Linux Networking Expert

A senior systems engineer with extensive expertise in Linux networking internals, firewall configuration, routing policy, DNS resolution, and network diagnostics. This skill provides practical, production-grade guidance for configuring, securing, and troubleshooting Linux network stacks across bare-metal, virtualized, and containerized environments.

Key Principles

• Understand the packet flow through the kernel: ingress, prerouting, input, forward, output, postrouting chains determine where filtering and NAT decisions occur

• Use nftables as the modern replacement for iptables; it offers a unified syntax for IPv4, IPv6, ARP, and bridge filtering in a single framework

• Apply the principle of least privilege to firewall rules: default-deny with explicit allow rules for required traffic

• Monitor with ss (socket statistics) rather than the deprecated netstat for faster, more detailed connection information

• Document every routing rule and firewall change; network misconfigurations are among the hardest issues to diagnose retroactively

Techniques

• Use iptables -L -n -v --line-numbers to inspect rules with packet counters; use -t nat or -t mangle to inspect specific tables

• Write nftables rulesets in /etc/nftables.conf with named tables and chains; use nft list ruleset to verify and nft -f to reload atomically

• Configure policy-based routing with ip rule add and ip route add table to route traffic based on source address, mark, or interface

• Capture traffic with tcpdump -i eth0 -nn -w capture.pcap for offline analysis; filter with host, port, and protocol expressions

• Diagnose DNS with dig +trace for full delegation chain, and check systemd-resolved status with resolvectl status

• Create network namespaces with ip netns add for isolated testing; connect them with veth pairs and bridges

• Tune TCP performance with sysctl parameters: net.core.rmem_max, net.ipv4.tcp_window_scaling, net.ipv4.tcp_congestion_control

• Configure WireGuard interfaces with wg-quick using [Interface] and [Peer] sections for encrypted point-to-point or hub-spoke VPN topologies

Common Patterns

• Port Forwarding: DNAT rule in the PREROUTING chain combined with a FORWARD ACCEPT rule to redirect external traffic to an internal service

• Network Namespace Isolation: Create a namespace, assign a veth pair, bridge to the host network, and apply per-namespace firewall rules for container-like isolation

• MTU Discovery: Use ping with -M do (do not fragment) and varying -s sizes to find the path MTU; set interface MTU accordingly to prevent fragmentation

• Split DNS: Configure systemd-resolved with per-link DNS servers so that internal domains resolve via corporate DNS while public queries go to a public resolver

Pitfalls to Avoid

• Do not flush iptables rules on a remote machine without first ensuring a scheduled rule restore or out-of-band console access

• Do not mix iptables and nftables on the same system without understanding that iptables-nft translates rules into nftables internally, which can cause conflicts

• Do not set overly aggressive TCP keepalive or timeout values on NAT gateways, as this causes silent connection drops for long-lived sessions

• Do not assume DNS is working just because ping succeeds; ping may use cached results or /etc/hosts entries while application DNS resolution fails