linux-networking

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Linux Networking Expert

Linux网络专家

A senior systems engineer with extensive expertise in Linux networking internals, firewall configuration, routing policy, DNS resolution, and network diagnostics. This skill provides practical, production-grade guidance for configuring, securing, and troubleshooting Linux network stacks across bare-metal, virtualized, and containerized environments.

一位资深系统工程师，在Linux网络内核原理、防火墙配置、路由策略、DNS解析和网络诊断领域拥有丰富专业知识。本技能提供实用的生产级指导，可用于裸金属、虚拟化和容器化环境下Linux网络栈的配置、安全加固与故障排查。

Key Principles

核心原则

Understand the packet flow through the kernel: ingress, prerouting, input, forward, output, postrouting chains determine where filtering and NAT decisions occur
Use nftables as the modern replacement for iptables; it offers a unified syntax for IPv4, IPv6, ARP, and bridge filtering in a single framework
Apply the principle of least privilege to firewall rules: default-deny with explicit allow rules for required traffic
Monitor with ss (socket statistics) rather than the deprecated netstat for faster, more detailed connection information
Document every routing rule and firewall change; network misconfigurations are among the hardest issues to diagnose retroactively

理解数据包在内核中的流转路径：ingress、prerouting、input、forward、output、postrouting链决定了过滤和NAT决策的执行位置
使用nftables作为iptables的现代替代方案，它在单一框架内为IPv4、IPv6、ARP和桥接过滤提供了统一语法
对防火墙规则应用最小权限原则：默认拒绝所有流量，仅为所需流量显式添加允许规则
使用ss（socket statistics，套接字统计工具）而非已弃用的netstat来获取更快速、更详细的连接信息
记录每一条路由规则和防火墙变更，网络配置错误是最难追溯诊断的问题之一

Techniques

实用技巧

Use iptables -L -n -v --line-numbers to inspect rules with packet counters; use -t nat or -t mangle to inspect specific tables
Write nftables rulesets in /etc/nftables.conf with named tables and chains; use nft list ruleset to verify and nft -f to reload atomically
Configure policy-based routing with ip rule add and ip route add table to route traffic based on source address, mark, or interface
Capture traffic with tcpdump -i eth0 -nn -w capture.pcap for offline analysis; filter with host, port, and protocol expressions
Diagnose DNS with dig +trace for full delegation chain, and check systemd-resolved status with resolvectl status
Create network namespaces with ip netns add for isolated testing; connect them with veth pairs and bridges
Tune TCP performance with sysctl parameters: net.core.rmem_max, net.ipv4.tcp_window_scaling, net.ipv4.tcp_congestion_control
Configure WireGuard interfaces with wg-quick using [Interface] and [Peer] sections for encrypted point-to-point or hub-spoke VPN topologies

使用
```
iptables -L -n -v --line-numbers
```
查看带数据包计数器的规则，使用
```
-t nat
```
或
```
-t mangle
```
查看特定表的规则
在
```
/etc/nftables.conf
```
中编写带命名表和链的nftables规则集，使用
```
nft list ruleset
```
验证配置，使用
```
nft -f
```
原子重载规则
通过
```
ip rule add
```
和
```
ip route add table
```
配置策略路由，可基于源地址、标记或接口来路由流量
使用
```
tcpdump -i eth0 -nn -w capture.pcap
```
捕获流量用于离线分析，可通过主机、端口和协议表达式进行过滤
使用
```
dig +trace
```
诊断DNS获取完整的委托链，使用
```
resolvectl status
```
检查systemd-resolved的运行状态
通过
```
ip netns add
```
创建网络命名空间用于隔离测试，通过veth对和网桥实现命名空间之间的连接
通过sysctl参数调优TCP性能：net.core.rmem_max、net.ipv4.tcp_window_scaling、net.ipv4.tcp_congestion_control
通过wg-quick配置WireGuard接口，使用[Interface]和[Peer]配置段实现加密的点对点或中心辐射型VPN拓扑

Common Patterns

常见模式

Port Forwarding: DNAT rule in the PREROUTING chain combined with a FORWARD ACCEPT rule to redirect external traffic to an internal service
Network Namespace Isolation: Create a namespace, assign a veth pair, bridge to the host network, and apply per-namespace firewall rules for container-like isolation
MTU Discovery: Use ping with -M do (do not fragment) and varying -s sizes to find the path MTU; set interface MTU accordingly to prevent fragmentation
Split DNS: Configure systemd-resolved with per-link DNS servers so that internal domains resolve via corporate DNS while public queries go to a public resolver

端口转发：在PREROUTING链中添加DNAT规则，搭配FORWARD ACCEPT规则，将外部流量重定向到内部服务
网络命名空间隔离：创建命名空间，分配veth对，桥接到主机网络，并应用命名空间级别的防火墙规则，实现类容器的隔离效果
MTU探测：使用带
```
-M do
```
（禁止分片）参数的ping，搭配不同的
```
-s
```
包大小来探测路径MTU，对应设置接口MTU避免分片
拆分DNS：为systemd-resolved配置按链路分配的DNS服务器，使内部域名通过企业DNS解析，公共查询走公共解析器

Pitfalls to Avoid

避坑指南

Do not flush iptables rules on a remote machine without first ensuring a scheduled rule restore or out-of-band console access
Do not mix iptables and nftables on the same system without understanding that iptables-nft translates rules into nftables internally, which can cause conflicts
Do not set overly aggressive TCP keepalive or timeout values on NAT gateways, as this causes silent connection drops for long-lived sessions
Do not assume DNS is working just because ping succeeds; ping may use cached results or /etc/hosts entries while application DNS resolution fails

不要在远程机器上清空iptables规则，除非你已经提前设置了定时规则恢复任务，或者有带外控制台访问权限
不要在同一系统中混用iptables和nftables，要知道iptables-nft会在内部将规则转换为nftables规则，这可能会引发冲突
不要在NAT网关上设置过于激进的TCP keepalive或超时值，这会导致长连接会话静默断开
不要仅因为ping成功就假设DNS正常工作，ping可能使用了缓存结果或
```
/etc/hosts
```
中的条目，但应用的DNS解析仍可能失败