Networking is often overlooked topic by both developers and DevOps engineers. Yet it's at least to a certain extent integral part of every system and application. Being therefore able to perform basic troubleshooting and use common tools is very valuable skill and might come in handy next time you run into issues with DNS or routing, or when you just need to send HTTP request to some web application. So, let's go over following list of basic networking tools that every developer should know and explore examples that might even become your cheat sheet for all things networking.
The Everyday Basics
Sending a HTTP request is one of the things that everyone of us does every day. And doing so with cURL can be as simple as curl google.com
, but curl
command has lots of options that can make it a lot more useful. More often than not, sending plain request is not good enough and you will need to specify type of request or include some extra headers. You can do that with -X
and -H
arguments, respectively. Another common thing to do would be sending some data in request, which can be done with -d
:
~ $ curl -X POST \ # POST Request
-H "accept: application/json" \ # Set headers
-H "Authorization: Bearer ..." \ # Can be used multiple times
-d '{"text" : "Hello, World!"}' \ # Data in JSON format
https://example.com/some/path
curl
can be also helpful for debugging. You can turn on verbose output using -vvv
or use -k
to switch to insecure mode when you are dealing with website certificates.
~ $ curl -X GET -k \
-vvv \
-H 'Content-type: application/json' \
-d '{"text" : "Hello, World!"}' \
https://example.com/some/path
When using verbose mode, there's going to be lots of data coming in and sometimes it makes sense to rather use -I
to return only headers instead of whole responses.
Downloading files is another super common task that can be easily done from terminal using wget
. Same as with curl
, wget
has a lot of options, but some of the more common and very useful ones include - -O
to change filename, -q
(quiet) to suppress noisy output, -b
to run in background or -c
to resume previous download. Simple example:
~ $ wget -q https://example.com/1.0.5/file-linux-amd64 -O new-filename
Things don't always work as expected and some services might become unavailable. So, to check if a host is reachable, one can use ping <some-IP>
or ping6 <some-IP>
if using IPv6. In case you need to check not just whether a host is reachable but also whether specific port is open, then you can use telnet <host> <port>
.
ping
is a lot simpler command than the ones above, but it still has some useful arguments, e.g. -c <number>
to specify number pings to make or -l <size>
to specify size of payload to send.
Looking up your IP address is probably not something you need to do every day, but you need it, then hostname
command is there for you. Especially with -I
argument which displays all IPs of your machine. hostname
command can also be used to set your machines hostname, but not persistently, so preferably use hostnamectl
for that instead.
DNS is a Mess
General rule of thumb is that when something is not quite right with networking, then it's most likely because of DNS. Basic inspection and debugging of DNS can be done with either nslookup
, host
or dig
. Out of these 3, I would recommend using dig
even though its output is little hard to read, because nslookup
is deprecated at this point and host
doesn't provide as much data as dig
.
~ $ dig github.com
; <<>> DiG 9.16.1-Ubuntu <<>> github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31813
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;github.com. IN A
;; ANSWER SECTION:
github.com. 59 IN A 140.82.121.3 # IP of website
;; Query time: 15 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) # Nameserver Address
;; WHEN: So okt 10 17:15:03 CEST 2020
;; MSG SIZE rcvd: 55
~ $ dig -t NS github.com
...
;; ANSWER SECTION:
github.com. 233 IN NS dns1.p08.nsone.net. # List of nameservers
... # More records
github.com. 233 IN NS dns3.p08.nsone.net.
...
~ $ dig -t NS github.com +short # Query nameservers with short output
dns2.p08.nsone.net.
...
ns-1707.awsdns-21.co.uk.
~ $ dig -x 140.82.121.3 # DNS Reverse lookup
...
;; QUESTION SECTION:
;3.121.82.140.in-addr.arpa. IN PTR
;; ANSWER SECTION:
3.121.82.140.in-addr.arpa. 1570 IN PTR lb-140-82-121-3-fra.github.com.
The example above shows some of the basic queries one can perform with dig
. Using this command might seem a little intimidating as its syntax is frankly plain stupid. So, let's go over each query and its output to make little more sense of it - first query - dig github.com
does a basic DNS query for github.com
. Its output shows 4 sections - header, question, answer and stats. We only really care about question and answer. The former describes what we asked, which in this case is DNS information about A Record for github.com
. The later shows answer in form of IP address of website.
Second query above uses -t NS
to do search for nameservers, which are displayed in the answer section. If you want just the answer without all the clutter around it, you can add +short
as shown with the third query.
The last query above performs reverse DNS search. This is done by using -x
argument while passing in IP address instead of hostname. If the information from these queries isn't enough for your debugging, then you can use +trace
which will show whole delegation path.
If the dig
command is not your cup of tea and you need to perform only simple queries or for example check DNS connectivity, you can also use previously mentioned host
command:
~ $ host github.com
github.com has address 140.82.121.3
github.com mail is handled by 5 alt2.aspmx.l.google.com.
~ $ host 140.82.121.3
3.121.82.140.in-addr.arpa domain name pointer lb-140-82-121-3-fra.github.com.
In previous section I mentioned that you should not use hostname
to set hostname as it will not persist across reboot. There are options for changing hostname persistently - one is to use hostnamectl set-hostname
or you can also directly modify /etc/hostname
, which is what hostnamectl
does anyway.
~ $ hostnamectl set-hostname some-host.domain.com
~ $ hostnamectl status
Static hostname: some-host.domain.com
Icon name: computer-vm
Chassis: vm
Machine ID: gd99711b6414efb8bb8791f9f2d4d71a
Boot ID: 8add50a8560541cb89d1ca2aede6961b
Virtualization: kvm
Operating System: Ubuntu 19.04
Kernel: Linux 5.0.0-15-generic
Architecture: x86-64
There are also other files related to DNS that you might want to check out when troubleshooting. First file that is checked when doing DNS search is /etc/hosts
. If the entry is not found there, DNS search is performed using /etc/resolv.conf
, which contains list IPs of nameservers for resolution. You can test hostname resolution manually using getent hosts example.com
~ $ cat /etc/resolv.conf
search some.example.com
nameserver 10.0.2.3 # IP of nameserver to query
nameserver 8.8.8.8
Problems with Connection?
If you're confident that the DNS is not culprit of your problem, then it's time to check connection related issues. One can do that using ip
command. When looking for any issues with connection, we should start from hardware and work our way up the stack, therefore let's first run ip link show
:
~ $ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 52:ee:9a:00:33:f5 brd ff:ff:ff:ff:ff:ff
~ $ ip -s link show ens3
3: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
link/ether 52:ee:9a:00:33:f5 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
14624090276 14595993 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2059715701 6107955 0 0 0 0
This command displays all network interfaces available on your system. The important field in the output is state
, which should show UP
. When you find the interface being currently used, then you can also run ip -s link show <name>
to see stats. The important fields in the output of said command are RX
for received data and TX
for transmitted.
Next, we can take a look at our IP addresses using ip addr show
. This will show us both IPv4 and IPv6 addresses (if running in dual-stack mode) as well as hardware (MAC) address of the device (link/ether
line):
~ $ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 52:ee:9a:00:33:f5 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.189/24 brd 192.168.1.255 scope global noprefixroute dynamic ens3
valid_lft 72719sec preferred_lft 72719sec
inet6 fe80::b3ec:c89:50bf:9cdd/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Last but not least from the ip
family of commands is ip route
. This gives us IPv4 routing table and can be useful for finding IP of your router, which is the default gateway (first line in output):
~ $ ip route
default via 192.168.1.1 dev ens3 proto dhcp metric 600 # All other packets are sent through default gateway located at 192.168.1.1
192.168.1.0/24 dev ens3 proto kernel scope link src 192.168.1.189 metric 600 # All packets destined for 192.168.1.0/24 are sent directly through ens3 device
In case you need to dig deeper into routing issues or maybe if you are looking for specific router that's causing trouble, you can also use tracepath
. tracepath
shows path of your request, where each line is one hop (one router).
~ $ tracepath -b twitter.com
1?: [LOCALHOST] pmtu 1500
1: router.asus.com (192.168.1.1) 2.957ms
1: router.asus.com (192.168.1.1) 5.767ms
2: 192.168.100.1 (192.168.100.1) 1.469ms
...
8: ??? (104.244.42.129) 21.838ms reached
Resume: pmtu 1500 hops 8 back 12
Apart from all the issues that you might encounter, there are some fairly basic connection configuration tasks which you might need to perform from time to time. There really are 2 tools that you can choose from - nmcli
and nmtui
. The former being classic CLI tool with all the possible options and the later being curses-based terminal GUI. I strongly recommend using nmtui
as it's very easy to use, simple to navigate and fool-proof tool that will help you to avoid errors when configuring connections.
However, If you insist on using nmcli
, please make sure to check out man nmcli-examples
, which shows some common usage examples. I will just leave here one simple example for nmcli
, to maybe deter you from touching it:
# Adding an ethernet connection profile with manual IP configuration
~ $ nmcli con add con-name my-con ifname ens3 type ethernet ip4 192.168.100.100/24 gw4 192.168.100.1 ip4 1.2.3.4 ip6 abbe::cafe
Regardless of whether you will use nmcli
or nmtui
, all the configs will be stored in /etc/sysconfig/network-scripts
(on RHEL/CentOS, anyway). These configs can also be edited directly without any tool, but I do not recommend this as CLI options and file variables have often very different names, so it's hard to see what is what.
One word of caution for dealing with connections. I recommend to either modify these configs using physical console (not over SSH), because in case you mess up, you will not lose access to the machine. If that's not possible, you can alternatively setup deferred job (using at
) that will revert your changes after hour or so (don't forget to cancel it if your config works).
Securing Your Server with Firewall
One way to improve security of your server is to make sure only necessary ports are open. To set that up, one might need to deal with iptables
and netfilter
, which can be a daunting task. You are therefore better off using some kind of frontend for these tools. If you are on Ubuntu you can go with ufw
which stands for uncomplicated firewall:
~ $ ufw allow ssh/tcp # http (80), https (443)
~ $ ufw logging on # Turn on logging
~ $ ufw enable # Enable firewall
~ $ ufw allow from 15.15.15.0/24 to any port 22 # Allow SSH connections from specific IP or Subnet
~ $ ufw allow from 15.15.15.0/24 to any port 5432 # Allow PostgreSQL connections from specific IP or Subnet
I think the examples above don't really need much of an explanation as it really is uncomplicated. If you are not using Ubuntu though, but for example RHEL/CentOS, you will be probably by default running firewalld
with its firewall-cmd
. This tool is not so simple, but still pretty easy to use:
~ $ cat /usr/lib/firewalld/services/postgresql.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>PostgreSQL</short>
<description>PostgreSQL Database Server</description>
<port protocol="tcp" port="5432"/>
</service>
~ $ firewall-cmd --permanent --zone=internal --add-service=postgresql # Add PostgreSQL service instead of specific port
~ $ firewall-cmd --reload # Apply changes to runtime
firewalld
provides set of files in /usr/lib/firewalld/services
which describe predefined services. These files make it easier to allow/block various common services like DBs, SSH, HTTP, LDAP, etc. In the example above you can see contents of PostgreSQL service file which defines protocol and port used by PostgreSQL. Thanks to that file we can the above command to allow connection to PostgreSQL database (--add-service=postgresql
).
~ $ cat /usr/lib/firewalld/zones/block.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="%%REJECT%%">
<short>Block</short>
<description>Unsolicited incoming network packets are rejected. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
</zone>
~ $ firewall-cmd --add-source=172.217.23.238/32 --zone=block --permanent # Block traffic from specific IP address
~ $ firewall-cmd --reload
There is also a second set of files in /usr/lib/firewalld/zones/block.xml
which describes zones like Public, DMZ, Block or Work. All traffic is diverted into zones based on criteria like source IP or source port. This classification simplifies management of firewall. In the example above you can see that we can simply block specific IP by diverting all its traffic to block
zone.
You probably noticed that in both examples we first used command with --permanent
and then --reload
, that's because firewalld
doesn't automatically apply changes to both runtime and persistent configs, therefore it's important to run both of these command to avoid troubleshooting issues that don't exist.
Scanning All Kinds of Stuff
Last but not least - it's pretty common networking task to run device scans in network to - for example - find connected machines in local network or to run port scan to see which ports are open or which application is listening and where.
For the former you can use nmap
which can scan hosts, ports or whole subnets. This tool has a lot of options and really warrants article on its own, but to give you quick overview of the most common arguments and options:
~ $ nmap -sP ... # Ping Scan - Scan network and find out which devices are up and running
~ $ nmap -sL ... # List targets in network
~ $ nmap -O ... # OS detection
~ $ nmap -p 22,21,80,8080 -sV ... # Detect version of service running on port
~ $ nmap -A ... # OS detection, version detection, script scanning, and traceroute
~ $ nmap -p 22,21,80,8080 172.217.17.110 # IP of goggle.com; Also `-p "*"` works for scanning all ports
Nmap scan report for ams15s29-in-f14.1e100.net (172.217.17.110)
Host is up (0.0072s latency).
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
80/tcp open http
8080/tcp filtered http-proxy
Nmap done: 1 IP address (1 host up) scanned in 1.46 seconds
These examples cover basic usage of nmap
and I personally rarely need anything except for the arguments and options shown above. One extra argument you might want to use though, is -F
(fast scan) argument, which can be useful to speed up scans, as it will omit most of the ports to be scanned, leaving only the most common ones.
Other tool worth mentioning in this section is ss
which is replacement for old netstat
. It's used to investigate sockets (combination of IP, protocol and port). It's very handy when you need to find where some service listens. I generally use -plat
arguments which shows all (a
) listening (l
) TCP (t
) sockets and their respective processes (p
):
~ $ ss -plat
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
ESTAB 0 0 192.168.43.1:40790 192.168.43.151:ssh users:(("ssh",pid=886049,fd=3))
LISTEN 0 32 *:ftp *:*
LISTEN 0 128 [::]:ssh [::]:*
LISTEN 0 128 *:https *:*
LISTEN 0 128 *:http *:*
Conclusion
Our jobs - regardless of whether you're developer, DevOps engineer or SRE - often have wide range of duties, so it's important to strive to have at least basic understanding of fundamentals of networking (among other things). It might seem like there's no immediate benefit to learning things like networking, so lot of people tend to ignore it. Learning these fundamentals is in my opinion very much worth the time though, especially in the long run. It should also go beyond just being able to run the above mentioned commands (even though that helps a lot), but rather understanding the concepts and internal workings of things like TCP/IP, DNS, DHCP, TLS, etc.
Top comments (2)
nmap! thanks for reminding me about this utility. I actually had it installed and was looking for that one cli tool that displayed all the open ports, but couldn't remember the name.
thanks for the article, some real good tools in here. I've only heard good things about
curl
and I'll probably go check outss
now.Now, that's what I call a useful article!