Proper network configuration is essential for any Rocky Linux system, whether it’s a personal workstation, development server, or production environment. This comprehensive guide covers network configuration best practices, from basic setup to advanced configurations, ensuring your Rocky Linux system has reliable, secure, and optimized network connectivity.
Understanding Rocky Linux Networking
Rocky Linux inherits its networking stack from Red Hat Enterprise Linux, providing enterprise-grade networking capabilities. The system uses NetworkManager as the default network configuration daemon, offering both command-line and graphical tools for network management.
Key Components
- NetworkManager: The primary network configuration service
- nmcli: Command-line interface for NetworkManager
- nmtui: Text-based user interface for NetworkManager
- systemd-networkd: Alternative networking daemon
- Network Scripts: Legacy configuration method (deprecated)
Network Configuration Files
Important configuration files and directories:
/etc/NetworkManager/ # NetworkManager configuration
/etc/sysconfig/network-scripts/ # Legacy network scripts
/etc/hosts # Static hostname mappings
/etc/resolv.conf # DNS resolver configuration
/etc/hostname # System hostname
/proc/sys/net/ # Kernel network parametersNetworkManager vs Network Scripts
NetworkManager (Recommended)
NetworkManager is the modern, recommended approach for network configuration in Rocky Linux:
Advantages:
- Dynamic network management
- Better laptop/mobile device support
- Integrated VPN support
- D-Bus API for applications
- Automatic network detection
Check NetworkManager status:
sudo systemctl status NetworkManager
sudo nmcli general statusNetwork Scripts (Legacy)
While still supported, network scripts are considered legacy:
# Legacy configuration files
/etc/sysconfig/network-scripts/ifcfg-*Basic Network Configuration
Using nmcli
The nmcli command provides comprehensive network management:
# Show all connections
nmcli connection show
# Show device status
nmcli device status
# Show detailed device information
nmcli device show
# Show general NetworkManager status
nmcli general statusBasic Connection Management
# List all connections
nmcli con show
# Show specific connection details
nmcli con show "connection-name"
# Activate a connection
nmcli con up "connection-name"
# Deactivate a connection
nmcli con down "connection-name"
# Delete a connection
nmcli con delete "connection-name"Using nmtui
For a text-based interface:
# Launch NetworkManager TUI
sudo nmtui
# Directly edit connections
sudo nmtui edit
# Activate connections
sudo nmtui connectStatic IP Configuration
Method 1: Using nmcli
Create a new connection with static IP:
# Create new connection with static IP
sudo nmcli con add type ethernet con-name "static-eth0" ifname eth0 \
ipv4.addresses 192.168.1.100/24 \
ipv4.gateway 192.168.1.1 \
ipv4.dns "8.8.8.8,8.8.4.4" \
ipv4.method manual
# Activate the connection
sudo nmcli con up "static-eth0"Method 2: Modifying Existing Connection
# Modify existing connection to static IP
sudo nmcli con mod "System eth0" \
ipv4.addresses 192.168.1.100/24 \
ipv4.gateway 192.168.1.1 \
ipv4.dns "8.8.8.8,8.8.4.4" \
ipv4.method manual
# Apply changes
sudo nmcli con up "System eth0"Method 3: Using Configuration Files
Edit NetworkManager connection files:
# Create/edit connection file
sudo nano /etc/NetworkManager/system-connections/static-eth0.nmconnectionExample configuration:
[connection]
id=static-eth0
type=ethernet
interface-name=eth0
[ethernet]
[ipv4]
method=manual
addresses=192.168.1.100/24
gateway=192.168.1.1
dns=8.8.8.8;8.8.4.4;
[ipv6]
method=ignoreApply changes:
sudo chmod 600 /etc/NetworkManager/system-connections/static-eth0.nmconnection
sudo nmcli con reload
sudo nmcli con up static-eth0Network Bonding and Teaming
Network Bonding
Bonding combines multiple network interfaces for redundancy or increased throughput:
# Create bond master
sudo nmcli con add type bond con-name bond0 ifname bond0 \
bond.options "mode=active-backup,miimon=100"
# Add slave interfaces
sudo nmcli con add type ethernet con-name bond0-slave1 \
ifname eth0 master bond0
sudo nmcli con add type ethernet con-name bond0-slave2 \
ifname eth1 master bond0
# Configure IP for bond
sudo nmcli con mod bond0 \
ipv4.addresses 192.168.1.100/24 \
ipv4.gateway 192.168.1.1 \
ipv4.dns 8.8.8.8 \
ipv4.method manual
# Activate bond
sudo nmcli con up bond0Bond Modes
Common bonding modes:
# Mode 0: Round-robin (load balancing)
bond.options "mode=balance-rr"
# Mode 1: Active-backup (failover)
bond.options "mode=active-backup"
# Mode 2: XOR (load balancing)
bond.options "mode=balance-xor"
# Mode 4: 802.3ad (LACP)
bond.options "mode=802.3ad,lacp_rate=fast"
# Mode 6: Adaptive load balancing
bond.options "mode=balance-alb"Network Teaming (Alternative to Bonding)
Teaming is a newer alternative to bonding:
# Install teamd
sudo dnf install teamd
# Create team interface
sudo nmcli con add type team con-name team0 ifname team0 \
team.config '{"runner": {"name": "activebackup"}}'
# Add team slaves
sudo nmcli con add type ethernet con-name team0-port1 \
ifname eth0 master team0
sudo nmcli con add type ethernet con-name team0-port2 \
ifname eth1 master team0
# Monitor team status
sudo teamdctl team0 stateVLAN Configuration
Creating VLANs
Configure VLAN tagging for network segmentation:
# Create VLAN interface
sudo nmcli con add type vlan con-name vlan10 \
dev eth0 id 10
# Configure IP for VLAN
sudo nmcli con mod vlan10 \
ipv4.addresses 192.168.10.100/24 \
ipv4.method manual
# Activate VLAN
sudo nmcli con up vlan10Multiple VLANs on Single Interface
# VLAN 10
sudo nmcli con add type vlan con-name vlan10 \
dev eth0 id 10 \
ipv4.addresses 192.168.10.100/24 \
ipv4.method manual
# VLAN 20
sudo nmcli con add type vlan con-name vlan20 \
dev eth0 id 20 \
ipv4.addresses 192.168.20.100/24 \
ipv4.method manual
# Activate both
sudo nmcli con up vlan10
sudo nmcli con up vlan20IPv6 Configuration
Enable IPv6
# Check IPv6 status
sudo sysctl net.ipv6.conf.all.disable_ipv6
# Enable IPv6 globally
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=0Static IPv6 Configuration
# Add IPv6 address
sudo nmcli con mod "System eth0" \
ipv6.addresses "2001:db8::100/64" \
ipv6.gateway "2001:db8::1" \
ipv6.dns "2001:4860:4860::8888" \
ipv6.method manual
# Apply changes
sudo nmcli con up "System eth0"IPv6 Autoconfiguration
# Enable SLAAC (Stateless Address Autoconfiguration)
sudo nmcli con mod "System eth0" \
ipv6.method auto
# Enable DHCPv6
sudo nmcli con mod "System eth0" \
ipv6.method dhcpIPv6 Privacy Extensions
# Enable privacy extensions
sudo nmcli con mod "System eth0" \
ipv6.ip6-privacy 2
# Values:
# 0 = disabled
# 1 = enabled (prefer public address)
# 2 = enabled (prefer temporary address)Network Security Best Practices
1. Firewall Configuration
# Enable firewalld
sudo systemctl enable --now firewalld
# Check firewall status
sudo firewall-cmd --state
# List active zones
sudo firewall-cmd --get-active-zones
# Add service to firewall
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload2. Disable Unnecessary Services
# List network services
sudo ss -tulpn
# Disable unnecessary services
sudo systemctl disable --now telnet.socket
sudo systemctl disable --now rsh.socket
sudo systemctl disable --now rlogin.socket3. Network Parameter Hardening
Create security sysctl configuration:
sudo nano /etc/sysctl.d/99-network-security.confAdd security parameters:
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Log Martians
net.ipv4.conf.all.log_martians = 1
# Ignore ICMP ping requests
net.ipv4.icmp_echo_ignore_all = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable TCP/IP SYN cookies
net.ipv4.tcp_syncookies = 1
# Enable TCP time stamps
net.ipv4.tcp_timestamps = 1Apply settings:
sudo sysctl -p /etc/sysctl.d/99-network-security.conf4. SELinux Network Policies
# Check SELinux status
getenforce
# View network-related SELinux booleans
sudo getsebool -a | grep network
# Example: Allow httpd network connections
sudo setsebool -P httpd_can_network_connect onPerformance Optimization
1. Network Buffer Tuning
sudo nano /etc/sysctl.d/99-network-performance.confAdd performance parameters:
# Increase Linux autotuning TCP buffer limits
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 4096 87380 134217728
net.ipv4.tcp_wmem = 4096 65536 134217728
# Increase netdev budget
net.core.netdev_budget = 50000
net.core.netdev_budget_usecs = 5000
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 25165824
# Increase the maximum number of incoming connections
net.core.somaxconn = 65535
# Increase the maximum backlog
net.core.netdev_max_backlog = 50000Apply settings:
sudo sysctl -p /etc/sysctl.d/99-network-performance.conf2. NIC Offloading
# Check offload settings
sudo ethtool -k eth0
# Enable offloading features
sudo ethtool -K eth0 tx on rx on
sudo ethtool -K eth0 gso on gro on
sudo ethtool -K eth0 tso on3. Interrupt Coalescing
# Check current settings
sudo ethtool -c eth0
# Adjust interrupt coalescing
sudo ethtool -C eth0 adaptive-rx on adaptive-tx on4. CPU Affinity for Network Interrupts
# Show interrupt assignments
cat /proc/interrupts | grep eth0
# Set CPU affinity
echo 2 > /proc/irq/24/smp_affinity_listTroubleshooting Network Issues
Basic Diagnostic Commands
# Check IP configuration
ip addr show
ip route show
# Test connectivity
ping -c 4 google.com
ping6 -c 4 google.com
# DNS resolution
nslookup google.com
dig google.com
host google.com
# Trace route
traceroute google.com
tracepath google.com
# Show network statistics
ss -tuln
netstat -tuln
# Show network connections
ss -tpNetworkManager Troubleshooting
# View NetworkManager logs
sudo journalctl -u NetworkManager
# Enable debug logging
sudo nmcli general logging level DEBUG
# Monitor NetworkManager events
sudo nmcli monitor
# Check connection profile
nmcli -f all con show "connection-name"Common Issues and Solutions
1. Connection Not Working After Reboot
# Ensure connection auto-connects
sudo nmcli con mod "connection-name" connection.autoconnect yes
# Check if NetworkManager is enabled
sudo systemctl enable NetworkManager2. DNS Resolution Issues
# Check DNS servers
cat /etc/resolv.conf
# Test specific DNS server
dig @8.8.8.8 google.com
# Flush DNS cache
sudo systemctl restart systemd-resolved3. Network Interface Not Detected
# List all network interfaces
ip link show
# Check if interface is managed by NetworkManager
nmcli device status
# Rescan for devices
sudo nmcli device reapply eth04. Slow Network Performance
# Check for errors
ip -s link show eth0
# Test network speed
sudo dnf install iperf3
iperf3 -s # On server
iperf3 -c server_ip # On client
# Check MTU settings
ip link show eth0 | grep mtu
# Adjust MTU if needed
sudo nmcli con mod "connection-name" ethernet.mtu 9000Advanced Configurations
Network Bridges
Create a bridge for virtualization:
# Create bridge
sudo nmcli con add type bridge con-name br0 ifname br0
# Add physical interface to bridge
sudo nmcli con add type ethernet con-name br0-slave \
ifname eth0 master br0
# Configure bridge IP
sudo nmcli con mod br0 \
ipv4.addresses 192.168.1.100/24 \
ipv4.gateway 192.168.1.1 \
ipv4.dns 8.8.8.8 \
ipv4.method manual
# Enable STP (Spanning Tree Protocol)
sudo nmcli con mod br0 bridge.stp yes
# Activate bridge
sudo nmcli con up br0Policy-Based Routing
# Add routing table
echo "200 custom" | sudo tee -a /etc/iproute2/rt_tables
# Add routing rules
sudo ip rule add from 192.168.1.0/24 table custom
sudo ip route add default via 192.168.1.1 dev eth0 table custom
# Make persistent with NetworkManager
sudo nmcli con mod "connection-name" \
ipv4.routes "192.168.2.0/24 192.168.1.1" \
ipv4.route-metric 100WireGuard VPN
# Install WireGuard
sudo dnf install wireguard-tools
# Generate keys
wg genkey | tee privatekey | wg pubkey > publickey
# Create configuration
sudo nano /etc/wireguard/wg0.confExample WireGuard configuration:
[Interface]
PrivateKey = <private_key>
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = <peer_public_key>
AllowedIPs = 10.0.0.2/32
Endpoint = peer.example.com:51820Start WireGuard:
sudo systemctl enable --now wg-quick@wg0Network Namespaces
# Create network namespace
sudo ip netns add isolated
# Create veth pair
sudo ip link add veth0 type veth peer name veth1
# Move interface to namespace
sudo ip link set veth1 netns isolated
# Configure interfaces
sudo ip addr add 192.168.100.1/24 dev veth0
sudo ip link set veth0 up
sudo ip netns exec isolated ip addr add 192.168.100.2/24 dev veth1
sudo ip netns exec isolated ip link set veth1 upBest Practices Summary
- Use NetworkManager: It’s the modern, supported method for network configuration
- Document Your Configuration: Keep records of network settings and changes
- Test Before Production: Always test network changes in a non-production environment
- Enable Monitoring: Set up network monitoring to detect issues early
- Regular Updates: Keep your system and NetworkManager updated
- Security First: Implement firewall rules and network hardening
- Backup Configurations: Keep backups of working network configurations
- Use Meaningful Names: Give connections descriptive names for easy management
- Automate Where Possible: Use scripts for repetitive network tasks
- Monitor Performance: Regularly check network performance metrics
Conclusion
Proper network configuration is crucial for Rocky Linux systems. By following these best practices, you can ensure reliable, secure, and high-performance networking. Remember to:
- Always test changes before applying to production
- Keep security as a top priority
- Document your network architecture
- Monitor network performance and health
- Stay updated with the latest networking features and security patches
Whether you’re managing a single server or a complex network infrastructure, these practices will help you maintain robust network connectivity on Rocky Linux.
