Linux Networking
103 cards — 🟢 27 easy | 🟡 44 medium | 🔴 17 hard
🟢 Easy (27)
1. You are typing CTRL + C but your script is still running. How do you stop it?
In most cases, you can stop a running script by using the `CTRL + C` keyboard combination. This sends an interrupt signal (SIGINT) to the script, which terminates its execution. If this does not work and the script is still running, you can try using the `CTRL + \` combination, which sends a quit signal (SIGQUIT) to the script, which may terminate it immediately.
Remember: ping = ICMP Echo. No reply ≠ host down — firewalls block ICMP.
2. What is NTP? What is it used for?
NTP (Network Time Protocol) synchronizes system clocks over a network.
Purpose:
- Accurate timekeeping
- Synchronized time across servers
- Critical for: logs, certificates, distributed systems, auth
Components:
- ntpd or chronyd - NTP daemons
- NTP servers - Time sources (stratum levels)
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
3. What is stored in ~/.ssh/known_hosts?
The file stores the key fingerprints for the clients connecting to the SSH server. This fingerprint creates a trust between the client and the server for future SSH connections.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
4. What is the loopback (lo) interface?
The loopback interface is a special, virtual network interface that your computer uses to communicate with itself. It is used mainly for diagnostics and troubleshooting, and to connect to servers running on the local machine.
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
5. What is SSH port forwarding?
SSH tunneling routes traffic through an encrypted SSH connection.
Types:
1. Local (-L): ssh -L 8080:db:5432 bastion
- localhost:8080 reaches db:5432
2. Remote (-R): ssh -R 8080:localhost:3000 server
- server:8080 reaches your localhost:3000
3. Dynamic (-D): ssh -D 1080 bastion
- Creates SOCKS proxy
Use: Access internal services, bypass firewalls, encrypt protocols.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
6. What is telnet and why is it a bad idea to use it in production? (or at all)
Telnet is a type of client-server protocol that can be used to open a command line on a remote computer, typically a server.
By default, all the data sent and received via telnet is transmitted in clear/plain text, therefore it should not be used as it does not encrypt any data between the client and the server.
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
7. When you run 'ip a' you see there is a device called 'lo'. What is it?
'lo' is the loopback interface - a virtual network interface.
Purpose:
- Internal communication within the host
- Testing network applications locally
- Inter-process communication via network stack
Characteristics:
- IP address: 127.0.0.1 (IPv4), ::1 (IPv6)
- Always up, always present
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
8. iptables vs nftables?
nftables is the modern replacement: unified framework, cleaner syntax, atomic rule updates, same netfilter hooks underneath.
Remember: Chains: INPUT, OUTPUT, FORWARD. Tables: filter, nat, mangle, raw.
Example: `iptables -A INPUT -p tcp --dport 22 -j ACCEPT` — allow SSH.
9. What is a bridge? How is it added in Linux OS?
A network bridge connects multiple network segments at Layer 2.
Function:
- Works like a virtual switch
- Forwards frames based on MAC addresses
- Connects VMs, containers to physical network
Create bridge:
- ip link add br0 type bridge
- ip link set br0 up
Remember: Linux bridge = L2 switch. Docker uses `docker0` bridge for containers.
10. What is SSH? How to check if a Linux server is running SSH?
[Wikipedia Definition](https://en.wikipedia.org/wiki/SSH_(Secure_Shell)): "SSH or Secure Shell is a cryptographic network protocol for operating network services securely over an unsecured network."
[Hostinger.com Definition](https://www.hostinger.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
11. What is NFS? What is it used for?
NFS (Network File System) enables sharing files over a network.
Use cases:
- Shared home directories
- Centralized storage
- Application data sharing
- Diskless workstations
Components:
- Server: Exports directories
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
12. What is the routing table? How do you view it?
The routing table determines where network packets are sent.
Contents:
- Destination networks
- Gateway (next hop)
- Interface to use
- Metric (priority)
View commands:
- ip route (or ip r) - Modern
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
13. What is the file /etc/resolv.conf used for? What does it contain?
/etc/resolv.conf configures DNS resolution.
Contents:
- nameserver: DNS server IPs (up to 3)
- search: Default domain search list
- domain: Local domain name
- options: Resolver options
Example:
nameserver 8.8.8.8
nameserver 8.8.4.4
search example.com internal.example.com
options timeout:2 attempts:3
Modern management:
- systemd-resolved: /etc/resolv.conf is symlink
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
14. How do you see what process is listening on a port?
`ss -tlnp` (preferred, kernel netlink) or `lsof -i :PORT`.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
15. What are the main reasons for keeping old log files?
They are essential to investigate issues on the system. **Log management** is absolutely critical for IT security.
Servers, firewalls, and other IT equipment keep log files that record important events and transactions. This information can provide important clues about hostile activity affecting your network from within and without.
Remember: ping = ICMP Echo. No reply ≠ host down — firewalls block ICMP.
16. What are the following commands used for: ip addr, ip route, ip link?
These are iproute2 commands for network configuration:
ip addr (ip a):
- Shows/configures IP addresses
- ip addr show - List all addresses
- ip addr add 192.168.1.10/24 dev eth0 - Add IP
- ip addr del 192.168.1.10/24 dev eth0 - Remove IP
ip route (ip r):
- Shows/configures routing table
Remember: ip replaces ifconfig. addr(IPs), route(routing), link(interfaces), neigh(ARP).
Example: `ip addr add 10.0.0.5/24 dev eth0`. `ip route add default via 10.0.0.1`.
17. What is nftables and how does it replace iptables?
nftables is the modern Linux firewall framework, replacing iptables.
Features:
- Single tool for IPv4, IPv6, ARP
- Better syntax than iptables
- Better performance
- Atomic rule updates
Concepts:
- Tables: Contain chains
Remember: Chains: INPUT, OUTPUT, FORWARD. Tables: filter, nat, mangle, raw.
Example: `iptables -A INPUT -p tcp --dport 22 -j ACCEPT` — allow SSH.
18. What is a network namespace? What is it used for?
A network namespace provides isolated network stack instances.
Each namespace has its own:
- Network interfaces
- IP addresses
- Routing tables
- Firewall rules
- Ports (can reuse same port numbers)
Use cases:
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
19. What symbolic representation can you pass to chmod to give all users execute access to a file without affecting other permissions?
```bash
chmod a+x /path/to/file
```
- `a` - for all users
- `x` - for execution permission
- `r` - for read permission
- `w` - for write permission
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
20. What is the difference between SSH and SSL?
Both provide encryption but for different purposes:
SSH (Secure Shell):
- Remote access and command execution
- Port 22, auth via keys/passwords
- Use: Server admin, SCP/SFTP, tunneling
SSL/TLS:
- Encrypt any TCP connection
- Port 443 (HTTPS), auth via X.509 certs
- Use: HTTPS, email, VPNs
Key difference: SSH is complete remote access protocol; TLS is encryption layer for other protocols.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
21. What question does ss -ltnp answer?
Which TCP ports are currently listening, and which processes own them. -l = listening, -t = TCP, -n = numeric, -p = show process.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
22. What is a socket in Linux?
An endpoint for interprocess or network communication. Sockets can be Unix domain (local) or network (TCP/UDP). Each has a type, address, and state.
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
23. What is defense in depth and give three examples of layers.
Defense in depth is a security strategy using multiple layers of controls so that if one fails, others still protect the system. Examples: 1) Network layer: firewalls, network segmentation, WAF; 2) Host layer: OS hardening, patching, antivirus, host-based IDS; 3) Application layer: input validation, authentication, authorization, encryption; 4) Data layer: encryption at rest, access controls, backups.
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
24. What is vulnerability scanning and name three common tools.
Vulnerability scanning is the automated process of probing systems and applications for known security weaknesses. It checks against databases like CVE and NVD. Common tools: 1) Nessus: commercial network/host scanner; 2) Trivy: open-source container and filesystem scanner; 3) OWASP ZAP: open-source web application scanner. Scanning should be integrated into CI/CD for continuous security feedback.
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
25. You run dig codingshell.com and get the following result:
This is the TTL. When you look up an address using a domain/host name, your OS performs DNS resolution by contacting DNS name servers to get the IP address of the host/domain you are looking for.
When you get a reply, this reply is cached in your OS for a certain period of time. This period of time is also known as the TTL, and this is the meaning of the number 3515: the reply will be cached for 3515 seconds before it is removed from the cache, and during that period of time you'll get the value from the cache instead of asking DNS name servers for the address again.
26. What is CUPS and how does it handle printing in Linux?
CUPS (Common Unix Printing System) manages printing on Linux/Unix.
Features:
- Print queue management
- Driver support (PPD files)
- Network printing (IPP protocol)
- Web interface (localhost:631)
Components:
- cupsd: Main daemon
- /etc/cups/: Configuration
- /var/spool/cups/: Print queues
Commands:
- lpstat -p: List printers
- lp -d printer file: Print file
- lpq: Show queue
- lprm job_id: Cancel job
Web admin: http://localhost:631
- Add printers
- Manage queues
- View logs
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
27. Tell me about your Linux experience.
I've managed large-scale Linux environments for over 15 years — from RHEL 4–9, CentOS, Ubuntu, and CoreOS. Most of my work has been operational: patching, performance tuning, troubleshooting services, storage, networking, and writing automation around daily tasks. I'm very strong with systemd, networking services, SELinux, and debugging production issues under pressure.
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
🟡 Medium (44)
1. What are you using for troubleshooting and debugging network issues?
`dstat -t` is great for identifying network and disk issues.
`netstat -tnlaup` can be used to see which processes are running on which ports.
`lsof -i -P` can be used for the same purpose as netstat.
`ngrep -d any metafilter` for matching regex against payloads of packets.
`tcpdump` for capturing packets
`wireshark` same concept as tcpdump but with GUI (optional).
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
2. What can you find in /etc/services?
/etc/services maps service names to port numbers.
Format:
service-name port/protocol [aliases]
Examples:
ssh 22/tcp
http 80/tcp www
https 443/tcp
dns 53/udp
Purpose:
- Human-readable service names
- Used by netstat, ss, lsof for display
- getservbyname() library function
Not a firewall:
- Doesn't control access
- Just name-to-port mapping
- Informational only
Standard file across Unix systems (IANA assignments).
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
3. You must run a command that will take a very long time. How do you prevent the process from being killed after the SSH session drops?
Use `nohup` to make your process ignore the hangup signal:
```bash
nohup long-running-process &
exit
```
or use **GNU Screen**:
```bash
screen -d -m long-running-process
exit
```
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
4. What happens when you press ctrl + c?
When you press "Ctrl+C," it sends the SIGINT signal to the foreground process, asking it to terminate gracefully.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
5. What does the traceroute command do? How does it work?
Another common way to ask this question is "what part of the tcp header does traceroute modify?"
Remember: traceroute = each hop (TTL). mtr = traceroute+continuous ping. Better diagnosis.
6. How do you check per-process CPU, memory, and I/O usage on Linux?
`pidstat` from the sysstat package. Use `pidstat -u 1` for per-process CPU every second, `pidstat -r 1` for memory, `pidstat -d 1` for disk I/O. Combine flags: `pidstat -urd 1` for all three. Add `-p
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
7. What are you using for troubleshooting and debugging process issues?
`strace` is great for understanding what your program does. It prints every system call your program executed.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
8. What is network interface bonding and do you know how to configure it?
Bonding combines multiple NICs into one logical interface.
Modes:
- mode=0 (balance-rr): Round-robin load balancing
- mode=1 (active-backup): Failover only
- mode=2 (balance-xor): XOR-based load balancing
- mode=4 (802.3ad): LACP, requires switch support
- mode=5 (balance-tlb): Adaptive transmit load balancing
Remember: Modes: 0=rr, 1=active-backup, 4=802.3ad(LACP). Mode 1 and 4 most common.
9. Every couple of days, a certain process stops running. How can you look into why it's happening?
One way to investigate why a process stops running is to check the system logs, such as the messages in /var/log/messages or journalctl. Additionally, checking the process's resource usage and system load may provide clues as to what caused the process to stop.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
10. How do you check TCP connection statistics on Linux?
`sar -n TCP,ETCP 1` from the sysstat package. TCP shows active/passive connections per second and segments in/out. ETCP shows retransmits, bad segments, and resets — useful for spotting packet loss or network congestion. The `1` samples every second. Install via `apt install sysstat` or `yum install sysstat`.
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
11. How can you find how much memory a specific process consumes?
```bash
# Print the resident memory (in MB) of every process whose command line matches the given pattern.
mem()
{
    ps -eo rss,pid,euser,args:100 --sort %mem | grep -v grep | grep -i "$@" | awk '{printf $1/1024 "MB"; $1=""; print }'
}
```
[Source](https://stackoverflow.com/questions/3853655/in-linux-how-to-tell-how-much-memory-processes-are-using)
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
12. What is network bonding? What types are you familiar with?
Bonding combines multiple NICs into one logical interface for redundancy and/or performance.
Common modes:
- Mode 0 (balance-rr): Round-robin, load balancing
- Mode 1 (active-backup): Only one active, failover
- Mode 2 (balance-xor): XOR hash load balancing
- Mode 4 (802.3ad): LACP, requires switch support
- Mode 5 (balance-tlb): Adaptive transmit load balancing
Remember: Modes: 0=rr, 1=active-backup, 4=802.3ad(LACP). Mode 1 and 4 most common.
13. How do you kill a process in D state?
A process in D state (also known as "uninterruptible sleep") cannot be killed using the "kill" command. The only way to terminate it is to reboot the system.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
14. How does a user process perform a privileged operation, such as reading from the disk?
Using system calls.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
15. How can we modify the network connection via nmcli command, to use 8.8.8.8 as a DNS server?
1. Find the connection name:
```
# nmcli con show
NAME         UUID                                  TYPE      DEVICE
System ens5  8126c120-a964-e959-ff98-ac4973344505  ethernet  ens5
System eth0  5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  --
```
Here the connection name is "System ens5". Let's say we want to modify settings for this connection.
Remember: DNS port 53. Records: A(IPv4), AAAA(IPv6), CNAME, MX, NS, TXT.
Example: `dig example.com A +short` or `nslookup example.com`.
16. You run ssh 127.0.0.1 but it fails with "connection refused". What could be the problem?
1. SSH server is not installed
2. SSH server is not running
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
17. Why is SSH considered better than telnet?
Telnet also allows you to connect to a remote host, but as opposed to SSH, where the communication is encrypted, in telnet the data is sent in clear text, so it isn't considered to be secure because anyone on the network can see what exactly is sent, including passwords.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
18. True or False? In every PID (Process ID) namespace, the first process is assigned the process ID number 1
True. Inside the namespace it's PID 1 while to the parent namespace the PID is a different one.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
19. How would you recognize a process that is hogging resources?
`top` works reasonably well, as long as you look at the right numbers.
- **M** Sorts by current resident memory usage
- **T** Sorts by total (or cumulative) CPU usage
- **P** Sorts by current CPU usage (this is the default refresh)
- **?** Displays a usage summary for all top commands
This is very important information to obtain when problem solving why a computer process is running slowly and making decisions on what processes to kill/software to uninstall.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
20. You need to upgrade the ntpd service on 200 servers. What is the best way to go about upgrading all of these to the latest?
By using the **Infrastructure as Code** approach, there are multiple good ways:
1. **Configuration Synchronization Change Management Model**:
There are Configuration Management Tools (Ansible, Chef, Puppet, Saltstack, ...), that can be used to automatically update `ntpd` service on all servers.
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
21. How to trigger neighbor discovery in IPv6?
`ping6 ff02::1` sends a multicast ping to all link-local nodes, triggering IPv6 Neighbor Discovery (NDP). This populates the neighbor cache, similar to ARP in IPv4. View discovered neighbors with `ip -6 neigh show`.
Gotcha: you must specify the interface for link-local addresses: `ping6 ff02::1%eth0`.
22. What is a virtual IP? In what situation would you use one?
A Virtual IP (VIP) is an IP address not tied to a specific physical interface.
Use cases:
1. High availability
- Failover between servers
- Keepalived, Pacemaker manage VIP
- Clients connect to VIP, failover is transparent
2. Load balancing
- Single entry point
- LB distributes to multiple backends
3. Service migration
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
23. What signal is used by default when you run 'kill process id'?
The default signal is SIGTERM (15). This signal kills the process gracefully, which means it allows it to save its current state configuration.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
24. How to run a process in the background and why to do that in the first place?
You can achieve that by specifying & at the end of the command.
As to why, since some commands/processes can take a lot of time to finish execution or run forever, you may want to run them in the background instead of waiting for them to finish before gaining control again in current session.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
25. How does the kernel notify the parent process about child process termination?
The kernel notifies the parent by sending the SIGCHLD signal to the parent.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
26. You have a process writing to a file. You don't know which process exactly, you just know the path of the file. You would like to kill the process as it's no longer needed. How would you achieve it?
1. Run `lsof
2. Use the pid (process ID) from the lsof command and run `kill
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
27. True or False? The MAC address of an interface is assigned/set by the OS
False. The MAC address is burned into the network interface hardware (NIC) by the manufacturer. The OS can override it (MAC spoofing), but the default address comes from hardware.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
28. You try to ssh to a server and you get "Host key verification failed". What does it mean?
It means that the key of the remote host was changed and doesn't match the one that is stored on the machine (in ~/.ssh/known_hosts).
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
29. Explain the difference between iptables and nftables, and when you'd migrate.
nftables is the modern replacement for iptables, designed to address its limitations.
Key differences:
- nftables: single CLI (nft), replaces iptables/ip6tables/arptables/ebtables
- nftables: VM-based bytecode execution (more efficient)
- nftables: atomic rule updates (no race conditions during reload)
- nftables: native sets and maps (efficient IP/port lookups)
- nftables: cleaner syntax,
Remember: Chains: INPUT, OUTPUT, FORWARD. Tables: filter, nat, mangle, raw.
Example: `iptables -A INPUT -p tcp --dport 22 -j ACCEPT` — allow SSH.
30. What is ssh-keygen used for?
`ssh-keygen` is a tool to generate an authentication key pair for SSH, which consists of a private and a public key. It supports a number of algorithms to generate authentication keys:
- dsa
- ecdsa
- ecdsa-sk
- ed25519
- ed25519-sk
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
31. Explain in a few points the boot process of the Linux system.
**BIOS**: Full form of BIOS is Basic Input or Output System that performs integrity checks and it will search and load and then it will execute the bootloader.
**Bootloader**: Since the earlier phases are not specific to the operating system, the BIOS-based boot process for x86 and x86-64 architectures is considered to start when the master boot record (MBR) code is executed in real mode and th
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
32. How to list active connections?
Several commands show network connections:
1. ss (modern, preferred):
- ss -tuln - Listening TCP/UDP ports
- ss -tunap - All connections with processes
- ss -s - Statistics summary
2. netstat (legacy):
- netstat -tuln - Listening ports
- netstat -tunap - All with processes
3. lsof:
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
33. What are the possible states of a process in Linux?
Running (R)
Uninterruptible Sleep (D) - The process is waiting for I/O
Interruptible Sleep (S)
Stopped (T)
Dead (x)
Zombie (z)
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
34. How to check if a certain port is being used?
One of the following would work:
```
netstat -tnlp | grep
```
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
35. How to list all the interfaces?
`ip link show` lists all network interfaces with their state (UP/DOWN), MTU, MAC address, and type. Alternatives: `ip addr show` includes IP addresses, `ip -br link` gives a brief one-line-per-interface view. Legacy command `ifconfig` also works but is deprecated. Use `ip link set eth0 up/down` to enable or disable an interface.
36. What commands are you using for performing DNS queries (or troubleshoot DNS related issues)?
You can specify one or more of the following:
* `dig`
* `host`
* `nslookup`
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
37. Can you explain how network process/connection is established and how it's terminated?
When a client process on one system wants to establish a connection with a server process on another system, it first creates a socket using the socket system call. The client then calls the connect system call, passing the address of the server as an argument.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
38. True or False? In user space, applications don't have full access to hardware resources
True. Only in kernel space they have full access to hardware resources.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
39. True or False? The wait() system call won't return until the child process has run and exited
True in most cases though there are cases where wait() returns before the child exits.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
40. How do you find out what command a running process was started with?
Read /proc/
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
41. How do you find which process is listening on a specific port using lsof?
lsof -i :
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
42. What are the core principles of zero trust security?
Zero trust assumes no implicit trust based on network location. Principles: 1) Verify explicitly (authenticate and authorize every request); 2) Use least privilege access; 3) Assume breach (segment access, use end-to-end encryption, monitor continuously). Implementation involves: identity-based access, micro-segmentation, continuous validation, and device health checks. "Never trust, always verify."
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
43. What do the following commands do?
* chmod - changes access permissions to file system objects
* chown - changes the owner of file system files and directories
* chgrp - changes the group associated with a file system object
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
44. How to check which commands you executed in the past?
* Use the history command or the .bash_history file
* You can also use the up arrow key to access or show the recent commands you typed
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
🔴 Hard (17)
1. Server shows high interrupt CPU usage (irq% in top). How do you troubleshoot?
Show answer
High interrupt CPU indicates hardware generating excessive interrupts, often network-related.
Diagnostic steps:
1. Identify the IRQ source: `cat /proc/interrupts` - look for rapidly increasing counters
2. Per-CPU breakdown: `mpstat -P ALL 1` - see which CPUs handle interrupts
3. Check for interrupt storms on specific device (e.g.
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
2. True or False? By default, when creating two separate network namespaces, a ping from one namespace to another will work fine
Show answer
False. Each network namespace has its own interfaces and routing table. There is no way (without creating a bridge, for example) for one network namespace to reach another.
Remember: ping = ICMP Echo. No reply ≠ host down — firewalls block ICMP.
3. You would like to enable IPv4 forwarding in the kernel, how would you do it?
Show answer
`sudo sysctl net.ipv4.ip_forward=1`
To make it persistent (applied after reboot for example): insert `net.ipv4.ip_forward = 1` into `/etc/sysctl.conf`
Another way is to run `echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward`
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
4. What network bonding modes are there?
Show answer
There are a couple of modes:
* balance-rr: round-robin bonding
* active-backup: a fault tolerance mode where only one is active
* balance-tlb: Adaptive transmit load balancing
* balance-alb: Adaptive load balancing
Remember: Modes: 0=rr, 1=active-backup, 4=802.3ad(LACP). Mode 1 and 4 most common.
5. Difference between SNAT, DNAT, and masquerade?
Show answer
They are NAT modes that rewrite source or destination addresses to enable routing across networks.
- SNAT: rewrites the source IP to a fixed public address, commonly for outbound traffic.
- Masquerade: a dynamic SNAT that uses the interface IP, ideal when the public IP can change.
- DNAT: rewrites the destination IP/port, commonly for inbound port forwarding to internal hosts.
- In netfilter, SNAT/masquerade happens in POSTROUTING; DNAT happens in PREROUTING.
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
6. What is the advantage of synchronizing UID/GID across multiple systems?
Show answer
There are several principal reasons why you want to coordinate the **user/UID** and **group/GID** management across your network.
The first is relatively obvious - it has to do with user and administrative convenience.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
7. What happens when socket system call is used?
Show answer
This is a good article about the topic: https://ops.tips/blog/how-linux-creates-sockets
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
8. Can you have more than one default gateway in a given system?
Show answer
Technically yes, a system can have multiple default gateways with different metrics (priorities). The kernel uses the route with the lowest metric. View with `ip route show default`.
Gotcha: multiple default gateways without proper metrics cause unpredictable routing — use policy-based routing (`ip rule`) for multi-homed hosts that need controlled path selection.
9. How to link two separate network namespaces so you can ping an interface on one ns from the other?
Show answer
Use veth (virtual ethernet) pairs - they act like a cable connecting namespaces.
Steps:
1. Create namespaces:
ip netns add ns1
ip netns add ns2
2. Create veth pair:
ip link add veth1 type veth peer name veth2
3. Move each end to a namespace:
ip link set veth1 netns ns1
ip link set veth2 netns ns2
4. Configure IPs:
ip netns exec ns1 ip addr add 10.0.0.
Remember: ping = ICMP Echo. No reply ≠ host down — firewalls block ICMP.
10. How can you turn your Linux server into a router?
Show answer
Enable IP forwarding and configure routing:
1. Enable IP forwarding:
- echo 1 > /proc/sys/net/ipv4/ip_forward (temporary)
- Edit /etc/sysctl.conf: net.ipv4.ip_forward = 1 (permanent)
- sysctl -p to apply
2. Configure interfaces:
- Each network on different interface
- Assign appropriate IP addresses
3. NAT (if needed for internet access):
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
11. Is it safe to attach strace to a running process in production? What are the consequences?
Show answer
`strace` is the system call tracer for Linux. It currently uses the arcane `ptrace()` (process trace) debugging interface, which operates in a violent manner: **pausing the target process** for each syscall so that the debugger can read state. And doing this twice: when the syscall begins, and when it ends.
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
12. Swap usage too high. What are the reasons for this and how to resolve swapping problems?
Show answer
**Swap** space is a restricted amount of physical memory that is allocated for use by the operating system when available memory has been fully utilized. It is memory management that involves swapping sections of memory to and from physical storage.
Remember: ping = ICMP Echo. No reply ≠ host down — firewalls block ICMP.
13. How to enforce authorization methods in SSH? In what situations would it be useful?
Show answer
Force login with a password:
```bash
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@remote_host
```
Force login using the key:
```bash
ssh -o PreferredAuthentications=publickey -o PubkeyAuthentication=yes -i id_rsa user@remote_host
```
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
14. How to kill a process that is locking a file?
Show answer
```bash
fuser -k filename
```
Remember: ss replaces netstat. `ss -tulnp` = TCP+UDP listening, numeric, process.
Example: `ss -tulnp | grep :80` — find what listens on port 80.
15. What are packet sniffers? Have you used one in the past? If yes, which packet sniffers have you used and for what purpose?
Show answer
It is a network utility that analyses and may inject tasks into the data-stream travelling over the targeted network.
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.
16. Explain each system call used for process management in Linux.
Show answer
There are some system calls for process management. These are as follows:
- `fork()`: it is used to create a new process
- `exec()`: it is used to execute a new process
- `wait()`: it is used to make the process wait
- `exit()`: it is used to exit or terminate the process
- `getpid()`: it is used to find the unique process ID
- `getppid()`: it is used to check the parent process ID
- `nice()`: it is used to bias the currently running process property
17. Using a Linux system with a limited number of packages installed, and telnet is not available. Use sysfs virtual filesystem to test connection on all interfaces (without loopback).
Show answer
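For example:
```bash
#!/usr/bin/bash

# Check link carrier on every interface except loopback.
for path in /sys/class/net/* ; do
  iface=${path##*/}
  # Skip only the interface named exactly "lo" (a substring match would also drop names like wlo1)
  [[ $iface == lo ]] && continue

  # carrier reads 1 when the link is up; the read fails on an interface that is administratively down
  if [[ $(cat "$path/carrier" 2>/dev/null) = 1 ]] ; then state=1 ; fi

done

# Report failure on stderr with a non-zero exit status when no interface has carrier
if [[ ${state:-0} -ne 1 ]] ; then echo "no connection" >&2 ; exit 1 ; fi
```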
Remember: Key tools: ip(config), ss(connections), dig(DNS), ping/traceroute(reach).
Gotcha: Check iptables and ss when debugging connectivity.