Introduction: Network is the Server's Lifeline

Servers communicate with the outside world through networks. Proper network configuration and firewall setup are crucial for server operation and security. This part covers IP settings, DNS, routing, and various firewall tools.

1. Network Basics

1.1 Checking Network Interfaces

# IP address and interface information
ip addr
ip a

# Specific interface only
ip addr show eth0

# Legacy command (deprecated)
ifconfig

1.2 Network Connection Status

# Routing table
ip route
ip r

# Check default gateway
ip route | grep default

# Check DNS servers
cat /etc/resolv.conf

# Connection test
ping -c 4 8.8.8.8
ping -c 4 google.com

1.3 Checking Ports and Connections

# Check open ports
ss -tuln

# Check specific port
ss -tuln | grep :80

# Include connection status
ss -tuna

# With process information
sudo ss -tulnp

# netstat (legacy)
sudo netstat -tulnp
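A defender's follow-up to the `ss -tuln` check above, added here as an example that is not part of the original guide: a shell function that compares the listening sockets against an allowlist of proto/port pairs and reports anything reachable from the network that is not on the list. The `ss` output embedded below is constructed; on a live host pipe `ss -tuln` into the function instead.

```shell
#!/bin/sh
# Added example (not from the original guide): report listening sockets that
# are reachable from the network and not on an allowlist of proto/port pairs.

# Constructed sample of `ss -tuln` output; on a real host use: ss -tuln | unexpected_listeners "..."
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      128             [::]:8080         [::]:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*'

# unexpected_listeners "tcp/22 tcp/80 ..."   (reads ss -tuln output, header included, on stdin)
# Prints "proto/port on address:port" for each socket not on the allowlist.
# Sockets bound only to loopback are skipped: they are not exposed to the network.
unexpected_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                                   # header line
    {
        proto = $1; addr = $5
        port = addr; sub(/.*:/, "", port)              # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)          # text before it ([::], 0.0.0.0, 127.0.0.1)
        if (host ~ /^127\./ || host == "[::1]" || host ~ /%lo$/) next
        key = proto "/" port
        if (!(key in ok)) print key " on " addr
    }'
}

# Demo run against the constructed sample
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "tcp/22 tcp/80 tcp/443"
```

With the sample data only tcp/8080 and udp/111 are reported; the loopback-only MySQL and resolver sockets are not.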

2. IP Address Configuration

2.1 Temporary IP Settings

# Add IP address
sudo ip addr add 192.168.1.100/24 dev eth0

# Remove IP address
sudo ip addr del 192.168.1.100/24 dev eth0

# Enable/disable interface
sudo ip link set eth0 up
sudo ip link set eth0 down

2.2 Permanent IP Settings (Ubuntu/Debian - Netplan)

# /etc/netplan/01-netcfg.yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - 192.168.1.100/24
      gateway4: 192.168.1.1   # deprecated on newer netplan; the replacement is routes: [ { to: default, via: 192.168.1.1 } ]
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4

# Apply
sudo netplan apply

# Test: applies the config and reverts it automatically unless you confirm (default timeout 120 s)
sudo netplan try

2.3 Permanent IP Settings (RHEL/CentOS - nmcli)

# List connections
nmcli connection show

# Set static IP (use the connection NAME from "nmcli connection show";
# it is often "Wired connection 1" rather than the device name eth0)
sudo nmcli connection modify eth0 ipv4.addresses 192.168.1.100/24
sudo nmcli connection modify eth0 ipv4.gateway 192.168.1.1
sudo nmcli connection modify eth0 ipv4.dns "8.8.8.8 8.8.4.4"
sudo nmcli connection modify eth0 ipv4.method manual

# Apply
sudo nmcli connection up eth0

3. DNS Configuration

3.1 DNS Server Settings

# /etc/resolv.conf (temporary, may reset on reboot)
nameserver 8.8.8.8
nameserver 8.8.4.4

# When using systemd-resolved
sudo systemctl status systemd-resolved
resolvectl status

3.2 Hosts File

# /etc/hosts - Local DNS
127.0.0.1   localhost
192.168.1.10   webserver.local webserver
192.168.1.20   dbserver.local dbserver

3.3 DNS Lookup Testing

# nslookup
nslookup google.com
nslookup google.com 8.8.8.8

# dig (detailed info)
dig google.com
dig @8.8.8.8 google.com

# host
host google.com

4. Firewall Overview

4.1 Linux Firewall Stack

  • netfilter: Kernel-level packet filtering
  • iptables: Traditional netfilter frontend
  • nftables: iptables successor (modern distros)
  • firewalld: RHEL/CentOS dynamic firewall manager
  • UFW: Ubuntu's simple firewall (iptables frontend)

5. iptables

5.1 Basic Structure

# Tables → Chains → Rules
# Main tables: filter, nat, mangle
# filter chains: INPUT, OUTPUT, FORWARD

# View current rules
sudo iptables -L -n -v
sudo iptables -L -n --line-numbers

5.2 Basic Rules

# Set default policies
# On a remote host, add the ACCEPT rules below before switching INPUT to DROP
# (or run the whole set from one script): a DROP policy with no SSH rule cuts off your session
sudo iptables -P INPUT DROP      # Default deny
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# Allow localhost
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow established connections (-m conntrack --ctstate is the modern equivalent of -m state)
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH (port 22)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP/HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow from specific IP only
sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 3306 -j ACCEPT

5.3 Deleting and Saving Rules

# Delete specific rule (by number)
sudo iptables -D INPUT 3

# Flush all rules (chain policies are kept; with INPUT set to DROP, reset the
# policy to ACCEPT first or a remote session is locked out)
sudo iptables -P INPUT ACCEPT
sudo iptables -F

# Save rules
sudo iptables-save > /etc/iptables.rules

# Restore rules
sudo iptables-restore < /etc/iptables.rules

# Ubuntu/Debian persistent
sudo apt install iptables-persistent
sudo netfilter-persistent save

6. firewalld (RHEL/CentOS)

6.1 Basic Commands

# Check status
sudo firewall-cmd --state
sudo systemctl status firewalld

# Start/enable
sudo systemctl start firewalld
sudo systemctl enable firewalld

6.2 Zone-Based Management

# List available zones
sudo firewall-cmd --get-zones

# Check default zone
sudo firewall-cmd --get-default-zone

# Check active zones
sudo firewall-cmd --get-active-zones

# List rules for specific zone
sudo firewall-cmd --zone=public --list-all

6.3 Allowing Services and Ports

# Allow service (temporary)
sudo firewall-cmd --zone=public --add-service=http

# Allow service (permanent)
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https --permanent

# Allow port
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent

# Apply changes
sudo firewall-cmd --reload

# Remove service/port
sudo firewall-cmd --zone=public --remove-service=http --permanent

6.4 Rich Rules

# Allow specific IP
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="3306" accept'

# Block specific IP
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.5" reject'

# Logging
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" log prefix="SSH Access: " level="info" accept'
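The logging rich rule above writes one netfilter LOG line per new SSH connection to the kernel log. As an added example that is not part of the original guide, here is a small shell pipeline that summarises those lines by source address and flags sources above a threshold; it assumes the `SSH Access: ` prefix from the rule and works on any netfilter LOG line carrying that prefix. The log lines below are constructed and abridged.

```shell
#!/bin/sh
# Added example (not from the original guide): summarise the kernel log lines
# produced by a rich rule with log prefix="SSH Access: " by source address.

# Constructed, abridged journal lines (a real run: journalctl -k | ssh_log_summary "SSH Access: ")
SAMPLE_LOG='Mar 10 09:12:01 web1 kernel: SSH Access: IN=eth0 OUT= SRC=192.168.1.100 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=22 SYN
Mar 10 09:12:05 web1 kernel: SSH Access: IN=eth0 OUT= SRC=192.168.1.100 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=51235 DPT=22 SYN
Mar 10 09:13:40 web1 kernel: SSH Access: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=22 SYN
Mar 10 09:14:00 web1 sshd[2211]: Accepted publickey for admin from 192.168.1.100 port 51235 ssh2'

# ssh_log_summary PREFIX   (reads log lines on stdin)
# Prints "<hits> <source>" per SRC= address of the lines carrying PREFIX, busiest first.
# Lines without the prefix (such as the sshd line above) are ignored.
ssh_log_summary() {
    grep -F -- "$1" | awk '
    {
        src = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) { src = substr($i, 5); break }
        if (src != "") hits[src]++
    }
    END { for (s in hits) print hits[s], s }' | sort -rn -k1,1
}

# flag_sources MIN   (reads "<hits> <source>" lines on stdin)
# Prints the sources with at least MIN hits, e.g. to spot a host opening an
# unusual number of new SSH connections in the reviewed time window.
flag_sources() {
    awk -v min="$1" '$1 + 0 >= min + 0 { print $2 }'
}

# Demo run against the constructed sample
printf '%s\n' "$SAMPLE_LOG" | ssh_log_summary "SSH Access: "
printf '%s\n' "$SAMPLE_LOG" | ssh_log_summary "SSH Access: " | flag_sources 2
```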

7. UFW (Ubuntu)

7.1 Basic Commands

# Check status
sudo ufw status
sudo ufw status verbose

# Enable/disable
sudo ufw enable
sudo ufw disable

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

7.2 Adding Rules

# Allow services
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

# Allow ports
sudo ufw allow 8080
sudo ufw allow 8080/tcp
sudo ufw allow 8080:8090/tcp

# Allow from specific IP
sudo ufw allow from 192.168.1.0/24
sudo ufw allow from 192.168.1.100 to any port 22

# Specific interface
sudo ufw allow in on eth0 to any port 80

7.3 Deleting Rules

# Delete by rule number
sudo ufw status numbered
sudo ufw delete 3

# Delete rule directly
sudo ufw delete allow 8080

# Reset all rules
sudo ufw reset

8. Practical Scenarios

8.1 Web Server Firewall (UFW)

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH for management from the admin network only (do not also run
# "ufw allow ssh": that opens port 22 to everyone and makes this restriction moot;
# make sure your current session comes from this range before "ufw enable")
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp

# Allow web services
sudo ufw allow http
sudo ufw allow https

# Enable
sudo ufw enable

8.2 Database Server (firewalld)

# Default deny: make "drop" the default zone first and add the exceptions to that zone.
# A rich rule added without --zone lands in the current default zone ("public" until this
# step runs), so adding the rules before switching zones would leave them unused.
sudo firewall-cmd --set-default-zone=drop

# Allow MySQL port from internal network only
sudo firewall-cmd --permanent --zone=drop --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" port protocol="tcp" port="3306" accept'

# SSH only from management server
sudo firewall-cmd --permanent --zone=drop --add-rich-rule='rule family="ipv4" source address="10.0.0.5" service name="ssh" accept'

# Apply
sudo firewall-cmd --reload

8.3 NAT/Port Forwarding (iptables)

# Enable IP forwarding (the form "sudo echo 1 > /proc/sys/net/ipv4/ip_forward"
# fails: the redirect is opened by the unprivileged shell, so use sysctl)
sudo sysctl -w net.ipv4.ip_forward=1

# Permanent setting in /etc/sysctl.conf, then reload with: sudo sysctl -p
net.ipv4.ip_forward = 1

# Port forward: external 8080 → internal server 80
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80
# Forwarded packets also pass the filter FORWARD chain (policy DROP in 5.2), so allow them there
sudo iptables -A FORWARD -p tcp -d 192.168.1.100 --dport 80 -j ACCEPT
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -j MASQUERADE   # add -o <iface> to limit masquerading to one interface

9. Network Troubleshooting

9.1 Diagnosing Connection Issues

# Step-by-step diagnosis
# 1. Check interface
ip addr

# 2. Check gateway connectivity
ping -c 4 192.168.1.1

# 3. External IP connectivity
ping -c 4 8.8.8.8

# 4. DNS check
ping -c 4 google.com

# 5. Trace route
traceroute google.com
mtr google.com

9.2 Port Connection Testing

# Test port connectivity
nc -zv 192.168.1.100 22
telnet 192.168.1.100 80

# Port scan (your own server only)
nmap -p 1-1000 localhost

9.3 Packet Capture

# Basic tcpdump
sudo tcpdump -i eth0

# Specific port only
sudo tcpdump -i eth0 port 80

# Specific host
sudo tcpdump -i eth0 host 192.168.1.100

# Save to file
sudo tcpdump -i eth0 -w capture.pcap

Conclusion

Network configuration and firewall setup determine your server's connectivity and security. The basic principle is to allow only what's necessary and block everything else.

In Part 5, we'll cover SSH and Remote Server Management.