Chapter Nine

Networking

How a packet moves from the wire to a process, how you configure and persist addressing and routes, and the four tools you reach for when someone says "the network is down."

7 topics

Most "the network is broken" incidents are one of four things wearing a disguise: a DNS lookup failing, a missing or wrong route, a firewall dropping the packet, or a service bound to the wrong address. This chapter takes the path a packet travels — NIC, kernel stack, socket, process — and gives you the tool that isolates each layer, so you stop guessing and start localizing.

It leads with the modern iproute2 toolset (ip, ss) rather than the deprecated net-tools (ifconfig, netstat), and with the Debian/Ubuntu configuration backends — Netplan, systemd-networkd, systemd-resolved, ufw, and nftables — noting the Red Hat equivalents where they diverge. By the end you can configure an interface that survives a reboot, read a routing table, see exactly what is listening and who owns it, build a default-deny firewall without locking yourself out, and run SSH the way a server admin should.

The path of a packet:
NIC (frame arrives) -> Kernel stack (route + netfilter) -> Socket (demux to a port) -> Process (read())

Topics in This Chapter

Topic 46
The Network Stack
The layers a request crosses — NIC and driver, the kernel TCP/IP stack, sockets, and userspace — and where netfilter hooks in. Knowing the layer tells you which tool to reach for, and why iproute2 replaced net-tools.
Tags: Stack, Kernel
Topic 47
Interfaces and Addressing
Managing interfaces and addresses with ip, CIDR fluency, and static versus DHCP on a server. The part that bites is persistence — Netplan, systemd-networkd, or NetworkManager, not a runtime-only ip addr add that vanishes on reboot.
Tags: Addressing, Config
Topic 48
Routing
The kernel matches each destination to the most specific route, falling back to the default gateway. ip route get shows the route it will pick; traceroute and mtr show the actual hop-by-hop path when one fails.
Tags: Routing, Diagnostics
Topic 49
DNS Resolution
The resolution path through nsswitch.conf, /etc/hosts, /etc/resolv.conf, and the local 127.0.0.53 stub. The classic trap: hand-editing a resolv.conf that systemd-resolved owns as a symlink and overwrites on the next event.
Tags: DNS, Resolution
Topic 50
Sockets and Ports
A socket is an endpoint identified by IP and port; ss -tlnp shows what is listening and which process owns it. The single most common "works locally, not remotely" cause is a service bound to 127.0.0.1 instead of 0.0.0.0.
Tags: Sockets, Ports
Topic 51
Firewalls
Netfilter is the kernel's packet filter; nftables is the modern front-end, iptables the one people still think in, and ufw/firewalld the wrappers. A host firewall is default-deny inbound with explicit allows — and the rules must survive reboot.
Tags: Firewall, Netfilter
Topic 52
SSH
The encrypted remote-access protocol every admin lives in: shell, file transfer, port forwarding, and key-based auth. Getting keys, ~/.ssh/config with ProxyJump, and the agent right is the difference between frictionless and password-prompt-hell.
Tags: Remote Access, Auth