device that communicates via a network with another device. |
| Network | A network is a collection of two or more hosts (computers) that are able to communicate with each other. This communication can be via a wired connection or wireless. |
| Internet | The Internet is an example of a network. It consists of a publicly accessible network that connects millions of hosts throughout the world. Many people use the Internet to surf web pages and exchange emails, but the Internet has many additional capabilities besides these activities. |
| Wi-Fi | The term Wi-Fi refers to wireless networks. |
| Server | A host that provides a service to another host or client is called a server. For example, a web server stores, processes and delivers web pages. An email server receives incoming mail and delivers outgoing mail. |
| Service | A feature provided by a host is a service. An example of a service would be when a host provides web pages to another host. |
| Client | A client is a host that is accessing a server. When you are working on a computer surfing the Internet, you are considered to be on a client host. |
| Router | Also called a gateway, a router is a machine that connects hosts from one network to another network. For example, if you work in an office environment, the computers within the company can all communicate via the local network created by the administrators. To access the Internet, the computers would have to communicate with a router that would be used to forward network communications to the Internet. Typically when you communicate on a large network (like the Internet), several routers are used before your communication reaches its final destination. |
Networking Features Terminology
In addition to the networking terms discussed in the last section, there are some additional terms with which you should be familiar. These terms focus more on the different types of networking services that are commonly used, as well as some of the techniques that are used to communicate between machines.
| Term | Description |
|---|---|
| Packet | A network packet is used to send network communication between hosts. By breaking down communication into smaller chunks (packets), the data delivery method is much more efficient. |
| IP Address | An Internet Protocol (IP) address is a unique number assigned to a host on a network. Hosts use these numbers to address network communication. |
| Mask | Also called a netmask, subnet mask or mask, a network mask is a number system that can be used to define which IP addresses are considered to be within a single network. Because of how routers perform their functions, networks have to be clearly defined. |
| Hostname | Each host on a network could have its own hostname because names are more natural for humans to remember than numbers, making it easier for us to address network packets to another host. Hostnames are translated into IP addresses before the network packet is sent on the network. |
| URL | A Uniform Resource Locator (URL), also commonly called a web address, is used to locate a resource, like a web page, on the internet. It’s what you type into your web browser to access a web page. For example, http://www.netdevgroup.com. It includes the protocol http:// and the hostname www.netdevgroup.com. |
| DHCP | Hosts can be assigned hostnames, IP addresses and other network-related information by a DHCP (Dynamic Host Configuration Protocol) server. In the world of computers, a protocol is a well-defined set of rules. DHCP defines how network information is assigned to client hosts, and the DHCP server is the machine that provides this information. |
| DNS | As mentioned previously, hostnames are translated into IP addresses, prior to the network packet being sent on the network. So your host needs to know the IP address of all of the other hosts with which you are communicating. When working on a large network (like the Internet), this can pose a challenge as there are so many hosts. A Domain Name System (DNS) provides the service of translating domain names into IP addresses. |
| Ethernet | In a wired network environment, Ethernet is the most common way to physically connect the hosts into a network. Ethernet cables are connected to network cards that support Ethernet connections. Ethernet cables and devices (such as routers) are specifically designed to support different communication speeds, the lowest being 10 Mbps (10 Megabits per second) and the highest being 100 Gbps (100 gigabits per second). The most common speeds are 100 Mbps and 1 Gbps. |
| TCP/IP | The Transmission Control Protocol/Internet Protocol (TCP/IP) is a fancy name for a collection of protocols (remember, protocol = set of rules) that are used to define how network communication should take place between hosts. While it isn't the only collection of protocols used to define network communication, it is the most often utilized one. As an example, TCP/IP includes the definition of how IP addresses and network masks work. |
IP Addresses
There are, in fact, two different types of IP addresses: IPv4 and IPv6.
In an IPv4 address, a total of four 8‑bit numbers are used to define the address. This is considered a 32-bit address (4 x 8 = 32). For example:
192.168.10.120. # 8-bit refers to numbers from 0 to 255.
In an IPv4 environment, there is a technical limit of about 4.3 billion IP addresses. This issue encouraged the development of IPv6. IPv6 was officially created in 1998. In an IPv6 network the addresses are much larger, 128-bit addresses that look like this:
2001:0db8:85a3:0042:1000:8a2e:0370:7334
It is important to note that the difference between IPv4 and IPv6 isn't just a larger address pool. IPv6 has many other advanced features that address some of the limitations of IPv4, including better speed, more advanced package management and more efficient data transportation. However, the majority of network-attached devices in the world still use IPv4 (something like 98–99% of all devices).
So, why hasn't the world embraced the superior technology of IPv6?
There are primarily two reasons:
- NAT: Invented to overcome the possibility of running out of IP addresses in an IPv4 environment, Net Address Translation (NAT) used a technique to provide more hosts access to the Internet. In a nutshell, a group of hosts is placed into a private network with no direct access to the Internet; a special router provides Internet access, and only this one router needs an IP address to communicate on the Internet. In other words, a group of hosts shares a single IP address, meaning a lot more computers can attach to the Internet. This feature means the need to move to IPv6 is less critical than before the invention of NAT.
- Porting: Porting is switching over from one technology to another. IPv6 has a lot of great new features, but all of the hosts need to be able to utilize these features. Getting everyone on the Internet (or even just some) to make these changes poses a challenge.
Ports
A port is a unique number that is associated with a service provided by a host.
Well-known ports are the port numbers in the range of 0–1023, typically used by system processes to provide network services. A list of service names and associated port numbers can be found in the /etc/services file.
nano /etc/services
Domain Name System (DNS)
When a computer is asked to access a website, such as www.example.com, it does not necessarily know what IP address to use. For the computer to associate an IP address with the URL or hostname request, the computer relies upon the DNS service of another computer. Often, the IP address of the DNS server is discovered during the DHCP request, while a computer is receiving important addressing information to communicate on the network.
The address of the DNS server is stored in the /etc/resolv.conf file. A typical /etc/resolv.conf file is automatically generated and looks like the following:
# Proxmox VE on Debian
root@pve:~# cat /etc/resolv.conf
search szs.space
nameserver 172.16.1.1
# Ubuntu Server 20.04
user@ubuntu:~# cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
The host command works with DNS to associate a hostname with an IP address.
host szs.space
szs.space has address 185.218.64.95
szs.space mail is handled by 30 mx.szs.space.
host 185.218.64.95
95.64.218.185.in-addr.arpa domain name pointer home-unl-ip95-Ruse.networx-bg.com.
Network Configuration Files
Name resolution on a Linux host is accomplished by 3 critical files: the /etc/hosts, /etc/resolv.conf and /etc/nsswitch.conf files. Together, they describe the location of name service information, the order in which to check resources, and where to go for that information.
| Files | Explanation |
|---|---|
/etc/hosts
|
This file contains a table of hostnames to IP addresses. It can be used to supplement a DNS server. $ cat /etc/hosts
127.0.1.1 szs
127.0.0.1 localhost szs
…and number of other IPv4 and IPv6 entries. |
/etc/resolv.conf
|
This file contains the IP addresses of the name servers the system should consult in any attempt to resolve names to IP addresses. These servers are often DNS servers. It also can contain additional keywords and values that can affect the resolution process. $ cat /etc/resolv.conf
nameserver 10.0.2.3
nameserver 10.0.2.4
It should contain at least two entries for name servers. The DNS resolution system will use the first name server for an attempted lookup of the name. If that is unavailable, or a timeout period is reached, the second server will then be queried for the name resolution. |
/etc/nsswitch.conf
|
This file can be used to modify where hostname lookups occur. It contains a particular entry that describes in what order name resolution sources are consulted. $ cat /etc/nsswitch.conf
...
hosts: files dns
...
The above entry means: The |
Two other keywords may appear in the system’s /etc/resolv.conf file. They are routinely included in default /etc/resolv.conf files and so we include explanations of these terms below:
domain
|
Followed by a qualified domain, such as snowblower.example.com, allows the query for the host polaris to be tried both just as the host polaris, or failing that, appending the rest of the domain name to it and hopefully having it resolved by the server as that name (e.g. polaris.snowblower.example.com.).
|
search
|
Followed by a set of separate domains which can be queried one after the other hopefully to resolve the name. |
Network Tools
There are several commands that you can use to view network information. These tools can also be useful when you are troubleshooting network issues.
The ifconfig command
The ifconfig command stands for interface configuration and is used to display network configuration information. The command can be used to modify the network settings temporarily – to do the changes persistent you must change the configuration files of the network manager in use.
The ip command
The nowadays versions of Debian and Ubuntu comes wit the command ip by default, ifconfig could be installed but it is deprecated. To get an output similar to ifconfig (without any options) we can use ip a or ip addr show.
The ip command has increased functionality and set of options, it can almost be a one-stop shop for configuration and control of a system’s networking. The format for the ip command is as follows:
ip [OPTIONS] OBJECT COMMAND
The ip command branches out to do some of the work of several other legacy commands such as route and arp.
See also: TechMint: 10 Useful “IP” Commands to Configure Network Interfaces.
The route command
Recall that a router (or gateway) is a machine that allows hosts from one network to communicate with another network. To view a table that describes where network packages are sent, use the route command:
user@ubuntu:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 0 0 0 enp6s18
172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 enp6s18
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
Display this information with numeric data only, by using the -n option to the route command.
user@ubuntu:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.1.1 0.0.0.0 UG 0 0 0 enp6s18
172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 enp6s18
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
The route command is becoming obsolete in some Linux distributions (deprecated) and is being replaced with a form of the ip command, specifically ip route or ip route show. Note that the same information highlighted above can also be found using this command:
user@ubuntu:~$ ip route
default via 172.16.1.1 dev enp6s18 proto static
172.16.1.0/24 dev enp6s18 proto kernel scope link src 172.16.1.201
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
The ping command
The ping command can be used to determine if another machine is reachable.
user@ubuntu:~$ ping 192.168.1.100
To limit how many pings to send, use the -c option followed by a number indicating how many iterations you desire.
user@ubuntu:~$ ping -c 4192.168.1.100
It is important to note that just because the ping command fails does not mean that the remote system is unreachable. Some administrators configure their machines (and even entire networks!) to not respond to ping requests because a server can be attacked by something called a denial of service attack. In this sort of attack, a server is overwhelmed by a massive number of network packets. By ignoring ping requests, the server is less vulnerable.
Many administrators use the ping command with a hostname, and if that fails then use the IP address to see if the fault is in resolving the device’s hostname. Using the hostname first saves time; if that ping command is successful, there is proper name resolution, and the IP address is functioning correctly as well.
The netstat command
The netstat command is a powerful tool that provides a large amount of network information. It can be used to display information about network connections as well as display the routing table similar to the route command.
For example, to display statistics regarding network traffic, use the -i option to the netstat command:
netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 13539 0 20 0 2460 0 0 0 BMRU
lo 65536 1368 0 0 0 1368 0 0 0 LRU
The most important statistics from the output above are the TX-OK and TX-ERR. A high percentage of TX-ERR may indicate a problem on the network, such as too much network traffic.
To use the netstat command to display routing information, use the -r option:
netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default host-185-143-18 0.0.0.0 UG 0 0 0 eth0
185.143.189.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
The netstat command is also commonly used to display open ports. A port is a unique number that is associated with a service provided by a host. If the port is open, then the service is available for other hosts. To see a list of all currently open ports, use the following command:
netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
The -t option to the netstat command limits the listing to TCP ports; the -l option limits the output to ports with listening services; the -n shows the network addresses numerically.
While no further development is being done on the netstat command, it is still an excellent tool for displaying network information. The goal is to eventually replace the netstat command with commands such as the ss and ip commands. However, it is important to realize that this may take some time.
Commonly used options.
netstat -tln
netstat -tuln
netstat -tnupa
netstat -penaut
netstat -pnat
The ifstat command
ifstat – report InterFace STATistics – it is a little tool to report interface activity, just like iostat/vmstat do for other system statistics.
sudo apt install ifstat
ifstat [-a] [-l] [-z] [-n] [-v] [-h] [-t] [-i if0,if1,...] [-d drv[:opt]] [-s
[comm@][#]host[/nn]] [-T] [-A] [-w] [-W] [-S] [-b] [-q] [delay[/delay] [count]]
sudo ifstat -t
Time enp6s18 docker0 br-7924d7f73888 vethf21c018 veth124914d vetha6d5f6c
HH:MM:SS KB/s in KB/s out KB/s in KB/s out KB/s in KB/s out KB/s in KB/s out KB/s in KB/s out KB/s in KB/s out
21:38:04 2.32 7.15 20.37 17.56 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
21:38:05 0.12 0.22 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
21:38:06 1.97 5.43 0.00 0.00 0.16 0.95 0.00 0.08 0.00 0.08 0.22 0.95
21:38:07 28.06 1037.76 0.00 0.00 1013.09 18.08 0.54 1.63 0.00 0.08 1016.72 18.57
21:38:08 10.55 825.46 0.00 0.00 820.37 7.55 3.93 2.76 0.00 0.00 824.55 11.48
The lsof command
Test which service at which port listens to (similar to netstat ‑tuln):
sudo lsof -i -n -P
sudo lsof -i -n -P +c 0
sudo lsof -i -n -P +c 0 | grep ':80\|:443'
sudo lsof -i -n -P | grep www-data
See also the following answers for practical usage of lsof:
- Ask Ubuntu: How to netstat/lsof and kill pid of the program to make server working?
- Ask Ubuntu: How to remove application in ufw app list Available applications?
- Ask Ubuntu: SSH connection through port 443 fails
The nmap command
The command nmap is Linux command-line tool for network exploration and security auditing. This tool is generally used by hackers and cybersecurity enthusiasts and even by network and system administrators. It is used for the following purposes:
- Real time information of a network
- Detailed information of all the IPs activated on your network
- Number of ports open in a network
- Provide the list of live hosts
- Port, OS and Host scanning
nmap -h # get help and examples
nmap www.geeksforgeeks.org # basic usage
nmap -p22 www.geeksforgeeks.org # basic usage with certain port
nmap -p80-82 www.geeksforgeeks.org # basic usage with port range
nmap -p U:53,111,137,T:21-25,80,139,8080,S:9 www.geeksforgeeks.org
nmap -sT 77.77.77.70
nmap --script vuln 77.77.77.70
Find all IPv4 addresses in the LAN:
nmap -sn 192.168.100.0/24
Scan for open ports at certain IPv4 address:
sudo nmap -p 1-20000 192.168.100.110
See also:
- NetworkChuck at YouTube: Let's hack your home network
- Ask Ubuntu: How to find all the used IP addresses on a network
- Ask Ubuntu: Is it possible to perform port scanning of the local host itself as another host?
The ss command
The ss command is designed to show socket statistics and supports all the major packet and socket types. Meant to be a replacement for and to be similar in function to the netstat command, it also shows a lot more information and has more features.
The main reason a user would use the ss command is to view what connections are currently established between their local machine and remote machines, statistics about those connections, etc.
Similar to the netstat command, you can get a great deal of useful information from the ss command just by itself as shown in the example below.
ss
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 * 104741 * 104740
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 14623 * 14606
u_str ESTAB 0 0 /var/run/dbus/system_bus_socket 13582 * 13581
...
The output is very similar to the output of the netstat command with no options. The columns above are:
Netid
|
The socket type and transport protocol |
State
|
Connected or Unconnected, depending on protocol |
Recv‑Q
|
Amount of data queued up for being processed having been received |
Send‑Q
|
Amount of data queued up for being sent to another host |
Local Address
|
The address and port of the local host’s portion of the connection |
Peer Address
|
The address and port of the remote host’s portion of the connection |
The format of the output of the ss command can change dramatically, given the options specified, such as the use of the -s option, which displays mostly the types of sockets, statistics about their existence and numbers of actual packets sent and received via each socket type, as shown below:
ss -s
Total: 1000 (kernel 0)
TCP: 7 (estab 0, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 0
Transport Total IP IPv6
* 0 - -
RAW 0 0 0
UDP 9 6 3
TCP 7 3 4
INET 16 9 7
FRAG 0 0 0
sudo ss -ltpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 1 127.0.0.1:52400 0.0.0.0:* users:(("autossh",pid=1141240,fd=3))
LISTEN 0 1 127.0.0.1:52944 0.0.0.0:* users:(("autossh",pid=1141206,fd=3))
LISTEN 0 1024 127.0.0.1:6800 0.0.0.0:* users:(("aria2c",pid=21787,fd=5))
LISTEN 0 1 127.0.0.1:56337 0.0.0.0:* users:(("autossh",pid=1141044,fd=3))
LISTEN 0 65535 0.0.0.0:8081 0.0.0.0:* users:(("docker-proxy",pid=8859,fd=4))
LISTEN 0 65535 0.0.0.0:8082 0.0.0.0:* users:(("docker-proxy",pid=9062,fd=4))
...
The dig command
The dig command stands for Domain Information Groper. It is used for retrieving information about DNS name servers. It is basically used by network administrators. It is used for verifying and troubleshooting DNS problems and to perform DNS lookups. Dig command replaces older tools such as nslookup and the host.
dig [@global-server] [domain] [q-type] [q-class] {q-opt}
dig -h
There may be times when you need to test the functionality of the DNS server that your host is using. One way of doing this is to use the dig command, which performs queries on the DNS server to determine if the information needed is available on the server.
dig geeksforgeeks.org # get verbose information
dig geeksforgeeks.org +short # get essential information only IP in this case
dig geeksforgeeks.org TXT +short # get only the TXT records
dig _acme-challenge.example.com TXT +short # get certain TXT record
If the DNS server doesn't have the requested information, it is configured to ask other DNS servers. If none of them have the requested information, an error message displays. Here is how to test the data cached for a target host by a certain DNS:
dig @ns1.domain.com metalevel.tech +short
See also: DigitalOcean Docs: Retrieve DNS Information Using Dig
The host command
In its simplest form, the host command works with DNS to associate a hostname with an IP address. As used in a previous example, example.com is associated with the IP address of 192.168.1.2:
host example.com
example.com has address 192.168.1.2
The host command can also be used in reverse if an IP address is known, but the domain name is not.
host 192.168.1.2
2.1.168.192.in-addr.arpa domain name pointer example.com.
2.1.168.192.in-addr.arpa domain name pointer cserver.example.com.
Other options exist to query the various aspects of a DNS such as a CNAME canonical name ‑alias:
host -t CNAME example.com
example.com has no CNAME record
Since many DNS servers store a copy of example.com, SOA Start of Authority records indicate the primary server for the domain:
host -t SOA example.com
example.com has SOA record example.com. cserver.example.com. 2 604800 86400 2419200 604800
A comprehensive list of DNS information regarding example.com can be found using the -a all option:
host -a example.com
Trying "example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3549
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com. IN ANY
;; ANSWER SECTION:
example.com. 86400 IN SOA example.com. cserver.example.com. 2 604800 86400 2419200 604800
example.com. 86400 IN NS example.com.
example.com. 86400 IN A 192.168.1.2
;; ADDITIONAL SECTION:
example.com. 86400 IN A 192.168.1.2
Received 119 bytes from 127.0.0.1#53 in 0 ms
The ssh command
The ssh command allows you to connect to another machine across the network, log in and then perform tasks on the remote machine.
If you only provide a machine name or IP address to log into, the ssh command assumes you want to log in using the same username that you are currently logged in as. To use a different username, use the syntax:
ssh username@hostname # type `exit` to close the connection
When using the ssh command, the first prompt asks you to verify the identity of the machine you are logging into. In most cases, you are going to want to answer yes. While you can check with the administrator of the remote machine to make sure that the RSA key fingerprint is correct, this isn't the purpose of this query. It is designed for future login attempts.
After you answer yes, the RSA key fingerprint of the remote machine is stored on your local system. When you attempt to ssh to this same machine in the future, the RSA key fingerprint provided by the remote machine is compared to the copy stored on the local machine. If they match, then the username prompt appears. If they don't match, an error is sisplayed.
This error could indicate that a rogue host has replaced the correct host. Check with the administrator of the remote system. If the system were recently reinstalled, it would have a new RSA key, and that would be causing this error.
In the event that this error message is due to a remote machine reinstall, you can remove the ~/.ssh/known_hosts file from your local system (or just remove the entry for that one machine) and try to connect again.
