Linux Networking Tools
ip, iptables, ss, tcpdump, dig, and more — common patterns, flags, and gotchas
Network Stack
├── Interfaces & Routes → ip link, ip addr, ip route, ip neigh, ip rule
├── Firewalling → iptables / ip6tables, nft
├── Sockets → ss, netstat
├── Packet Analysis → tcpdump, tshark
├── DNS → dig, resolvectl, host, nslookup
├── Connectivity → ping, traceroute, mtr, nc, curl, nmap
└── Hardware / Wireless → ethtool, iw
ip addr
Interfaces
Assign and inspect IP addresses on interfaces.

Common Commands

bash
# Show all addresses
ip addr show
ip -br addr show          # brief one-liner per interface

# Show addresses on a specific interface
ip addr show dev eth0

# Add / remove an address
ip addr add 192.168.1.10/24 dev eth0
ip addr del 192.168.1.10/24 dev eth0

# Add IPv6 address
ip addr add 2001:db8::1/64 dev eth0

# Flush all addresses on an interface
ip addr flush dev eth0

# Show only IPv4 or IPv6
ip -4 addr show
ip -6 addr show

Address Scopes

| Scope  | Meaning |
| ------ | ------- |
| global | Reachable everywhere — standard routable address |
| link   | Valid only on the local link (e.g. 169.254.x.x, IPv6 link-local) |
| host   | Loopback — not sent to the wire |
ip route
Routing
View and manipulate the kernel routing table.

Common Commands

bash
# Show the main routing table
ip route show
ip route show table all   # all routing tables

# Which route would be used for a destination?
ip route get 8.8.8.8
ip route get 192.168.1.1

# Add routes
ip route add 10.0.0.0/8 via 192.168.1.1
ip route add 10.0.0.0/8 dev eth0           # on-link route
ip route add default via 192.168.1.1       # default gateway

# Delete a route
ip route del 10.0.0.0/8

# Add a blackhole / unreachable route
ip route add blackhole 203.0.113.0/24
ip route add unreachable 203.0.113.0/24

# Flush routing cache (older kernels)
ip route flush cache

Route Types

| Type        | Meaning |
| ----------- | ------- |
| unicast     | Normal routed traffic (default) |
| blackhole   | Silently discard matching packets |
| unreachable | Discard and return ICMP unreachable |
| prohibit    | Discard and return ICMP prohibited |
| local       | Delivered locally (loopback, virtual IPs) |
Routes are not persistent: changes via ip route survive only until the next reboot. Use /etc/network/interfaces, NetworkManager, or systemd-networkd for persistence.
ip neigh
ARP / NDP
View and manage the ARP cache (IPv4) and NDP neighbor cache (IPv6).

Common Commands

bash
# Show ARP/NDP table
ip neigh show
ip -4 neigh show          # IPv4 only
ip neigh show dev eth0

# Add a static ARP entry
ip neigh add 192.168.1.5 lladdr aa:bb:cc:dd:ee:ff dev eth0 nud permanent

# Delete an entry
ip neigh del 192.168.1.5 dev eth0

# Flush stale entries
ip neigh flush dev eth0

NUD States

| State     | Meaning |
| --------- | ------- |
| REACHABLE | Recently confirmed reachable |
| STALE     | Not confirmed recently — may still work |
| DELAY     | In probe delay before sending NUD probe |
| PROBE     | Actively probing reachability |
| FAILED    | Probe failed — host unreachable at L2 |
| PERMANENT | Static entry — never expires |
ip rule
Policy Routing
Policy-based routing — select different routing tables based on source IP, mark, or interface.

Common Commands

bash
# Show routing policy rules
ip rule show

# Route traffic from 10.0.0.0/24 via table 100
ip rule add from 10.0.0.0/24 table 100

# Route traffic marked with 0x1 via table 200
ip rule add fwmark 0x1 table 200

# Add default route in table 100
ip route add default via 192.168.2.1 table 100

# Delete a rule
ip rule del from 10.0.0.0/24 table 100
Default tables: local (255) holds local and broadcast routes, main (254) holds normal routes, default (253) is the fallback. Custom tables 1–252 are user-defined.
iptables
Firewall
The classic Linux packet filter. Controls what traffic is accepted, dropped, forwarded, or NAT'd. Use ip6tables for IPv6.

View Rules

bash
# List all rules with line numbers and packet counts
iptables -L -v -n --line-numbers

# Show a specific chain
iptables -L INPUT -v -n --line-numbers

# Show NAT table
iptables -t nat -L -v -n

# Show all tables
iptables -t filter -L -n
iptables -t nat    -L -n
iptables -t mangle -L -n
iptables -t raw    -L -n

Common Rules

bash
# Allow traffic on loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established/related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH from a specific subnet
iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT

# Drop all other inbound traffic
# -A appends, so any rule added after this one can never match: keep it last
iptables -A INPUT -j DROP

# Rate-limit new connections (e.g. SSH brute-force protection)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
  -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

# MASQUERADE (SNAT for dynamic IP — e.g. internet sharing)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# DNAT — port-forward 8080 → internal host port 80
iptables -t nat -A PREROUTING -p tcp --dport 8080 \
  -j DNAT --to-destination 192.168.1.10:80

# Delete rule by line number
iptables -D INPUT 3

# Flush all rules in a chain
iptables -F INPUT

# Set default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
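Because -A appends, a catch-all DROP placed too early silently shadows every rule after it. This added script (not from the original page) audits an iptables-save dump for that mistake and for an ACCEPT default policy; the dump it runs on is constructed sample data, and the `audit_input_chain` function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: audit an iptables-save dump for
# the ordering mistake -A invites (a catch-all DROP appended before later
# ACCEPT rules) and for an ACCEPT default policy on INPUT.
set -eu

# Constructed iptables-save output for the demo. The loopback ACCEPT was
# appended after "-A INPUT -j DROP", so it can never match.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -i lo -j ACCEPT
COMMIT'

# audit_input_chain <iptables-save text>
# Prints one finding per line; exit status 1 if anything was found, 0 if clean.
# On a live host: audit_input_chain "$(iptables-save -t filter)"
audit_input_chain() {
    dump=$1
    findings=0
    n=0           # position of the current INPUT rule, as --line-numbers shows it
    dropped_at=0  # rule number of the first unconditional "-j DROP", 0 if none
    if printf '%s\n' "$dump" | grep -q '^:INPUT ACCEPT '; then
        echo "INPUT policy is ACCEPT: packets matched by no rule are allowed in"
        findings=1
    fi
    while IFS= read -r line; do
        case $line in
            "-A INPUT "*) ;;      # only rules appended to INPUT are examined
            *) continue ;;
        esac
        n=$((n + 1))
        if [ "$dropped_at" -ne 0 ]; then
            echo "INPUT rule $n is shadowed by the catch-all DROP at rule $dropped_at: $line"
            findings=1
        elif [ "$line" = "-A INPUT -j DROP" ]; then
            dropped_at=$n
        fi
    done <<EOF
$dump
EOF
    return $findings
}

audit_input_chain "$SAMPLE_RULES" || echo "audit: problems found (see above)"
```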

Tables & Chains

| Table  | Chains                        | Use |
| ------ | ----------------------------- | --- |
| filter | INPUT, FORWARD, OUTPUT        | Allow/drop packets |
| nat    | PREROUTING, OUTPUT, POSTROUTING | Address/port translation |
| mangle | All 5 chains                  | Alter packet headers (TOS, TTL, mark) |
| raw    | PREROUTING, OUTPUT            | Bypass conntrack with NOTRACK |

Persist Rules

bash
# Save / restore (Debian/Ubuntu)
iptables-save  > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4

# Save (RHEL/CentOS with iptables-services)
service iptables save
iptables is being replaced by nftables: most modern distros (Debian 10+, RHEL 8+, Ubuntu 20.04+) ship nftables by default, and iptables may be a shim backed by nft. Check with iptables --version.
nft
Firewall
The modern replacement for iptables/ip6tables/arptables. Unified IPv4/IPv6 syntax, better performance, atomic rule updates.

Common Commands

bash
# List all ruleset
nft list ruleset

# List a specific table
nft list table inet filter

# Add a table and basic chains
nft add table inet filter
nft add chain inet filter input  \
  { type filter hook input priority 0 \; policy drop \; }
nft add chain inet filter output \
  { type filter hook output priority 0 \; policy accept \; }

# Allow established connections
nft add rule inet filter input ct state established,related accept

# Allow SSH
nft add rule inet filter input tcp dport 22 accept

# Allow loopback
nft add rule inet filter input iifname lo accept

# NAT masquerade
nft add table ip nat
nft add chain ip nat postrouting \
  { type nat hook postrouting priority 100 \; }
nft add rule ip nat postrouting oifname "eth0" masquerade

# Load ruleset from file
nft -f /etc/nftables.conf

# Delete table
nft delete table inet filter
Ruleset file: store rules in /etc/nftables.conf and enable nftables.service for persistence. Changes are applied atomically, with no partial state during reloads.
ss
Sockets
Socket statistics — fast replacement for netstat. Shows TCP, UDP, Unix sockets and their states.

Common Commands

bash
# All TCP sockets with process info
ss -tlnp            # listening TCP
ss -tnp             # established TCP
ss -tanp            # all TCP

# UDP
ss -ulnp            # listening UDP

# Unix domain sockets
ss -xlnp

# Filter by port
ss -tnp sport = :80
ss -tnp dport = :443

# Filter by state
ss state ESTABLISHED
ss state TIME-WAIT
ss state FIN-WAIT-1

# Filter by destination address
ss -tn dst 10.0.0.1
ss -tn dst 10.0.0.0/8

# Show socket memory usage
ss -tnm

# Show timer information
ss -tno

Key Flags

| Flag | Meaning |
| ---- | ------- |
| -t   | TCP sockets |
| -u   | UDP sockets |
| -x   | Unix domain sockets |
| -l   | Listening only |
| -a   | All (listening + established) |
| -n   | No name resolution (faster) |
| -p   | Show process name/PID |
| -e   | Extended socket info (UID, inode) |
| -s   | Summary statistics |
netstat
Sockets
Legacy socket and routing info tool. Still widely available. Prefer ss on modern systems.

Common Commands

bash
# Listening TCP/UDP ports with process info
netstat -tlnp
netstat -ulnp

# All TCP connections
netstat -tanp

# Routing table
netstat -rn

# Network interface statistics
netstat -i

# Continuous refresh every 2s
netstat -c -tanp
netstat vs ss: netstat reads /proc/net/tcp line by line, which is slow on systems with thousands of sockets. ss uses the kernel netlink interface and is orders of magnitude faster.
tcpdump
Packet Analysis
Capture and inspect packets on a live interface. Saves to pcap files for analysis in Wireshark.

Common Commands

bash
# Capture on interface eth0
tcpdump -i eth0

# Capture on all interfaces
tcpdump -i any

# Don't resolve hostnames/ports (-n), show timestamps (-tttt)
tcpdump -i eth0 -n -tttt

# Capture only 100 packets
tcpdump -i eth0 -c 100

# Save to pcap file
tcpdump -i eth0 -w /tmp/capture.pcap

# Read from pcap file
tcpdump -r /tmp/capture.pcap

# Rotate files: 10MB each, keep 5
tcpdump -i eth0 -w /tmp/cap.pcap -C 10 -W 5

BPF Filters

bash
# TCP port 443
tcpdump -i eth0 tcp port 443

# Traffic to/from a host
tcpdump -i eth0 host 10.0.0.1

# Source host and destination port
tcpdump -i eth0 src host 10.0.0.1 and dst port 80

# ICMP only
tcpdump -i eth0 icmp

# Exclude SSH (avoid capturing your own session)
tcpdump -i eth0 not port 22

# HTTP GET requests (payload inspection)
tcpdump -i eth0 -A -s0 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'

# SYN packets only (new connections)
tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0'

# DNS queries
tcpdump -i eth0 port 53
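The GET filter above hides a small computation: tcp[12:1] holds the data offset in its high nibble, and (& 0xf0) >> 2 turns that word count into a byte count, so tcp[...:4] reads the first four payload bytes. This added script (not from the original page) reproduces that arithmetic in shell on constructed TCP segments given as hex strings; all function names and segments are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: reproduce what the BPF expression
#   tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
# computes, on constructed TCP segments given as hex strings (no capture needed).
set -eu

# Constructed segments: 20-byte header (data offset 5) carrying "GET / HTTP/1.0",
# 32-byte header with 12 bytes of options (data offset 8) carrying "GET /index.html",
# and a plain header carrying "POST /login".
SEG_PLAIN='d431005000000001000000015018ffff00000000''474554202f20485454502f312e30'
SEG_OPTS='d431005000000002000000018018ffff00000000''020405b40101040201010101''474554202f696e6465782e68746d6c'
SEG_POST='d431005000000003000000015018ffff00000000''504f5354202f6c6f67696e'

# hex_byte <hex> <index>: the byte at 0-based offset <index>, as two hex digits
hex_byte() {
    start=$(( $2 * 2 + 1 ))
    printf '%s' "$1" | cut -c"${start}-$(( start + 1 ))"
}

# tcp_data_offset <hex>: header length in bytes, exactly as ((tcp[12:1] & 0xf0) >> 2).
# The high nibble of byte 12 is the data offset in 32-bit words; masking with 0xf0
# and shifting right by 2 multiplies that word count by 4.
tcp_data_offset() {
    b12=$(hex_byte "$1" 12)
    echo $(( (0x$b12 & 0xf0) >> 2 ))
}

# payload_prefix <hex>: the 4 bytes at tcp[<data offset>:4], as 8 hex digits
payload_prefix() {
    off=$(tcp_data_offset "$1")
    start=$(( off * 2 + 1 ))
    printf '%s' "$1" | cut -c"${start}-$(( start + 7 ))"
}

# is_http_get <hex>: true when the payload starts with 0x47455420, i.e. "GET "
is_http_get() {
    [ "$(payload_prefix "$1")" = "47455420" ]
}

for seg in "$SEG_PLAIN" "$SEG_OPTS" "$SEG_POST"; do
    if is_http_get "$seg"; then verdict=match; else verdict="no match"; fi
    echo "header $(tcp_data_offset "$seg") bytes, payload starts $(payload_prefix "$seg"): $verdict"
done
```

The second segment is why the offset is computed rather than assumed: with TCP options present, a fixed tcp[20:4] would read option bytes instead of the payload.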

Useful Flags

| Flag            | Meaning |
| --------------- | ------- |
| -n              | No DNS/port resolution |
| -v / -vv / -vvv | More verbose output |
| -A              | Print payload as ASCII |
| -X              | Print payload as hex + ASCII |
| -s 0            | Capture full packet (default was 68 bytes on older versions) |
| -e              | Show Ethernet headers (MAC addresses) |
| -q              | Quiet — less protocol info |
Capturing on production: large captures can consume CPU and disk quickly. Use tight BPF filters, limit packet count with -c, and rotate output with -C/-W.
tshark
Packet Analysis
CLI front-end to Wireshark's dissectors. Better protocol decoding than tcpdump; can export JSON/CSV for scripting.

Common Commands

bash
# Capture on eth0, decode protocols
tshark -i eth0

# Read pcap and decode HTTP
tshark -r capture.pcap -Y http

# Show only HTTP request URIs
tshark -r capture.pcap -Y http.request -T fields \
  -e ip.src -e http.request.method -e http.request.uri

# DNS query names
tshark -i eth0 -Y dns.qry.name -T fields -e dns.qry.name

# Export as JSON
tshark -r capture.pcap -T json > out.json

# Follow TCP stream
tshark -r capture.pcap -z follow,tcp,ascii,0
dig
DNS
DNS lookup utility. The go-to tool for querying DNS servers and debugging resolution issues.

Common Commands

bash
# A record lookup (default)
dig example.com

# Specific record types
dig example.com MX
dig example.com AAAA
dig example.com TXT
dig example.com NS
dig example.com SOA
dig example.com CNAME

# Short output (just the answer)
dig +short example.com
dig +short example.com MX

# Query a specific DNS server
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com AAAA

# Reverse lookup (PTR)
dig -x 8.8.8.8

# Trace the full delegation chain
dig +trace example.com

# Show DNSSEC records
dig +dnssec example.com

# Disable recursion (query authoritative only)
dig +norecurse @ns1.example.com example.com

# Bulk lookup from file
dig -f domains.txt +short

Reading the Output

| Section       | Meaning |
| ------------- | ------- |
| ;; QUESTION   | What was asked |
| ;; ANSWER     | Direct answer records |
| ;; AUTHORITY  | Authoritative nameservers for the domain |
| ;; ADDITIONAL | IP addresses for nameservers in AUTHORITY |
| Query time    | RTT to the resolver — high values indicate slow resolver or network |
| SERVER        | Which resolver answered |
resolvectl
DNS
Control and query systemd-resolved — the DNS resolver used on most modern systemd-based distros.

Common Commands

bash
# Show resolver status and configured DNS servers
resolvectl status

# Lookup a name
resolvectl query example.com

# Reverse lookup
resolvectl query 8.8.8.8

# Show per-interface DNS configuration
resolvectl dns

# Show DNS search domains
resolvectl domain

# Show resolver cache statistics
resolvectl statistics

# Flush the DNS cache
resolvectl flush-caches

# Override DNS for an interface temporarily
resolvectl dns eth0 8.8.8.8 8.8.4.4
Check /etc/resolv.conf: on systemd-resolved systems, /etc/resolv.conf should be a symlink to /run/systemd/resolve/stub-resolv.conf. If it isn't, DNS may bypass resolved entirely.
host / nslookup
DNS
Simpler DNS lookup tools. host is terse; nslookup has an interactive mode. Both are useful for quick checks.

Common Commands

bash
# host
host example.com
host example.com 8.8.8.8     # query specific server
host -t MX example.com
host 8.8.8.8                   # reverse lookup

# nslookup
nslookup example.com
nslookup -type=MX example.com
nslookup example.com 1.1.1.1  # query specific server
nslookup 8.8.8.8               # reverse lookup
ping
Connectivity
Send ICMP echo requests to test reachability and measure round-trip latency.

Common Commands

bash
# Basic ping
ping 8.8.8.8
ping example.com

# Send 5 packets then stop
ping -c 5 example.com

# Set packet interval (0.2s = flood-ish)
ping -i 0.2 example.com

# Set payload size (default 56 bytes)
ping -s 1400 example.com       # useful for MTU testing

# Flood ping (requires root)
ping -f example.com

# Set TTL
ping -t 5 example.com

# IPv6
ping6 2001:4860:4860::8888
ping -6 example.com
ICMP may be filtered: a host not responding to ping doesn't mean it's down, since firewalls often block ICMP. Use nc or curl to test specific TCP ports instead.
traceroute / mtr
Connectivity
Trace the path packets take to a destination. mtr combines traceroute and ping into a live, continuously-updating view.

traceroute

bash
# Basic traceroute
traceroute example.com

# Use ICMP instead of UDP probes
traceroute -I example.com

# Use TCP probes on port 80 (bypasses UDP filters)
traceroute -T -p 80 example.com

# No reverse DNS lookups (faster)
traceroute -n example.com

# Set max TTL (hops)
traceroute -m 20 example.com

mtr

bash
# Interactive live view
mtr example.com

# Non-interactive report mode (100 cycles)
mtr --report --report-cycles 100 example.com

# No DNS resolution
mtr -n example.com

# Use TCP probes on port 443
mtr --tcp --port 443 example.com
Reading mtr output: high Loss% only at intermediate hops but not at the destination usually means the router deprioritises ICMP, not actual packet loss. Focus on the last hop.
nc
Connectivity
Netcat — the Swiss army knife of networking. Test TCP/UDP connectivity, transfer data, create simple servers.

Common Commands

bash
# Test if a TCP port is open
nc -zv 10.0.0.1 80
nc -zv 10.0.0.1 8080-8090      # scan a port range

# Test UDP port
nc -zuv 10.0.0.1 53

# Connect and send data interactively
nc 10.0.0.1 9000

# Simple HTTP request
echo -e "GET / HTTP/1.0\r\nHost: example.com\r\n\r\n" | nc example.com 80

# Listen on a port (simple server)
nc -lp 9000

# Transfer a file
# Receiver:
nc -lp 9000 > received.tar.gz
# Sender:
nc 10.0.0.2 9000 < file.tar.gz

# With timeout (exit if no connection in 3s)
nc -zv -w 3 10.0.0.1 443
ncat vs nc: some distros ship OpenBSD nc (flags differ slightly) and others ship GNU netcat. The Nmap project's ncat is the most feature-rich and consistent.
curl
HTTP
Transfer data with URLs. Essential for testing HTTP/HTTPS APIs, checking headers, and scripting HTTP interactions.

Common Commands

bash
# Basic GET
curl https://example.com

# Show response headers only
curl -I https://example.com

# Show headers + body
curl -v https://example.com

# POST JSON
curl -X POST https://api.example.com/data \
  -H 'Content-Type: application/json' \
  -d '{"key":"value"}'

# Follow redirects
curl -L https://example.com

# Save response to file
curl -o output.html https://example.com

# Download with original filename
curl -O https://example.com/file.tar.gz

# Set custom header
curl -H 'Authorization: Bearer TOKEN' https://api.example.com

# Test with specific DNS / IP (override DNS)
curl --resolve 'example.com:443:93.184.216.34' https://example.com

# Ignore TLS cert errors (testing only)
curl -k https://self-signed.example.com

# Set timeout
curl --connect-timeout 5 --max-time 30 https://example.com

# Show timing breakdown
curl -o /dev/null -s -w \
  "dns:%{time_namelookup}  conn:%{time_connect}  tls:%{time_appconnect}  ttfb:%{time_starttransfer}  total:%{time_total}\n" \
  https://example.com
Timing breakdown: the -w format string is invaluable for diagnosing whether latency is in DNS, TCP handshake, TLS, or server response time.
nmap
Scanning
Network scanner — discovers hosts, open ports, services, and OS versions. Use only on systems you own or have permission to scan.

Common Commands

bash
# Scan a single host (top 1000 ports)
nmap 10.0.0.1

# Scan a subnet
nmap 10.0.0.0/24

# Scan specific ports
nmap -p 22,80,443 10.0.0.1
nmap -p 1-65535 10.0.0.1          # all ports

# Service version detection
nmap -sV 10.0.0.1

# OS detection (requires root)
nmap -O 10.0.0.1

# Aggressive scan (OS + version + scripts + traceroute)
nmap -A 10.0.0.1

# Ping scan — discover live hosts, no port scan
nmap -sn 10.0.0.0/24

# TCP SYN scan (stealth, requires root)
nmap -sS 10.0.0.1

# UDP scan
nmap -sU -p 53,161,500 10.0.0.1

# Save output
nmap -oN scan.txt 10.0.0.1
nmap -oX scan.xml 10.0.0.1
Authorization required: scanning networks without permission is illegal in most jurisdictions. Only scan systems you own or have explicit written permission to test.
ethtool
Hardware
Query and control network driver and hardware settings — link speed, duplex, offloads, ring buffers, pause frames.

Common Commands

bash
# Show link speed, duplex, auto-negotiation
ethtool eth0

# Show driver info
ethtool -i eth0

# Show adapter statistics
ethtool -S eth0

# Show offload settings (TSO, GSO, GRO, etc.)
ethtool -k eth0

# Disable/enable an offload
ethtool -K eth0 tso off
ethtool -K eth0 gro on

# Show ring buffer sizes
ethtool -g eth0

# Set ring buffer sizes (reduce drops under load)
ethtool -G eth0 rx 4096 tx 4096

# Show pause frame settings
ethtool -a eth0

# Force link speed (avoid if possible — prefer auto-negotiation)
ethtool -s eth0 speed 1000 duplex full autoneg off

# Flash the NIC LED to identify the port
ethtool -p eth0 10           # blink for 10 seconds
iw
Wireless
Manage wireless interfaces using the nl80211 kernel interface. Replaces the deprecated iwconfig.

Common Commands

bash
# Show all wireless devices
iw dev

# Show link status (signal, bitrate, BSSID)
iw dev wlan0 link

# Scan for access points
iw dev wlan0 scan

# Show station statistics (for AP mode)
iw dev wlan0 station dump

# Show supported capabilities
iw phy phy0 info

# Set TX power
iw dev wlan0 set txpower fixed 2000  # in mBm (100 = 1 dBm)

# Create a monitor interface
iw dev wlan0 interface add mon0 type monitor
ip link set mon0 up
NetworkManager integration: on most desktops, NetworkManager manages Wi-Fi. Use nmcli for scripting instead of iw to avoid conflicts with NetworkManager's state machine.
ip netns
Namespaces
Manage network namespaces — isolated network stacks used by containers, VRFs, and test environments.

Common Commands

bash
# List namespaces
ip netns list

# Create / delete a namespace
ip netns add testns
ip netns del testns

# Run a command in a namespace
ip netns exec testns ip addr show
ip netns exec testns bash          # enter a shell

# Connect two namespaces with a veth pair
ip link add veth0 type veth peer name veth1
ip link set veth1 netns testns

ip addr add 192.168.10.1/24 dev veth0
ip netns exec testns ip addr add 192.168.10.2/24 dev veth1

ip link set veth0 up
ip netns exec testns ip link set veth1 up
ip netns exec testns ip link set lo up

# Test connectivity
ping 192.168.10.2
ip netns exec testns ping 192.168.10.1
Containers and namespaces: Docker, Podman, and Kubernetes create network namespaces automatically. You can inspect a container's namespace via nsenter -n -t <PID> -- ip addr.
Cheat Sheet
Reference

Interface Management

ip -br link show — list interfaces
ip addr show dev eth0 — addresses
ip link set eth0 up/down
ip link set eth0 mtu 9000

Routing

ip route show — routing table
ip route get 8.8.8.8 — route lookup
ip route add default via GW
ip route add CIDR via GW

Firewall (iptables)

iptables -L -v -n — list rules
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Sockets

ss -tlnp — listening TCP
ss -tanp state ESTABLISHED
ss -s — socket summary
ss -tnp dst 10.0.0.0/8

Packet Capture

tcpdump -i eth0 -n not port 22
tcpdump -i eth0 -w cap.pcap
tcpdump -i eth0 host 10.0.0.1
tcpdump -i eth0 tcp port 443

DNS

dig +short example.com
dig @8.8.8.8 example.com MX
dig +trace example.com
resolvectl flush-caches

Connectivity Testing

ping -c 5 8.8.8.8
mtr --report example.com
nc -zv host 443
curl -I https://example.com

Namespaces

ip netns list
ip netns exec NS ip addr
nsenter -n -t PID -- ip addr
ip link add veth0 type veth peer name veth1

Troubleshooting Patterns
Reference

Can't reach a host

bash
# 1. Is the interface up?
ip -br link show

# 2. Do we have a route?
ip route get TARGET_IP

# 3. Is the gateway reachable?
ping GW_IP

# 4. Check ARP for the gateway
ip neigh show

# 5. Test TCP connectivity (ICMP may be filtered)
nc -zv TARGET_IP 443

# 6. Trace the path
mtr --tcp --port 443 TARGET_IP

# 7. Capture to see what's happening
tcpdump -i eth0 -n host TARGET_IP

Port not reachable from outside

bash
# 1. Is the process actually listening?
ss -tlnp | grep :PORT

# 2. Is it listening on all interfaces or just loopback?
ss -tlnp | grep :PORT             # Local Address 127.0.0.1/[::1] = local only; 0.0.0.0/*/[::] = all interfaces

# 3. Is a firewall blocking it?
iptables -L INPUT -v -n | grep DROP
nft list ruleset | grep drop

# 4. Test from the host itself
nc -zv 127.0.0.1 PORT

# 5. Watch what arrives (before firewall)
tcpdump -i eth0 tcp port PORT
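Steps 1 and 2 above come down to reading the Local Address column of ss -tlnp. This added script (not from the original page) parses that output and separates listeners bound to every interface from loopback-only ones, which is the same check read the other way round as an exposure inventory; the ss output it runs on is constructed, and the `list_listeners` and `exposed_listeners` names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: parse "ss -tlnp" output and flag
# listeners bound to every interface (0.0.0.0, *, [::]) as opposed to loopback.
set -eu

# Constructed "ss -tlnp" output for the demo (process names and PIDs are made up).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=1204,fd=6))
LISTEN  0       4096    *:9100               *:*                users:(("node_exporter",pid=1310,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       70      [::1]:3306           [::]:*             users:(("mysqld",pid=950,fd=22))'

# list_listeners: reads ss -tlnp output on stdin and prints "scope port address process"
# per LISTEN socket; scope is EXPOSED (bound to all interfaces) or local (loopback or
# one specific address).
list_listeners() {
    awk 'NR > 1 && $1 == "LISTEN" {
        # the last colon in "Local Address:Port" separates address from port,
        # which also copes with bracketed IPv6 addresses such as [::1]:3306
        p = match($4, /:[^:]*$/)
        addr = substr($4, 1, p - 1)
        port = substr($4, p + 1)
        # process name is the first quoted string of the Process column
        # (the column is empty when ss lacked the rights to see it)
        proc = "-"
        if (match($6, /"[^"]+"/)) proc = substr($6, RSTART + 1, RLENGTH - 2)
        scope = (addr == "0.0.0.0" || addr == "*" || addr == "[::]") ? "EXPOSED" : "local"
        print scope, port, addr, proc
    }'
}

# exposed_listeners <ss -tlnp text>: only the sockets reachable from other hosts
exposed_listeners() {
    printf '%s\n' "$1" | list_listeners | awk '$1 == "EXPOSED"'
}

# On a live host: exposed_listeners "$(ss -tlnp)"
exposed_listeners "$SAMPLE_SS"
```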

DNS resolution failures

bash
# 1. Which resolver is being used?
cat /etc/resolv.conf
resolvectl status

# 2. Query the resolver directly
dig @127.0.0.53 example.com     # systemd-resolved stub
dig @8.8.8.8 example.com

# 3. Trace the delegation
dig +trace example.com

# 4. Flush stale cache
resolvectl flush-caches

High packet loss / latency

bash
# Continuous path quality test
mtr --report-cycles 100 TARGET

# Check interface errors / drops
ip -s link show eth0
ethtool -S eth0 | grep -i drop

# Check ring buffer drops
ethtool -g eth0
ethtool -S eth0 | grep rx_missed

# Check socket receive buffer drops
ss -s
netstat -s | grep overrun