Operations 26 min read
Master Linux Network Management: Real-World Practices from Leading Tech Companies
This comprehensive guide covers Linux network architecture design, VLAN planning, interface configuration for CentOS and Ubuntu, bonding, performance monitoring, tuning, firewall and intrusion detection, high‑availability setups with HAProxy and Keepalived, container and Kubernetes networking, and automation with Ansible and Prometheus, providing practical best‑practice recommendations for enterprise operations.
MaGe Linux Operations
MaGe Linux Operations
Master Linux Network Management: Real-World Practices from Leading Tech Companies
In large internet enterprises, Linux network management is a core skill for operations engineers. Handling massive servers, complex topologies, and high‑traffic requires mastering everything from basic configuration to advanced optimization.
Network Architecture and Planning
Typical three‑layer architecture:
┌─────────────────────────────────────────────────────────┐
│ Core Layer (Core Layer) │
│ ┌─────────────┐ ┌─────────────┐ │
│ │ Core-1 │──────────│ Core-2 │ │
│ └─────────────┘ └─────────────┘ │
└─────────────────────────────────────────────────────────┘
│
┌─────────────────────────────────────────────────────────┐
│ Aggregation Layer (Aggregation Layer) │
│ ┌─────────────┐ ┌─────────────┐ │
│ │ Agg-1 │──────────│ Agg-2 │ │
│ └─────────────┘ └─────────────┘ │
└─────────────────────────────────────────────────────────┘
│
┌─────────────────────────────────────────────────────────┐
│ Access Layer (Access Layer) │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ TOR-1 │ │ TOR-2 │ │ TOR-3 │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
└─────────────────────────────────────────────────────────┘VLAN segmentation strategy:
# Management network
VLAN 100: 192.168.100.0/24
# Server management interface
VLAN 101: 192.168.101.0/24
# Network device management
VLAN 200: 10.10.200.0/24 # Web front‑end services
VLAN 201: 10.10.201.0/24 # Application layer
VLAN 202: 10.10.202.0/24 # Database layer
VLAN 300: 10.10.300.0/24 # Distributed storage
VLAN 301: 10.10.301.0/24 # Backup networkNetwork Interface Configuration and Management
CentOS/RHEL interface configuration:
# /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eth0
UUID=12345678-1234-1234-1234-123456789abc
DEVICE=eth0
ONBOOT=yes
IPADDR=10.10.200.100
NETMASK=255.255.255.0
GATEWAY=10.10.200.1
DNS1=8.8.8.8
DNS2=8.8.4.4Ubuntu/Debian Netplan configuration:
# /etc/netplan/00-installer-config.yaml
network:
version: 2
renderer: networkd
ethernets:
eth0:
addresses: [10.10.200.100/24]
gateway4: 10.10.200.1
nameservers:
addresses: [8.8.8.8, 8.8.4.4]
eth1:
addresses: [10.10.201.100/24]Network bonding configuration:
# /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
TYPE=Bond
BONDING_MASTER=yes
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.10.200.100
NETMASK=255.255.255.0
GATEWAY=10.10.200.1
BONDING_OPTS="mode=802.3ad miimon=100 lacp_rate=fast"
# /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
# /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yesNetwork Performance Monitoring and Tuning
Real‑time monitoring script (bash):
#!/bin/bash
INTERFACE="eth0"
INTERVAL=5
echo "Interface: $INTERFACE"
echo "Interval: $INTERVAL seconds"
echo "Timestamp Rx(MB/s) Tx(MB/s) Drop(%)"
echo "=================================================="
while true; do
RX1=$(cat /sys/class/net/$INTERFACE/statistics/rx_bytes)
TX1=$(cat /sys/class/net/$INTERFACE/statistics/tx_bytes)
RX_DROPPED1=$(cat /sys/class/net/$INTERFACE/statistics/rx_dropped)
TX_DROPPED1=$(cat /sys/class/net/$INTERFACE/statistics/tx_dropped)
RX_PACKETS1=$(cat /sys/class/net/$INTERFACE/statistics/rx_packets)
TX_PACKETS1=$(cat /sys/class/net/$INTERFACE/statistics/tx_packets)
sleep $INTERVAL
RX2=$(cat /sys/class/net/$INTERFACE/statistics/rx_bytes)
TX2=$(cat /sys/class/net/$INTERFACE/statistics/tx_bytes)
RX_DROPPED2=$(cat /sys/class/net/$INTERFACE/statistics/rx_dropped)
TX_DROPPED2=$(cat /sys/class/net/$INTERFACE/statistics/tx_dropped)
RX_PACKETS2=$(cat /sys/class/net/$INTERFACE/statistics/rx_packets)
TX_PACKETS2=$(cat /sys/class/net/$INTERFACE/statistics/tx_packets)
RX_RATE=$(echo "scale=2; ($RX2-$RX1)/1024/1024/$INTERVAL" | bc)
TX_RATE=$(echo "scale=2; ($TX2-$TX1)/1024/1024/$INTERVAL" | bc)
TOTAL_PACKETS=$((RX_PACKETS2-RX_PACKETS1+TX_PACKETS2-TX_PACKETS1))
DROPPED_PACKETS=$((RX_DROPPED2-RX_DROPPED1+TX_DROPPED2-TX_DROPPED1))
if [ $TOTAL_PACKETS -gt 0 ]; then
DROP_RATE=$(echo "scale=2; $DROPPED_PACKETS*100/$TOTAL_PACKETS" | bc)
else
DROP_RATE=0
fi
printf "%-15s %10s %10s %10s
" "$(date '+%H:%M:%S')" "$RX_RATE" "$TX_RATE" "$DROP_RATE"
doneAdvanced monitoring tools: iftop, nethogs, ss, nload, tcpdump.
TCP parameter optimization (sysctl):
# /etc/sysctl.conf
net.core.rmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_default = 262144
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.core.netdev_max_backlog = 5000
net.core.netdev_budget = 600Network interface queue optimization (bash):
#!/bin/bash
INTERFACE="eth0"
CPU_CORES=$(nproc)
# Enable multi‑queue
ethtool -L $INTERFACE combined $CPU_CORES
# Set IRQ affinity
for ((i=0; i<CPU_CORES; i++)); do
IRQ=$(grep "$INTERFACE-TxRx-$i" /proc/interrupts | awk '{print $1}' | tr -d ':')
if [ -n "$IRQ" ]; then
echo $((1<<i)) > /proc/irq/$IRQ/smp_affinity
fi
done
# Optimize NIC parameters
ethtool -G $INTERFACE rx 4096 tx 4096
ethtool -C $INTERFACE adaptive-rx on adaptive-tx onNetwork Security and Protection
Enterprise iptables firewall rules (bash):
#!/bin/bash
# Flush existing rules
iptables -F
iptables -X
iptables -Z
# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH access control (specific IP ranges)
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
# Web services
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Database access control
iptables -A INPUT -p tcp --dport 3306 -s 10.10.201.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 5432 -s 10.10.201.0/24 -j ACCEPT
# SYN flood protection
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
# Port scan protection
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
# ICMP rate limiting
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Save rules
iptables-save > /etc/iptables/rules.v4Log‑based intrusion detection script (bash):
#!/bin/bash
LOG_FILE="/var/log/secure"
THRESHOLD=10
# Detect SSH brute‑force attempts
failed=$(grep "Failed password" $LOG_FILE | grep "$(date '+%b %d')" | awk '{print $11}' | sort | uniq -c | awk -v t=$THRESHOLD '$1>t {print $2,$1}')
if [ -n "$failed" ]; then
echo "SSH brute‑force detected:"
echo "$failed"
echo "$failed" | while read ip count; do
iptables -A INPUT -s $ip -j DROP
echo "Blocked IP $ip (failed attempts: $count)"
done
fi
# Detect port scans
scan=$(netstat -an | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | awk -v t=50 '$1>t {print $2,$1}')
if [ -n "$scan" ]; then
echo "Port scan detected:"
echo "$scan"
fiHigh‑Availability Network Architecture
HAProxy configuration example:
# /etc/haproxy/haproxy.cfg
global
daemon
maxconn 4096
user haproxy
group haproxy
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
option httplog
option dontlognull
option redispatch
retries 3
frontend web_frontend
bind *:80
bind *:443 ssl crt /etc/ssl/certs/server.pem
redirect scheme https if !{ ssl_fc }
default_backend web_servers
backend web_servers
balance roundrobin
option httpchk GET /health
server web1 10.10.200.10:80 check
server web2 10.10.200.11:80 check
server web3 10.10.200.12:80 check
listen stats
bind *:8080
stats enable
stats uri /stats
stats refresh 30sKeepalived high‑availability configuration:
# /etc/keepalived/keepalived.conf
vrrp_script chk_haproxy {
script "/bin/curl -f http://localhost:80/health || exit 1"
interval 2
weight -2
fall 3
rise 2
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass mypassword
}
virtual_ipaddress {
10.10.200.100/24
}
track_script {
chk_haproxy
}
}Network Fault Diagnosis and Troubleshooting
Connectivity diagnostics (bash):
#!/bin/bash
TARGET_HOST=$1
TARGET_PORT=$2
if [ -z "$TARGET_HOST" ]; then
echo "Usage: $0 <target_host> [port]"
exit 1
fi
echo "=== Network Diagnosis Report ==="
echo "Target host: $TARGET_HOST"
echo "Target port: ${TARGET_PORT:-N/A}"
echo "Time: $(date)"
# 1. Ping test
if ping -c 4 $TARGET_HOST > /tmp/ping_result 2>&1; then
echo " ✓ Ping successful"
grep "rtt" /tmp/ping_result
else
echo " ✗ Ping failed"
cat /tmp/ping_result
fi
# 2. Traceroute
echo "2. Traceroute:"
traceroute $TARGET_HOST | head -10
# 3. DNS lookup
if nslookup $TARGET_HOST > /tmp/dns_result 2>&1; then
echo " ✓ DNS resolution successful"
grep "Address" /tmp/dns_result | tail -1
else
echo " ✗ DNS resolution failed"
fi
# 4. Port connectivity
if [ -n "$TARGET_PORT" ]; then
echo "4. Port connectivity:"
if nc -zv $TARGET_HOST $TARGET_PORT 2>&1 | grep -q "succeeded"; then
echo " ✓ Port $TARGET_PORT open"
else
echo " ✗ Port $TARGET_PORT unreachable"
fi
fi
# 5. Local interface status
echo "5. Local network interfaces:"
ip addr show | grep -E "inet|state"
# 6. Routing table
echo "6. Routing table:"
ip route show
# 7. Firewall status
echo "7. Firewall status:"
iptables -L -n | head -20Container Network Management
Docker network configuration script (bash):
#!/bin/bash
# Create custom bridge network
docker network create --driver bridge \
--subnet=172.20.0.0/16 \
--ip-range=172.20.240.0/20 \
--gateway=172.20.0.1 \
custom_network
# Create macvlan network
docker network create -d macvlan \
--subnet=192.168.1.0/24 \
--gateway=192.168.1.1 \
-o parent=eth0 \
macvlan_network
# Container network monitoring
monitor_container_network() {
echo "Container network usage:"
docker stats --no-stream --format "table {{.Container}} {{.NetIO}}"
echo -e "
Container network details:"
docker network ls
echo -e "
Interface statistics:"
for container in $(docker ps -q); do
name=$(docker inspect --format='{{.Name}}' $container | sed 's/^\///')
echo "Container: $name"
docker exec $container cat /proc/net/dev | grep -v "lo:" | tail -n +3
echo
done
}
monitor_container_networkKubernetes network troubleshooting (bash):
#!/bin/bash
# Check pod connectivity
check_pod_connectivity() {
pod_name=$1
namespace=${2:-default}
echo "Checking pod: $pod_name (namespace: $namespace)"
pod_ip=$(kubectl get pod $pod_name -n $namespace -o jsonpath='{.status.podIP}')
echo "Pod IP: $pod_ip"
kubectl exec $pod_name -n $namespace -- ip addr show
kubectl exec $pod_name -n $namespace -- ip route show
kubectl exec $pod_name -n $namespace -- nslookup kubernetes.default.svc.cluster.local
}
# Check service network
check_service_network() {
service_name=$1
namespace=${2:-default}
echo "Checking service: $service_name"
kubectl get svc $service_name -n $namespace -o wide
kubectl get endpoints $service_name -n $namespace
iptables -t nat -L | grep $service_name
}
# List network policies
check_network_policies() {
echo "Current network policies:"
kubectl get networkpolicies --all-namespaces
echo -e "
Network policy details:"
kubectl get networkpolicies --all-namespaces -o yaml
}
# Example usage (uncomment to run)
# check_pod_connectivity my-pod default
# check_service_network my-service default
# check_network_policiesAutomation and Monitoring
Ansible network automation playbook (YAML excerpt):
---
- name: Network configuration automation
hosts: servers
become: yes
vars:
network_interfaces:
- name: eth0
ip: "{{ ansible_default_ipv4.address }}"
netmask: "255.255.255.0"
gateway: "{{ ansible_default_ipv4.gateway }}"
- name: eth1
ip: "10.10.201.{{ ansible_host.split('.')[3] }}"
netmask: "255.255.255.0"
tasks:
- name: Configure network interfaces
template:
src: ifcfg-interface.j2
dest: "/etc/sysconfig/network-scripts/ifcfg-{{ item.name }}"
loop: "{{ network_interfaces }}"
notify: restart network
- name: Configure firewall rules
iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item }}"
jump: ACCEPT
loop:
- 22
- 80
- 443
- name: Optimize network parameters
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
state: present
reload: yes
loop:
- { name: "net.ipv4.tcp_fin_timeout", value: "30" }
- { name: "net.ipv4.tcp_keepalive_time", value: "1200" }
- { name: "net.core.rmem_max", value: "16777216" }
- { name: "net.core.wmem_max", value: "16777216" }
- name: Install network monitoring tools
package:
name: "{{ item }}"
state: present
loop:
- iftop
- nethogs
- tcpdump
- nmap
handlers:
- name: restart network
service:
name: network
state: restartedPrometheus network monitoring configuration (YAML excerpt):
global:
scrape_interval: 15s
evaluation_interval: 15s
rule_files:
- "network_rules.yml"
scrape_configs:
- job_name: 'node-exporter'
static_configs:
- targets: ['localhost:9100']
scrape_interval: 5s
metrics_path: /metrics
- job_name: 'snmp-network'
static_configs:
- targets:
- 192.168.1.1 # Router
- 192.168.1.2 # Switch
metrics_path: /snmp
params:
module: [if_mib]
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: 127.0.0.1:9116Network alert rules (Prometheus alerting rules):
groups:
- name: network_alerts
rules:
- alert: HighNetworkTraffic
expr: rate(node_network_receive_bytes_total[5m]) > 100000000
for: 2m
labels:
severity: warning
annotations:
summary: "High network traffic alert"
description: "{{ $labels.instance }} network receive traffic exceeds 100MB/s"
- alert: NetworkInterfaceDown
expr: node_network_up == 0
for: 1m
labels:
severity: critical
annotations:
summary: "Network interface down"
description: "{{ $labels.instance }} interface {{ $labels.device }} is down"
- alert: HighPacketLoss
expr: rate(node_network_receive_drop_total[5m]) > 1000
for: 2m
labels:
severity: warning
annotations:
summary: "Network packet loss alert"
description: "{{ $labels.instance }} packet loss rate too high"Conclusion
Linux network management is an essential skill for operations engineers in large‑scale enterprises. By applying the architectures, configurations, monitoring techniques, security hardening, high‑availability designs, and automation practices presented here, teams can build stable, efficient, and secure network infrastructures that reliably support business growth.
In practice, engineers should continuously adapt these methods to specific business scenarios, stay updated with emerging networking technologies, and refine performance and security measures to meet evolving demands.
Original Source
Signed-in readers can open the original source through BestHub's protected redirect.
Republication Notice
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Written by
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
0 followers
Reader feedback
How this landed with the community
Rate this article
Was this worth your time?
Discussion
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.