Module 5: Network Configuration and Troubleshooting

Learning Objectives

By the end of this module, you will be able to:

1. Network Configuration Tools

The ip Command Suite

The ip command is part of the iproute2 package and has largely replaced older utilities like ifconfig, route, and arp. It provides a unified interface for network configuration.

Under the Hood: The ip command communicates with the kernel's networking stack through Netlink sockets, allowing efficient configuration of network parameters directly in the kernel.

Viewing network interfaces:

ip link show

Configuring IP addresses:

ip address add 192.168.1.10/24 dev eth0

Examining routing:

ip route show

Bringing interfaces up/down:

ip link set eth0 up
ip link set eth0 down

NetworkManager and nmcli

NetworkManager is a daemon that manages network connections and automatically configures network interfaces, especially useful for desktop systems and laptops.

Under the Hood: NetworkManager maintains profiles for different connections and manages network configuration by interacting with lower-level components like wpa_supplicant and the kernel's networking stack.

Viewing connections:

nmcli connection show

Creating a new connection:

nmcli connection add type ethernet con-name "Office-Net" ifname eth0 ipv4.addresses 192.168.1.100/24 ipv4.gateway 192.168.1.1

Connecting to a wireless network (a password given on the command line is recorded in shell history and visible in the process list; nmcli --ask device wifi connect "MyWiFi" prompts for it instead):

nmcli device wifi connect "MyWiFi" password "mysecretpassword"

Netplan (Ubuntu-specific)

Netplan is a YAML-based network configuration utility introduced in Ubuntu 18.04. It acts as an abstraction layer above other network implementations.

Under the Hood: Netplan reads configuration files from /etc/netplan/*.yaml, generates the appropriate configuration for either NetworkManager or systemd-networkd, and applies it to the system.

Example Netplan configuration:

network:
  version: 2
  renderer: networkd
  ethernets:
    ens33:
      addresses:
        - 192.168.1.100/24
      gateway4: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]

To apply the configuration:

sudo netplan apply

2. Network Diagnostics

Basic Connectivity Testing with ping

The ping utility sends ICMP Echo Request packets to a target host and waits for replies.

Under the Hood: Ping creates an ICMP packet (type 8 for echo request) and sends it to the destination, which replies with an ICMP Echo Reply (type 0). The round-trip time is calculated based on timestamps.

ping -c 4 google.com

Tracing Network Paths with traceroute

Under the Hood: Traceroute sends packets with TTL values that start at 1 and increase by one per probe. Each router decrements the TTL and, when it reaches zero, returns an ICMP "Time Exceeded" message, revealing each hop in the path.

traceroute google.com

Socket Statistics with ss

Under the Hood: The ss command queries the kernel’s socket information directly via Netlink sockets, providing detailed information about active connections and listening ports.

ss -tuln

Port Scanning with nmap

Under the Hood: Nmap sends specially crafted packets to target hosts and analyzes the responses to discover hosts, open ports, and services.

nmap -A 192.168.1.1

3. Firewall Configuration

iptables - The Classic Linux Firewall

Under the Hood: iptables interfaces with the kernel’s netfilter framework. It organizes rules into chains and tables, processing each rule sequentially to determine the action (ACCEPT, DROP, etc.) for each packet.

# List current rules
sudo iptables -L

# Allow SSH connections
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Block a specific IP address
sudo iptables -A INPUT -s 192.168.1.5 -j DROP

# Save rules for persistence (the redirect must run as root, so it is wrapped in sh -c)
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

ufw - Uncomplicated Firewall

ufw provides a simplified interface to iptables, making firewall management more accessible.

Under the Hood: ufw translates simple commands into iptables rules and stores its configurations in /etc/ufw/.

sudo ufw enable
sudo ufw allow ssh
sudo ufw allow 8080/tcp
sudo ufw status verbose

firewalld - Dynamic Firewall Manager

Under the Hood: firewalld uses zones to manage firewall rules dynamically, communicating via D-Bus. It can change rules on the fly without disrupting active connections.

sudo firewall-cmd --state
sudo firewall-cmd --list-all-zones
sudo firewall-cmd --add-service=http
sudo firewall-cmd --runtime-to-permanent

4. DNS Configuration

DNS Client Configuration

The resolver configuration in /etc/resolv.conf specifies DNS servers and search domains used by the system.

nameserver 8.8.8.8
nameserver 8.8.4.4
search example.com

Using systemd-resolved:

resolvectl status
sudo resolvectl dns ens33 8.8.8.8 8.8.4.4

Using NetworkManager:

sudo nmcli connection modify "My Connection" ipv4.dns "8.8.8.8 8.8.4.4"

DNS Server Configuration with BIND

BIND is widely used DNS server software. It listens on port 53 and uses zone files to map domain names to IP addresses.

sudo apt install bind9

Example caching nameserver configuration in /etc/bind/named.conf:

options {
    directory "/var/cache/bind";
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    allow-query { localhost; 192.168.1.0/24; };
    recursion yes;
};

Example authoritative zone declaration in /etc/bind/named.conf.local:

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
};

Example zone file:

$TTL    86400
@       IN      SOA     ns1.example.com. admin.example.com. (
                        2023082201      ; Serial
                        3600            ; Refresh
                        1800            ; Retry
                        604800          ; Expire
                        86400 )         ; Negative Cache TTL
;
@       IN      NS      ns1.example.com.
ns1     IN      A       192.168.1.10    ; address record for the NS target
@       IN      A       192.168.1.10
www     IN      A       192.168.1.10
mail    IN      A       192.168.1.20

Validate the configuration with named-checkconf and the zone with named-checkzone example.com /etc/bind/zones/db.example.com, then restart BIND to apply the changes:

sudo systemctl restart bind9

5. Network Interfaces and IP Addressing

Interface Types and Naming

Linux supports various interface types:

Under the Hood: Predictable Network Interface Names (like enp3s0) are derived from the device’s physical location to ensure consistent naming across reboots.

IP Address Configuration

IP addresses can be configured statically or obtained dynamically via DHCP.

Static configuration with ip:

sudo ip address add 192.168.1.100/24 dev eth0
sudo ip route add default via 192.168.1.1

Dynamic configuration with dhclient:

sudo dhclient eth0

Understanding Network Masks and CIDR Notation

Network masks define which portion of an IP address identifies the network and which identifies the host.

Under the Hood: In IPv4, the subnet mask (e.g., 255.255.255.0) and CIDR notation (e.g., /24) determine the network and host portions.

6. Troubleshooting Network Connectivity Issues

The OSI Troubleshooting Methodology

When facing network issues, work through these layers:

  1. Physical Layer: Check cables, link lights, and connections
  2. Data Link Layer: Verify MAC addresses and link status
  3. Network Layer: Check IP configuration, routing, and firewall rules
  4. Transport Layer: Verify port availability and service status
  5. Application Layer: Check application configurations and logs

Common Network Issues and Solutions

Link-Level Problems

Symptoms: Interface shows "NO-CARRIER", cannot ping even the default gateway.

Diagnosis:

ip link show eth0
ethtool eth0

Solutions: Check physical connection, replace cable, verify switch port, and inspect interface errors via dmesg.

IP Configuration Problems

Symptoms: Cannot reach hosts beyond local network, "Network is unreachable" errors.

Diagnosis:

ip addr show
ip route show

Solutions: Verify IP address and default gateway configuration.

DNS Resolution Issues

Symptoms: Able to ping IPs but not resolve domain names, "Unknown host" errors.

Diagnosis:

cat /etc/resolv.conf
dig google.com
host google.com

Solutions: Configure proper DNS servers and check firewall rules blocking port 53.

Firewall Blocking

Symptoms: Service running but not accessible from remote hosts.

Diagnosis:

sudo iptables -L -n
ss -tulpn | grep <port>

Solutions: Allow traffic on required ports and verify application-specific firewall settings.

7. Hands-on Exercises

Exercise 1: Network Interface Configuration

Scenario: Configure an ethernet interface with static IP settings and verify connectivity.

Implementation using ip command:

# Configure interface
sudo ip addr add 192.168.1.100/24 dev eth0
sudo ip link set eth0 up
sudo ip route add default via 192.168.1.1

# Configure DNS (temporary)
echo "nameserver 8.8.8.8
nameserver 8.8.4.4" | sudo tee /etc/resolv.conf

# Verify configuration
ip addr show eth0
ip route show

# Test connectivity
ping -c 4 192.168.1.1
ping -c 4 8.8.8.8
ping -c 4 google.com

Implementation using NetworkManager:

sudo nmcli con add type ethernet con-name "Static-Connection" ifname eth0 \
  ipv4.method manual ipv4.addresses 192.168.1.100/24 \
  ipv4.gateway 192.168.1.1 ipv4.dns "8.8.8.8 8.8.4.4"
sudo nmcli con up "Static-Connection"

Exercise 2: Diagnosing and Resolving DNS Issues

Scenario: A server can connect to IP addresses but cannot resolve domain names.

# Check current DNS configuration
cat /etc/resolv.conf

# Test DNS resolution
dig google.com
host amazon.com

# Test with an explicit DNS server
dig @8.8.8.8 google.com

# Check whether a local resolver is listening on port 53 (firewall rules: sudo iptables -L -n)
sudo ss -tuln | grep ':53 '

# Configure DNS settings (temporary)
echo "nameserver 8.8.8.8
nameserver 8.8.4.4" | sudo tee /etc/resolv.conf

# Using systemd-resolved
sudo resolvectl dns eth0 8.8.8.8 8.8.4.4

# With NetworkManager
sudo nmcli con mod "Your-Connection" ipv4.dns "8.8.8.8 8.8.4.4"
sudo nmcli con up "Your-Connection"

# Verify DNS resolution
ping -c 4 google.com
dig yahoo.com

Exercise 3: Firewall Configuration for a Web Server

Scenario: Configure a firewall to secure a web server while allowing necessary traffic.

Using ufw:

# Reset ufw to default state
sudo ufw reset

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH, HTTP, and HTTPS
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

# Enable ufw
sudo ufw enable

# Verify configuration
sudo ufw status verbose

Using iptables:

# Clear existing rules
sudo iptables -F
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# Allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow loopback interface
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow SSH, HTTP, and HTTPS
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Save rules for persistence
sudo apt install iptables-persistent
sudo bash -c 'iptables-save > /etc/iptables/rules.v4'
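An audit of the saved ruleset against the policy Exercise 3 sets up (default-deny INPUT and FORWARD, only 22, 80 and 443 accepted). This is an added example, not part of the module; the expected port list and the sample ruleset (the Exercise 3 rules plus one stray rule opening 8080) are constructed for illustration.

```shell
#!/bin/sh
# Audits an iptables ruleset in iptables-save format against the Exercise 3
# policy: INPUT and FORWARD default to DROP, and only the expected TCP ports
# are accepted in INPUT. Run against the live ruleset with:
#   audit_ruleset "$(sudo iptables-save)"

EXPECTED_PORTS="22 80 443"      # assumption: the only ports this host should expose

# Prints the default policy of a filter-table chain (":INPUT DROP [0:0]" -> DROP).
chain_policy() {                # $1 = chain name, $2 = iptables-save text
    printf '%s\n' "$2" | awk -v c="$1" '$1 == (":" c) { print $2; exit }'
}

# Prints each TCP destination port accepted by an INPUT rule, one per line.
accepted_tcp_ports() {          # $1 = iptables-save text
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" && / -p tcp / && / -j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# Returns 0 when the ruleset matches policy; prints one line per deviation.
audit_ruleset() {               # $1 = iptables-save text
    rc=0
    for chain in INPUT FORWARD; do
        pol=$(chain_policy "$chain" "$1")
        [ "$pol" = "DROP" ] || { echo "WEAK: $chain policy is '${pol:-unset}', expected DROP"; rc=1; }
    done
    for p in $(accepted_tcp_ports "$1"); do
        case " $EXPECTED_PORTS " in
            *" $p "*) ;;
            *) echo "UNEXPECTED: TCP port $p accepted in INPUT"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the Exercise 3 ruleset plus one stray rule opening 8080.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT'
```

Running audit_ruleset "$SAMPLE_RULES" reports the 8080 rule; the same check on a ruleset whose INPUT policy was left at ACCEPT reports the weak default policy.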

8. Common Pitfalls and Troubleshooting Tips

Network Configuration Persistence

Pitfall: Settings configured with the ip command don't persist after reboot.

Solution: Use NetworkManager, Netplan, or distribution-specific methods for persistent configuration.

Forgotten Firewall Rules

Pitfall: Services appear down because firewall rules block access.

Solution: Check firewall status using:

sudo iptables -L
sudo ufw status
sudo firewall-cmd --list-all

Temporarily disabling the firewall isolates the issue, but re-enable it as soon as the test is complete.

DNS Resolver Overwritten

Pitfall: DNS settings get overwritten by DHCP or network management tools.

Solution: Tell the network manager not to accept DHCP-supplied DNS servers (in NetworkManager, set ipv4.ignore-auto-dns yes on the connection profile) or use systemd-resolved overrides.

Virtual Machine Network Issues

Pitfall: VMs have specific network requirements that differ from physical machines.

Solution: Verify virtualization platform settings (NAT, Bridged, Host-only) and ensure VM interface configurations match those requirements.

MTU Mismatches

Pitfall: Incorrect MTU settings cause packet fragmentation or drops. The ping below sends a 1472-byte payload with the DF bit set (-M do); with 8 bytes of ICMP header and 20 bytes of IPv4 header that is the largest packet that fits a 1500-byte MTU, so a failure indicates a smaller MTU somewhere on the path.

ip link show eth0 | grep mtu
ping -c 4 -M do -s 1472 google.com
sudo ip link set eth0 mtu 1500
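The -M do probe above, generalized into a binary search for the path MTU. This is an added example, not from the module; the script name pmtu.sh is an assumption, and the target is whatever host is passed as the first argument.

```shell
#!/bin/sh
# Finds the largest ICMP payload that crosses the path to a host with the DF bit
# set (ping -M do) and reports the implied path MTU. The probe is isolated in
# probe_size so the search can be exercised with a substitute.

# Returns 0 when a DF-flagged ping with $2 payload bytes to $1 gets a reply.
probe_size() {                  # $1 = host, $2 = ICMP payload size in bytes
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# Binary search over the payload size; prints the largest size that passes
# (0 when nothing passes, e.g. the host is unreachable).
largest_payload() {             # $1 = host, $2 = lowest size to try, $3 = highest
    host=$1; lo=$2; hi=$3
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe_size "$host" "$mid"; then lo=$mid; else hi=$((mid - 1)); fi
    done
    echo "$lo"
}

# Path MTU = payload + 8 bytes ICMP header + 20 bytes IPv4 header; 1472 is the
# largest payload that fits a standard 1500-byte MTU, so the search starts there.
path_mtu() {                    # $1 = host
    payload=$(largest_payload "$1" 0 1472)
    echo $((payload + 28))
}

# Usage: sh pmtu.sh google.com   (a path MTU below 1500 points at a tunnel or
# PPPoE link; set the interface MTU to that value or let PMTUD work, i.e. do not
# block ICMP "fragmentation needed" messages at the firewall)
if [ -n "${1:-}" ]; then echo "path MTU to $1: $(path_mtu "$1")"; fi
```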

Overlooking IPv6

Pitfall: IPv6 connectivity problems are overlooked even though applications that prefer IPv6 are affected by them.

ip -6 addr show
ip -6 route show
ping6 -c 4 ipv6.google.com

Configure IPv6 properly or disable it if unnecessary.

9. Quick Reference Summary

Network Configuration

Task                            | Command
--------------------------------|----------------------------------------
View interfaces                 | ip link show
Show IP addresses               | ip addr show
Add IP address                  | ip addr add 192.168.1.100/24 dev eth0
Set interface up/down           | ip link set eth0 up (or down)
Add default route               | ip route add default via 192.168.1.1
Show NetworkManager connections | nmcli connection show
Apply Netplan config            | sudo netplan apply

Diagnostic Tools

Tool       | Purpose                | Example
-----------|------------------------|------------------------
ping       | Test connectivity      | ping -c 4 google.com
traceroute | Trace packet path      | traceroute google.com
ss         | Show socket statistics | ss -tuln
dig        | Query DNS servers      | dig google.com
nmap       | Scan network ports     | nmap -A 192.168.1.1

Firewall Management

Firewall  | Action          | Command
----------|-----------------|----------------------------------------------------
iptables  | List rules      | sudo iptables -L
iptables  | Allow port      | sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
ufw       | Enable firewall | sudo ufw enable
ufw       | Allow service   | sudo ufw allow http
firewalld | List zones      | sudo firewall-cmd --list-all-zones
firewalld | Add service     | sudo firewall-cmd --add-service=http

Troubleshooting Steps

  1. Check physical connectivity (ip link, ethtool).
  2. Verify IP configuration (ip addr, ip route).
  3. Test local connectivity (ping gateway-ip).
  4. Test internet connectivity (ping 8.8.8.8).
  5. Check DNS resolution (dig domain.com).
  6. Verify firewall rules (iptables -L, ufw status).
  7. Check service status (ss -tulpn).
  8. Analyze system logs (journalctl, /var/log/syslog).
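The layered checks from Section 6 and the troubleshooting steps above, combined into one script that stops at the first failing layer. This is an added example, not part of the module; the parsing is kept separate from the live commands so it can be checked against constructed command output, and the interface name, the 8.8.8.8 probe address and the example.com test name are assumptions.

```shell
#!/bin/sh
# Layer-by-layer connectivity diagnosis: stops at the first failing check and
# names the layer. Parsing functions take command output as an argument so the
# logic can be exercised without touching the network.

IFACE="${IFACE:-eth0}"          # assumption: interface to examine
PROBE_IP="8.8.8.8"              # assumption: well-known address for the Internet test
PROBE_NAME="example.com"        # assumption: name used for the DNS test

# L1/L2: link is usable only when `ip link show` reports "state UP" and not
# NO-CARRIER ("state UNKNOWN", seen on some virtual devices, is treated as unverified).
link_ok() {                     # $1 = output of `ip link show <iface>`
    case "$1" in
        *NO-CARRIER*) return 1 ;;
        *"state UP"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# L3: prints the default gateway found in `ip route show` output, or nothing.
default_gateway() {             # $1 = output of `ip route show`
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# L7 (DNS): prints the first nameserver from resolv.conf content, or nothing.
first_nameserver() {            # $1 = content of /etc/resolv.conf
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# Runs the live checks in order and reports the first layer that fails.
diagnose() {
    link_ok "$(ip link show "$IFACE" 2>/dev/null)" \
        || { echo "L1/L2: $IFACE is down or has no carrier"; return 1; }
    gw=$(default_gateway "$(ip route show)")
    [ -n "$gw" ] || { echo "L3: no default route configured"; return 1; }
    ping -c 1 -W 2 "$gw" >/dev/null 2>&1 \
        || { echo "L3: default gateway $gw does not answer"; return 1; }
    ping -c 1 -W 2 "$PROBE_IP" >/dev/null 2>&1 \
        || { echo "L3: gateway reachable but $PROBE_IP is not (routing or upstream firewall)"; return 1; }
    ns=$(first_nameserver "$(cat /etc/resolv.conf)")
    [ -n "$ns" ] || { echo "L7: no nameserver in /etc/resolv.conf"; return 1; }
    getent hosts "$PROBE_NAME" >/dev/null \
        || { echo "L7: IP connectivity works but $PROBE_NAME does not resolve via $ns (check port 53)"; return 1; }
    echo "all checks passed; look at the service itself (ss -tulpn, journalctl)"
}

# Usage: sh net_diag.sh run   (or IFACE=ens33 sh net_diag.sh run)
if [ "${1:-}" = "run" ]; then diagnose; fi
```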

With this comprehensive understanding of Linux network configuration and troubleshooting, you're well-equipped to diagnose and resolve common networking issues in Linux environments. A systematic methodology and solid grasp of underlying principles are your best tools for effective troubleshooting.