Introduction
Welcome, Network Navigator! You've just been hired as a Junior System Administrator at a fast-growing tech startup. This morning, a critical web server has gone offline. Users are reporting they can't access the company's internal portal.
Your senior admin is tied up in a meeting and has tasked you with the initial diagnosis. It's your time to shine! Your mission is to systematically investigate the server's network status, identify the root cause, and restore connectivity. Let's get this server back online!
Checking Network Interface Status
Your first step as a Network Navigator is to gather basic information. Is the network hardware even recognized and active? You need to check the status of all network interfaces on the server. The modern tool for this job is the ip command.
Tasks
- Use the ip command to display the status and configuration of all network interfaces.
Requirements
- You must use the ip addr command to perform this check.
Examples
After running the command, you should see output showing network interfaces like lo (loopback) and eth0 (or similar). Look for the state of your main interface - it should show UP to indicate it's active.
## Expected output format (interface names may vary)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:04:b0:40 brd ff:ff:ff:ff:ff:ff
    inet 172.16.50.108/24 metric 100 brd 172.16.50.255 scope global dynamic eth0
       valid_lft 1892159216sec preferred_lft 1892159216sec
Hints
- The ip command is a powerful tool with many subcommands. The one for managing addresses is addr.
- You can use ip addr show or its shorter alias ip addr.
Verifying IP Address Configuration
Okay, the interface is UP. That's a good start. But does it have an IP address? An interface without an IP address can't communicate on the network. While ip addr shows this, let's use another classic command, ifconfig, to double-check. It's good to know multiple tools for the same job.
Tasks
- Use the ifconfig command to verify the IP address configuration.
Requirements
- You must use the ifconfig command.
Examples
The output should display your network interfaces with their IP addresses. Look for the inet field under your main network interface (like eth0) to confirm the IP configuration.
## Expected output showing IP configuration
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.50.108 netmask 255.255.255.0 broadcast 172.16.50.255
ether 00:16:3e:04:b0:40 txqueuelen 1000 (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
Hints
- The ifconfig command is part of the net-tools package, which we've already installed for you.
- Running ifconfig without any arguments will display all active interfaces.
Testing Connectivity to Remote Hosts
The server has an active interface and an IP address. The next logical step is to check if it can reach the outside world. A failure here could indicate a problem with the gateway or DNS settings. The ping command is the perfect tool for this test.
Tasks
- Test the server's connectivity to the internet by sending exactly 3 ICMP packets to Google's public DNS server at 8.8.8.8.
Requirements
- You must use the ping command.
- You must limit the number of packets sent to 3.
- The target IP address must be 8.8.8.8.
Examples
If connectivity is working, you should see replies from the target IP address with timing information. The summary at the end should show 3 packets transmitted and 3 packets received with 0% packet loss.
## Expected successful output pattern
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=4.33 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=4.30 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=4.30 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 4.298/4.309/4.329/0.014 ms
Hints
- The ping command will run indefinitely unless you tell it to stop.
- Use the -c option to specify the count of packets to send.
Inspecting Open Network Ports
Connectivity is good! So, why is the internal portal still inaccessible? The problem might be with the application itself. Is the web server process actually running and listening for connections on the correct port? The ss (socket statistics) command is a modern and fast tool to investigate this.
Tasks
- The internal portal is supposed to be running on port 8000. Use the ss command to check if any process is listening for TCP connections on port 8000.
Requirements
- You must use the ss command.
- Your command should be constructed to show listening TCP sockets.
Examples
If a process is listening on port 8000, you should see output containing information about the listening socket. Look for a line that shows port 8000 in the Local Address column.
## Expected output showing a listening process on port 8000
LISTEN 0 5 0.0.0.0:8000 0.0.0.0:* users:(("python3",pid=3765,fd=3))
Hints
- The ss command has several useful flags:
  - -t: Show TCP sockets.
  - -l: Show listening sockets.
  - -n: Show numeric port numbers instead of service names.
  - -p: Show the process using the socket.
- You can combine these flags, like ss -tlnp.
- To find a specific port, you can pipe the output of ss to the grep command. For example: ss -tlnp | grep 8000.
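
A plain grep for 8000 also matches lines that merely contain those digits, such as a PID of 8000 or port 18000. The following added example (not part of the original lab) matches the port exactly and also reports whether the socket is bound to loopback only; the helper name port_listeners and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the lab): exact-port match over `ss -tlnp` output.

# Constructed sample; only the python3 line on 0.0.0.0:8000 mirrors the lab's output.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22      0.0.0.0:*  users:(("sshd",pid=8000,fd=3))
LISTEN 0      5      127.0.0.1:18000 0.0.0.0:*  users:(("node",pid=4121,fd=7))
LISTEN 0      5      0.0.0.0:8000    0.0.0.0:*  users:(("python3",pid=3765,fd=3))
LISTEN 0      5      [::1]:8000      [::]:*     users:(("python3",pid=3765,fd=4))'

# port_listeners PORT (hypothetical helper): reads `ss -tlnp` output on stdin and
# prints "local_address scope process" for every LISTEN socket whose local port is
# exactly PORT. Exit status is 0 if at least one socket matched, 1 otherwise.
port_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")          # port is the text after the last ":"
            if (part[n] != port) next
            # A loopback bind is unreachable from other hosts whatever the firewall says.
            scope = ($4 ~ /^(127\.|\[::1\])/) ? "loopback-only" : "non-loopback"
            print $4, scope, $6
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Demo: the naive grep hits all four data lines; the exact match reports two sockets.
printf 'grep 8000 matched %s lines\n' "$(printf '%s\n' "$SAMPLE" | grep -c 8000)"
printf '%s\n' "$SAMPLE" | port_listeners 8000
```

On the lab VM, feed it live data with sudo ss -tlnp | port_listeners 8000.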
Configuring Basic Firewall Rules
You've confirmed it all: the interface is up, the IP is set, internet connectivity works, and the application is listening on the correct port. There's only one major suspect left: the firewall. It's likely blocking incoming traffic to the portal. Your final task is to configure the firewall to deny access to the portal. We'll use ufw (Uncomplicated Firewall), a user-friendly front-end for managing firewall rules.
Tasks
- Add a firewall rule to deny incoming traffic on port 8000.
- Add a firewall rule to allow incoming SSH traffic (port 22).
- Enable the firewall to apply the new rules.
Requirements
- You must use the ufw command for all operations.
- You must use sudo because modifying firewall rules requires administrative privileges.
Examples
After configuring the firewall rules, running sudo ufw status should show that the firewall is active with port 8000 denied and SSH (port 22) allowed.
## Expected output after enabling firewall with port 8000 denied and SSH allowed
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
8000 DENY Anywhere
22 (v6) ALLOW Anywhere (v6)
8000 (v6) DENY Anywhere (v6)
When adding the rule, you should see:
Rules updated
Rules updated (v6)
When enabling the firewall, you should see:
Firewall is active and enabled on system startup
Hints
- The syntax for ufw is very straightforward. To deny traffic on a port, use ufw deny <port>.
- You can deny traffic on port 8000 using ufw deny 8000.
- You can allow SSH traffic specifically using ufw allow ssh or ufw allow 22.
- Critical Warning: If you do not properly open the SSH port (22), verification will fail because verification depends on this port for SSH connectivity.
- Important Warning: Do not modify firewall rules for other ports arbitrarily, as this may cause online VM failures.
- After adding your rules, you must enable the firewall with ufw enable.
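
The target state can be checked mechanically from ufw status output. This is an added example, not part of the original lab: the helper names rule_action and verify_policy are hypothetical, the GOOD sample is the expected output shown above, and NO_SSH is a constructed failure case.

```shell
#!/bin/sh
# Added example (not part of the lab): check `ufw status` text against the lab's target state.

# Target state, copied from the expected output shown above.
GOOD='Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
8000 DENY Anywhere
22 (v6) ALLOW Anywhere (v6)
8000 (v6) DENY Anywhere (v6)'

# Constructed failure case: firewall enabled with the deny rule but no SSH rule.
NO_SSH='Status: active
To Action From
-- ------ ----
8000 DENY Anywhere
8000 (v6) DENY Anywhere (v6)'

# rule_action PORT (hypothetical helper): print the action of the first IPv4 rule
# whose "To" column is PORT or PORT/tcp (`ufw allow ssh` is listed as 22/tcp).
rule_action() {
    awk -v p="$1" '($1 == p || $1 == p "/tcp") && $2 != "(v6)" { print $2; exit }'
}

# verify_policy: reads `ufw status` output on stdin; prints "ok" and returns 0 only
# if the firewall is active, port 22 is ALLOW and port 8000 is DENY.
verify_policy() {
    status=$(cat)
    case "$status" in
        "Status: active"*) ;;
        *) echo "firewall is not active"; return 1 ;;
    esac
    [ "$(printf '%s\n' "$status" | rule_action 22)" = ALLOW ] ||
        { echo "port 22 is not allowed"; return 1; }
    [ "$(printf '%s\n' "$status" | rule_action 8000)" = DENY ] ||
        { echo "port 8000 is not denied"; return 1; }
    echo ok
}

printf '%s\n' "$GOOD" | verify_policy
printf '%s\n' "$NO_SSH" | verify_policy || true
```

On the lab VM, run it against the live firewall with sudo ufw status | verify_policy.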
Summary
Excellent work, Navigator! By systematically checking the network interfaces, verifying IP configuration, testing connectivity, inspecting open ports, and finally configuring the firewall, you have successfully diagnosed and resolved the issue. The internal portal is now back online, and you've earned the respect of your team.
You've demonstrated a solid grasp of fundamental Linux networking tools like ip, ifconfig, ping, ss, and ufw. This logical, step-by-step troubleshooting process is a critical skill for any system administrator and will be invaluable in your career. Keep honing your skills!



