Production Reference

Linux Networking Cheatsheet

Operational reference for the Linux networking toolkit. Sockets, routes, firewalls (iptables/nftables), packet capture (tcpdump), TLS debugging (openssl), and the eBPF-era diagnostics for the moments a connection just will not establish.


Inspecting interfaces, addresses, routes

ip a / ip addr show

Show all interfaces and their addresses. Modern replacement for ifconfig.

Production note: On Kubernetes nodes, look for veth* (pod), cni0/flannel.1 (CNI), eth0 (host).

ip r / ip route show

Show the kernel routing table.

Production note: On a misbehaving pod, compare to a healthy pod's routes — CNI mistakes often show up here.

ip -s link show <iface>

Per-interface byte/packet counters and error stats.

Production note: Climbing drop counters on an interface point to an MTU mismatch, NIC saturation, or a buffer problem.

ip neigh / ip n

ARP / neighbor table. Stale entries cause "destination unreachable" symptoms.

Production note: Force refresh with `ip neigh flush all` if you suspect ARP poisoning or stale entries after a node move.

ip netns list

List network namespaces. Each Kubernetes pod runs in its own.

Production note: Enter a pod's netns from the node: `nsenter -t <PID> -n <command>`.

Sockets and listening ports

ss -tlnp

TCP listening sockets with the owning process. -t TCP, -l listening, -n numeric, -p process.

Production note: Modern replacement for `netstat -tlnp`. Faster and shows more detail.

ss -tunap

All TCP+UDP sockets including established connections.

Production note: Look at Recv-Q / Send-Q columns to spot backlog.

ss -t state established '( dport = :443 )'

Filter sockets by state and port. Useful when investigating TLS connection counts.

Production note: ss filters are more powerful than grep — fewer false positives in port-number matches.

lsof -i :443

Which process is listening on a port. A fallback when ss output is overwhelming.

Production note: Pair with `lsof -p <pid>` to see all of a process's open files and sockets.
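Turning the Recv-Q / Send-Q note into a check you can script, as an added example (not from the original page): the two columns mean different things for LISTEN and ESTAB sockets, and the thresholds and the sample `ss -tunap` output below are constructed.

```sh
#!/bin/sh
# Flag socket backlog in `ss -tunap` output (added example, not from the original page).
# Recv-Q / Send-Q mean different things per state:
#   LISTEN : Recv-Q = connections waiting in the accept queue, Send-Q = the queue's limit (backlog)
#   ESTAB  : Recv-Q = bytes received but not yet read by the app, Send-Q = bytes sent but not yet ACKed

# Constructed sample in the shape `ss -tunap` prints (not a real capture):
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=123,fd=6))
tcp   LISTEN 128    128    0.0.0.0:8080        0.0.0.0:*         users:(("app",pid=77,fd=3))
tcp   ESTAB  0      0      10.0.0.5:443        10.0.0.9:51234    users:(("nginx",pid=123,fd=7))
tcp   ESTAB  262144 0      10.0.0.5:443        10.0.0.10:40001   users:(("nginx",pid=123,fd=9))
tcp   ESTAB  0      98304  10.0.0.5:443        10.0.0.11:40002   users:(("nginx",pid=123,fd=11))
udp   UNCONN 0      0      0.0.0.0:53          0.0.0.0:*         users:(("systemd-resolve",pid=9,fd=12))'

# flag_backlog [RECV_BYTES] [SEND_BYTES] < ss-output
# Prints "REASON LOCAL PEER PROCESS" for every socket that looks backed up.
flag_backlog() {
  awk -v rq="${1:-65536}" -v sq="${2:-65536}" '
    NR == 1 { next }                                          # skip header
    $2 == "LISTEN" && $4 + 0 > 0 && $3 + 0 >= $4 + 0 { print "accept-queue-full", $5, $6, $7; next }
    $2 == "ESTAB"  && $3 + 0 > rq + 0                { print "app-not-reading",   $5, $6, $7; next }
    $2 == "ESTAB"  && $4 + 0 > sq + 0                { print "peer-not-acking",   $5, $6, $7; next }
  '
}

# count_flagged [RECV_BYTES] [SEND_BYTES]: number of flagged sockets in the sample, for alerting
count_flagged() {
  printf '%s\n' "$SAMPLE_SS" | flag_backlog "$@" | wc -l | tr -d ' '
}
```

On a live host, pipe the real output through it: `ss -tunap | flag_backlog`.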

Connectivity testing

curl -v https://example.com

Verbose HTTPS request. Shows DNS, connect, TLS handshake, request, response.

Production note: Add --resolve example.com:443:1.2.3.4 to bypass DNS for testing a specific origin.

curl --connect-timeout 5 -o /dev/null -s -w "%{http_code} %{time_total}\n" URL

Latency and status without body. Loop with watch for SLO-style probing.

Production note: Combine with `-o /dev/null --write-out "%{ssl_verify_result} %{remote_ip} %{time_namelookup} %{time_connect} %{time_starttransfer}"` for full timing breakdown.

nc -zv host port / ncat -zv host port

TCP connect test. -z just probes, -v reports outcome.

Production note: Use to differentiate "DNS works but port is blocked" from "DNS is broken".

mtr -rwn host (or traceroute -T -p 443 host)

Hop-by-hop latency and loss. -T uses TCP, which gets through most firewalls that filter ICMP.

Production note: Run from both endpoints — asymmetric paths and loss show up immediately.

dig +trace example.com / dig @8.8.8.8 example.com

DNS resolution path. +trace walks from root to authoritative.

Production note: `dig +short TXT _dmarc.example.com` for DMARC, etc. Always specify the resolver in incident debugging.

Packet capture and analysis (tcpdump)

tcpdump -i any -nn -s0 -w cap.pcap port 443

Capture full-length packets on any interface. -nn suppresses name resolution; -s0 grabs full packet (essential for TLS analysis).

Warning: Captures contain plaintext for non-TLS traffic. Treat capture files as sensitive — store on encrypted volumes, scrub before sharing.

tcpdump -i eth0 -nn host 1.2.3.4 and port 443

Filter by host and port. tcpdump's BPF filter language is concise.

Production note: Common filters: `tcp[tcpflags] & (tcp-syn|tcp-fin) != 0` (connection setup/teardown), `not port 22` (skip SSH noise).

tcpdump -i any -A -nn port 80

ASCII dump of packets — readable for plaintext HTTP debugging.

Warning: Body content is in capture; never run on a production interface carrying customer data without explicit authorization.

tshark -i any -Y "http.response.code >= 500" -T fields -e ip.src -e http.host

CLI Wireshark with display filter. Grep-like for packet streams.

Production note: tshark is great in CI / scripts. For interactive analysis, capture with tcpdump and open the pcap in Wireshark GUI.

TLS debugging (openssl)

openssl s_client -connect example.com:443 -servername example.com

Open a TLS session and dump the cert chain. -servername sends SNI (required for most modern hosts).

Production note: Add -showcerts to print the entire chain in PEM. Pipe to `openssl x509 -text -noout` to inspect each cert.

openssl x509 -in cert.pem -noout -dates -subject -issuer

Parse a certificate file. Check expiry, subject, issuer in one line.

Production note: Add `-ext subjectAltName` to see SANs — vital for debugging "cert valid for X but I requested Y" errors.

openssl verify -CAfile chain.pem cert.pem

Verify a cert against a CA bundle.

Production note: When a system trust store complains, use this to isolate "is the cert + chain self-consistent" from "does this OS trust the issuing CA".

curl --cacert chain.pem -v https://example.com

Test with a custom CA bundle without modifying system stores.

Production note: Quick way to validate an internal CA before deploying it to nodes / containers.

openssl s_client -connect host:443 -tls1_2 / -tls1_3

Force a specific TLS version. Useful for negotiating with legacy peers.

Warning: TLS 1.0 and 1.1 are deprecated and should be disabled in production. Use this only for debugging legacy systems.

Firewall: iptables / nftables

iptables -L -n -v --line-numbers

List all chains with packet counters and line numbers. Counters help identify which rules are actually being hit.

Production note: On modern distros, prefer nftables (`nft list ruleset`). iptables-nft preserves the iptables CLI on top of nftables.

iptables -t nat -L -n

NAT table — DNAT/SNAT rules. Critical for understanding Kubernetes service routing.

Production note: On Kubernetes nodes, `iptables -t nat -L KUBE-SERVICES -n` shows how kube-proxy maps Service IPs to pod IPs.

iptables -A INPUT -p tcp --dport 22 -j DROP

Drop incoming SSH. Example of an explicit firewall rule.

Warning: Modifying iptables on a remote host can lock you out. Always test with `at` to schedule a rollback if connection is lost.

nft list ruleset

nftables — the modern Linux firewall framework.

Production note: nftables uses sets and maps for efficient rule matching at scale; iptables degrades linearly above a few hundred rules.

iptables-save / iptables-restore

Backup and restore the rule set. Always run iptables-save before making changes.

Production note: Persist rules with iptables-persistent (Debian/Ubuntu) or netfilter-persistent so they survive reboots.

eBPF-era observability

ss -ti

Per-connection TCP stats: RTT, retransmits, congestion window. -t TCP, -i internal TCP information. eBPF-backed in modern kernels.

Production note: Spotting elevated retransmits or low cwnd points to packet loss or path MTU issues.

bpftrace -e 'kprobe:tcp_sendmsg { @[comm] = count(); }'

eBPF one-liner: count tcp_sendmsg calls per process. The "what is sending traffic" question, answered without restarting.

Production note: bpftool, BCC, and bpftrace are the modern observability stack — minimal overhead, no kernel modules.

tcpdrop (BCC tool)

Trace why TCP packets are being dropped at the kernel level. Essential when retransmits climb without a clear cause.

Production note: Part of the bcc-tools package. The whole bcc/ suite is gold for production debugging.

cilium hubble observe

Cilium's eBPF-based flow visibility — pod-to-pod traffic with policy decisions.

Production note: In Cilium-managed clusters, this replaces tcpdump for east-west traffic analysis.

Hardened patterns

Common misconfigurations

The unsafe pattern, the replacement, and the reason the two are not equivalent in production.

Risky

# Use ICMP ping for connectivity test
ping -c 3 example.com

Hardened

# TCP probe at the actual port
curl --connect-timeout 5 -o /dev/null -s -w "%{http_code}\n" https://example.com
# or
nc -zv example.com 443

Why it matters: ICMP is blocked by many firewalls and load balancers — a failing ping doesn't mean the service is down. Always probe the protocol your application uses, on the actual port.

Risky

# Capture only header (truncated)
tcpdump -i any -s 100 host 1.2.3.4

Hardened

# Capture full packets
tcpdump -i any -s 0 -w trace.pcap host 1.2.3.4
# (-s 0 means full packet length;
#  open in Wireshark for analysis)

Why it matters: -s 100 captures only 100 bytes per packet — enough for the TCP header but not the application payload. TLS handshakes, HTTP bodies, and DNS responses get truncated. Almost never what you want.

Risky

# Test cert expiry by visiting in browser
firefox https://api.example.com

Hardened

# Scriptable cert expiry check
echo | openssl s_client -connect api.example.com:443 -servername api.example.com 2>/dev/null \
  | openssl x509 -noout -enddate
# notAfter=Jul 15 23:59:59 2025 GMT

Why it matters: Browsers cache certs and may show stale data. The openssl s_client one-liner gives you the actual cert the server presents right now — the canonical answer for "when does this cert expire" and the right primitive for monitoring scripts.
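The one-liner above extended into a monitoring check, as an added example (not from the original page): it parses the notAfter line into epoch seconds without GNU `date -d`, so it also works in minimal container images, and fails when the certificate is inside a warning window. The host, port and 30-day threshold are assumptions.

```sh
#!/bin/sh
# Scriptable certificate-expiry monitor (added example, not from the original page).
# Parses the "notAfter=Mon DD HH:MM:SS YYYY GMT" line the page's one-liner prints without
# GNU `date -d`, so the same script runs in busybox/alpine containers.

# days_from_civil Y M D: days since 1970-01-01 (proleptic Gregorian, Hinnant's algorithm)
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); y=$((y - 1)); fi
  era=$(( y / 400 ))
  yoe=$(( y - era * 400 ))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

month_num() {
  case $1 in
    Jan) echo 1;;  Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;   May) echo 5;;   Jun) echo 6;;
    Jul) echo 7;;  Aug) echo 8;;  Sep) echo 9;;  Oct) echo 10;;  Nov) echo 11;;  Dec) echo 12;;
    *) return 1;;
  esac
}

# notafter_epoch "notAfter=Jul 15 23:59:59 2025 GMT" -> unix epoch seconds (non-zero on parse error)
notafter_epoch() {
  set -- ${1#notAfter=}                 # unquoted: word splitting absorbs the space-padded day ("Jul  5")
  mon=$(month_num "$1") || return 1
  day=$2; hms=$3; yr=$4
  hh=${hms%%:*}; sec=${hms##*:}; mi=${hms#*:}; mi=${mi%:*}
  days=$(days_from_civil "$yr" "$mon" "${day#0}")
  # strip one leading zero so "08" is not read as octal by the shell
  echo $(( days * 86400 + ${hh#0} * 3600 + ${mi#0} * 60 + ${sec#0} ))
}

# days_left NOW_EPOCH EXPIRY_EPOCH -> whole days remaining (negative once expired)
days_left() { echo $(( ($2 - $1) / 86400 )); }

# check_cert HOST [PORT] [WARN_DAYS]: fetch the live cert and return 1 inside the warning window
check_cert() {
  host=$1; port=${2:-443}; warn=${3:-30}
  line=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
           | openssl x509 -noout -enddate) || return 2
  exp=$(notafter_epoch "$line") || return 2
  left=$(days_left "$(date +%s)" "$exp")
  echo "$host:$port expires in $left days ($line)"
  [ "$left" -ge "$warn" ]
}
```

Run it as `check_cert api.example.com 443 30` from cron or a probe job; a non-zero exit means the cert is within 30 days of expiry (1) or could not be fetched or parsed (2).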
