Install specific skill from multi-skill repository:

```bash
npx skills add netsapiensis/claude-code-skills --skill "rocky-networking"
```
# Description
Rocky Linux 8/9 networking including firewalld zones/services/rich rules, nmcli connection management, bonding, VLANs, static routes, DNS, and port forwarding. Use when configuring network interfaces, firewall rules, bonds, VLANs, or troubleshooting connectivity.
# SKILL.md
---
name: rocky-networking
description: Rocky Linux 8/9 networking including firewalld zones/services/rich rules, nmcli connection management, bonding, VLANs, static routes, DNS, and port forwarding. Use when configuring network interfaces, firewall rules, bonds, VLANs, or troubleshooting connectivity.
---
# Rocky Linux Networking

firewalld, NetworkManager (nmcli), bonding, VLANs, routing, and DNS for Rocky Linux 8/9.

Prerequisite: See rocky-foundation for OS detection and safety tier definitions.
## Network Inspection

```bash
# IP addresses # [READ-ONLY]
ip addr show
ip -4 addr show                     # IPv4 only
ip -6 addr show                     # IPv6 only

# Routing table # [READ-ONLY]
ip route show
ip -6 route show

# DNS resolution # [READ-ONLY]
cat /etc/resolv.conf
resolvectl status                   # systemd-resolved (if active)
nmcli dev show | grep DNS

# Open ports/connections # [READ-ONLY]
ss -tlnp                            # TCP listening sockets with owning process
ss -ulnp                            # UDP listening sockets with owning process
ss -s                               # Summary statistics

# Interface status # [READ-ONLY]
nmcli device status
nmcli connection show
nmcli connection show "System eth0" # Detailed connection info
ethtool eth0                        # Link status and speed
```
## Version Differences: Networking

| Feature | Rocky 8 | Rocky 9 |
|---|---|---|
| NM connection format | ifcfg (default) | key-file (default) |
| Config location | /etc/sysconfig/network-scripts/ | /etc/NetworkManager/system-connections/ |
| firewalld backend | nftables (iptables commands provided by iptables-nft) | nftables (iptables-nft deprecated) |
| network-scripts | Available (deprecated package) | Removed |
| ifup/ifdown | Available | Use nmcli instead |
## NetworkManager (nmcli)

### Connection Management
```bash
# List connections # [READ-ONLY]
nmcli connection show
nmcli connection show --active
nmcli -t -f NAME,UUID,TYPE,DEVICE connection show   # Terse output

# Show connection details # [READ-ONLY]
nmcli connection show "System eth0"

# Create static IP connection # [CONFIRM]
nmcli connection add type ethernet \
  con-name "eth0-static" \
  ifname eth0 \
  ipv4.addresses "192.168.1.100/24" \
  ipv4.gateway "192.168.1.1" \
  ipv4.dns "8.8.8.8,8.8.4.4" \
  ipv4.method manual

# Create DHCP connection # [CONFIRM]
nmcli connection add type ethernet \
  con-name "eth0-dhcp" \
  ifname eth0 \
  ipv4.method auto

# Modify existing connection # [CONFIRM]
nmcli connection modify "System eth0" ipv4.dns "1.1.1.1,8.8.8.8"
nmcli connection modify "System eth0" ipv4.addresses "10.0.0.50/24"
nmcli connection modify "System eth0" +ipv4.addresses "10.0.0.51/24"   # Add secondary IP

# Apply changes (modify only edits the profile; re-activation applies it) # [CONFIRM]
nmcli connection up "System eth0"

# Delete connection # [CONFIRM]
nmcli connection delete "old-connection"
```
WRONG -- editing ifcfg files on Rocky 9:

```bash
# WRONG on Rocky 9: ifcfg files are deprecated, and NetworkManager does not
# pick up hand edits to any profile file until `nmcli connection reload`
vim /etc/sysconfig/network-scripts/ifcfg-eth0

# CORRECT: Use nmcli (works on both Rocky 8 and 9)
nmcli connection modify "System eth0" ipv4.addresses "10.0.0.50/24"
nmcli connection up "System eth0"
```
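Changing the address of the interface you are logged in over is the classic way to lose a remote box. The script below is an added example, not part of this skill: it validates a static IPv4 plan before anything calls nmcli (four octets in range, a real "/prefix", gateway and address both usable hosts inside that prefix rather than the network or broadcast address), prints the resulting nmcli commands, and shows how to pair `nmcli connection up` with a one-shot systemd-run timer that re-activates the previous profile unless you cancel it. Connection names, interface, addresses and the unit name `nm-rollback` are assumptions; the demo at the bottom only prints commands and does not touch the host.

```shell
#!/bin/sh
# Added example (not part of the skill): sanity-check a static IPv4 plan before
# handing it to nmcli, and apply it with a timed rollback so a typo on a remote
# host cannot lock you out. Names and addresses below are assumptions.
set -eu

# Dotted quad -> 32-bit integer. Fails on anything that is not four octets in
# 0-255; leading zeros are rejected so "08" is never misread as octal.
ip2int() {
  case $1 in
    *[!0-9.]* | .* | *. | *..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in
      0 | [1-9] | [1-9][0-9] | 1[0-9][0-9] | 2[0-4][0-9] | 25[0-5]) ;;
      *) return 1 ;;
    esac
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when host $1 lies inside $2 (addr/prefix) and is neither the network
# nor the broadcast address. /31 and /32 are rejected: no room for a gateway.
usable_host_in() {
  ip=$(ip2int "$1") || return 1
  net=${2%/*}
  prefix=${2#*/}
  [ "$prefix" != "$2" ] || return 1                 # no "/prefix" given
  case $prefix in '' | *[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge 1 ] && [ "$prefix" -le 30 ] || return 1
  netn=$(ip2int "$net") || return 1
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  network=$(( netn & mask ))
  broadcast=$(( network | (~mask & 0xFFFFFFFF) ))
  [ $(( ip & mask )) -eq "$network" ] || return 1
  [ "$ip" -ne "$network" ] && [ "$ip" -ne "$broadcast" ]
}

# Print the nmcli commands for a validated static profile. A bad plan is
# rejected here, before anything is applied to the host.
plan_static() {   # usage: plan_static con-name ifname addr/prefix gateway "dns1 dns2"
  usable_host_in "${3%/*}" "$3" || { echo "bad address: $3" >&2; return 1; }
  usable_host_in "$4" "$3" || { echo "gateway $4 is not a usable host in $3" >&2; return 1; }
  printf 'nmcli connection add type ethernet con-name "%s" ifname "%s" \\\n' "$1" "$2"
  printf '  ipv4.method manual ipv4.addresses "%s" ipv4.gateway "%s" ipv4.dns "%s"\n' "$3" "$4" "$5"
  printf 'nmcli connection up "%s"\n' "$1"
}

# Activate the new profile, but first arm a transient systemd timer that
# re-activates the previous profile after 5 minutes. Once you have confirmed
# you can still log in, cancel it. Needs root and a running NetworkManager.
apply_with_rollback() {   # usage: apply_with_rollback new-con-name old-con-name
  systemd-run --unit=nm-rollback --on-active=300 nmcli connection up "$2"
  nmcli connection up "$1"
  echo "Still reachable? Cancel the rollback with: systemctl stop nm-rollback.timer"
}

# Demo on constructed values; nothing is applied.
plan_static eth0-static eth0 192.168.1.100/24 192.168.1.1 "1.1.1.1 9.9.9.9"
plan_static eth0-static eth0 192.168.1.100/24 192.168.2.1 "1.1.1.1" \
  || echo "plan rejected, nothing applied"
```

Run the printed commands by hand, or wrap them in `apply_with_rollback eth0-static "System eth0"` when working over SSH; the timer is the safety net, the validation is what keeps a fat-fingered prefix from ever reaching nmcli.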
### Static Routes

```bash
# Add static route # [CONFIRM]
nmcli connection modify "System eth0" +ipv4.routes "10.10.0.0/16 192.168.1.254"
nmcli connection up "System eth0"

# Add route with metric # [CONFIRM]
nmcli connection modify "System eth0" +ipv4.routes "10.10.0.0/16 192.168.1.254 100"
nmcli connection up "System eth0"

# Remove static route # [CONFIRM]
nmcli connection modify "System eth0" -ipv4.routes "10.10.0.0/16 192.168.1.254"
nmcli connection up "System eth0"

# Temporary route (lost on reboot and on connection re-activation) # [CONFIRM]
ip route add 10.10.0.0/16 via 192.168.1.254

# View routes # [READ-ONLY]
ip route show
nmcli connection show "System eth0" | grep route
```
### DNS Configuration

```bash
# Set DNS servers # [CONFIRM]
nmcli connection modify "System eth0" ipv4.dns "1.1.1.1 8.8.8.8"
nmcli connection modify "System eth0" ipv4.dns-search "example.com"

# Prevent DHCP-supplied servers from being added alongside the static ones # [CONFIRM]
nmcli connection modify "System eth0" ipv4.ignore-auto-dns yes

# Apply: profile edits take effect only when the connection is re-activated # [CONFIRM]
nmcli connection up "System eth0"

# Test DNS resolution # [READ-ONLY]
dig example.com
nslookup example.com
host example.com
```
## Bonding (Link Aggregation)

### Create Bond

```bash
# Create bond interface # [CONFIRM]
nmcli connection add type bond \
  con-name bond0 \
  ifname bond0 \
  bond.options "mode=802.3ad,miimon=100,lacp_rate=fast"

# Add slave interfaces # [CONFIRM]
nmcli connection add type ethernet \
  con-name bond0-slave1 \
  ifname eth0 \
  master bond0
nmcli connection add type ethernet \
  con-name bond0-slave2 \
  ifname eth1 \
  master bond0

# Configure IP on bond # [CONFIRM]
nmcli connection modify bond0 \
  ipv4.addresses "10.0.0.100/24" \
  ipv4.gateway "10.0.0.1" \
  ipv4.method manual

# Activate # [CONFIRM]
nmcli connection up bond0
nmcli connection up bond0-slave1
nmcli connection up bond0-slave2
```
### Bond Modes
| Mode | Name | Use Case |
|---|---|---|
| 0 | balance-rr | Round-robin (requires switch support) |
| 1 | active-backup | Failover only (no switch config needed) |
| 2 | balance-xor | Load balance by MAC |
| 4 | 802.3ad | LACP (requires switch support) |
| 5 | balance-tlb | Adaptive TX load balance |
| 6 | balance-alb | Adaptive load balance |
Most common: mode=active-backup (no switch config) or mode=802.3ad (with LACP switch support).
### Monitor Bond

```bash
# Bond status # [READ-ONLY]
cat /proc/net/bonding/bond0
nmcli connection show bond0
```
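`cat /proc/net/bonding/bond0` is fine for a human, but a bond that has quietly dropped to one link, or an 802.3ad bond whose switch ports were never configured for LACP, looks "up" to anything that only checks the bond interface. The following is an added example, not part of this skill: an awk-based `bond_check` that reads the kernel's bonding status file, reports mode, LACP partner and each port's MII status, and exits non-zero when any port is down or when the negotiated partner MAC is all zeros (no LACP peer). The two status files it runs on are constructed to mimic the kernel's format; the MAC addresses and interface names in them are made up.

```shell
#!/bin/sh
# Added example (not part of the skill): turn /proc/net/bonding/bond0 into a
# pass/fail check for cron or a monitoring agent. Sample files are constructed.
set -eu

# Report bond mode, LACP partner and every port's MII status.
# Exit 1 if any port is down or, in 802.3ad mode, no LACP partner has been
# negotiated (partner MAC 00:00:00:00:00:00 means the switch side is not
# running LACP, so the bond carries traffic on one link at best).
bond_check() {   # usage: bond_check /proc/net/bonding/bond0
  awk '
    /^Bonding Mode:/           { sub(/^Bonding Mode: */, ""); mode = $0 }
    /^Currently Active Slave:/ { active = $NF }
    /Partner Mac Address:/     { partner = $NF }
    /^Slave Interface:/        { slave = $NF; n++; order[n] = slave }
    /^MII Status:/             { if (slave == "") bond_mii = $NF; else mii[slave] = $NF }
    /^Link Failure Count:/     { if (slave != "") failures[slave] = $NF }
    END {
      bad = 0
      printf "bond: mode=\"%s\" mii=%s", mode, bond_mii
      if (active != "") printf " active=%s", active
      printf "\n"
      if (mode ~ /802\.3ad/) {
        printf "lacp: partner=%s\n", partner
        if (partner == "" || partner == "00:00:00:00:00:00") {
          print "FAIL: no LACP partner negotiated"; bad = 1
        }
      }
      for (i = 1; i <= n; i++) {
        s = order[i]
        printf "port: %s mii=%s failures=%s\n", s, mii[s], failures[s]
        if (mii[s] != "up") { printf "FAIL: %s link down\n", s; bad = 1 }
      }
      exit bad
    }' "$1"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample: healthy LACP bond, both ports up, partner negotiated.
cat > "$SAMPLE_DIR/bond0.healthy" <<'EOF'
Ethernet Channel Bonding Driver: (constructed sample)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2 (0)
MII Status: up
MII Polling Interval (ms): 100

802.3ad info
LACP active: on
LACP rate: fast
Active Aggregator Info:
        Aggregator ID: 1
        Number of ports: 2
        Partner Mac Address: 00:11:22:33:44:55

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Aggregator ID: 1

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Aggregator ID: 1
EOF

# Constructed sample: eth1 down and the switch not speaking LACP.
cat > "$SAMPLE_DIR/bond0.degraded" <<'EOF'
Ethernet Channel Bonding Driver: (constructed sample)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2 (0)
MII Status: up
MII Polling Interval (ms): 100

802.3ad info
LACP active: on
LACP rate: fast
Active Aggregator Info:
        Aggregator ID: 1
        Number of ports: 1
        Partner Mac Address: 00:00:00:00:00:00

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Aggregator ID: 1

Slave Interface: eth1
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Aggregator ID: 2
EOF

bond_check "$SAMPLE_DIR/bond0.healthy"
bond_check "$SAMPLE_DIR/bond0.degraded" || echo "=> bond0 degraded"
```

On a live host drop the samples and call `bond_check /proc/net/bonding/bond0`; the exit status is what your monitoring should alert on, and the "port:" lines tell you which cable or switch port to look at.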
## VLANs

```bash
# Create VLAN interface # [CONFIRM]
nmcli connection add type vlan \
  con-name vlan100 \
  ifname eth0.100 \
  dev eth0 \
  id 100 \
  ipv4.addresses "10.100.0.10/24" \
  ipv4.method manual

# VLAN on bond # [CONFIRM]
nmcli connection add type vlan \
  con-name bond0-vlan200 \
  ifname bond0.200 \
  dev bond0 \
  id 200 \
  ipv4.addresses "10.200.0.10/24" \
  ipv4.method manual

# Activate VLANs (the parent eth0/bond0 connection must already be up) # [CONFIRM]
nmcli connection up vlan100
nmcli connection up bond0-vlan200

# Verify # [READ-ONLY]
ip -d link show eth0.100
cat /proc/net/vlan/eth0.100
```
## Firewall Management (firewalld)

### Basic Operations

```bash
# Status # [READ-ONLY]
firewall-cmd --state
systemctl status firewalld

# List current rules # [READ-ONLY]
firewall-cmd --list-all                 # Default zone
firewall-cmd --list-all --zone=public   # Specific zone
firewall-cmd --list-all-zones           # All zones
firewall-cmd --get-active-zones

# List available services # [READ-ONLY]
firewall-cmd --get-services
firewall-cmd --info-service=http
```
### Managing Services and Ports

```bash
# Add a service (runtime only) # [CONFIRM]
firewall-cmd --add-service=http

# Add a service (permanent) # [CONFIRM]
firewall-cmd --add-service=https --permanent
firewall-cmd --reload                   # Apply permanent changes

# Or apply at runtime now and persist the same change # [CONFIRM]
firewall-cmd --add-service=https --permanent
firewall-cmd --add-service=https        # Also apply at runtime, no reload needed
# (firewall-cmd --runtime-to-permanent saves all current runtime changes at once)

# Remove a service # [CONFIRM]
firewall-cmd --remove-service=http --permanent
firewall-cmd --reload

# Add a port # [CONFIRM]
firewall-cmd --add-port=8080/tcp --permanent
firewall-cmd --reload

# Add port range # [CONFIRM]
firewall-cmd --add-port=9200-9300/tcp --permanent
firewall-cmd --reload

# Remove a port # [CONFIRM]
firewall-cmd --remove-port=8080/tcp --permanent
firewall-cmd --reload
```
WRONG -- forgetting --permanent:

```bash
# WRONG: Runtime-only change, lost on firewalld restart or reload
firewall-cmd --add-service=https
# This works now but disappears after --reload, which replaces the runtime
# configuration with the permanent one.

# CORRECT: Always use --permanent and reload (or apply both runtime and permanent)
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
```
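The failure mode above is silent until the next reload or reboot, so it is worth checking for. The script below is an added example, not part of this skill: `fw_drift` takes the text of `firewall-cmd --list-all` and `firewall-cmd --permanent --list-all`, and prints every service and port that exists only at runtime, returning 1 when it finds any. The two dumps it is demonstrated on are constructed to mimic `--list-all` output for a `public` zone; `fw_drift_live` is the wrapper you would run as root on a real host. It only compares the `services:` and `ports:` lines; rich rules and forward-ports span several lines and are not covered.

```shell
#!/bin/sh
# Added example (not part of the skill): detect firewalld runtime/permanent
# drift, i.e. rules added without --permanent that the next --reload or reboot
# will silently drop. The sample dumps below are constructed.
set -eu

# Print the values of one "<key>:" line of --list-all output, one per line.
fw_field() {   # usage: fw_field services   (list-all text on stdin)
  awk -v key="$1:" '$1 == key { for (i = 2; i <= NF; i++) print $i }'
}

# Compare two --list-all dumps (runtime, permanent). Prints each service or
# port present only at runtime; returns 1 if there is any, 0 otherwise.
fw_drift() {   # usage: fw_drift "$runtime_dump" "$permanent_dump"
  found=0
  for kind in services ports; do
    permanent_items=$(printf '%s\n' "$2" | fw_field "$kind")
    for item in $(printf '%s\n' "$1" | fw_field "$kind"); do
      if ! printf '%s\n' "$permanent_items" | grep -qxF -- "$item"; then
        printf 'runtime-only %s: %s\n' "$kind" "$item"
        found=1
      fi
    done
  done
  [ "$found" -eq 0 ]
}

# Live check for one zone (the default zone when no argument is given); needs root.
fw_drift_live() {   # usage: fw_drift_live [zone]
  zone_arg=${1:+--zone=$1}
  fw_drift "$(firewall-cmd $zone_arg --list-all)" \
           "$(firewall-cmd $zone_arg --permanent --list-all)"
}

# Constructed sample: runtime has http and 8080/tcp that were never persisted.
SAMPLE_RUNTIME='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports: 8080/tcp 9200-9300/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed sample: what --permanent --list-all shows for the same zone.
SAMPLE_PERMANENT='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client https ssh
  ports: 9200-9300/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

fw_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" \
  || echo "=> re-add the items above with --permanent, or run: firewall-cmd --runtime-to-permanent"
```

Run `fw_drift_live` (or `fw_drift_live internal` for another zone) after any change window, or from a nightly job whose non-zero exit pages someone; both remedies printed by the demo are equally valid, the second persisting every runtime change rather than only the ones listed.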
### Zones

```bash
# List zones # [READ-ONLY]
firewall-cmd --get-zones
firewall-cmd --get-default-zone

# Set default zone # [CONFIRM]
firewall-cmd --set-default-zone=internal

# Assign interface to zone # [CONFIRM]
# For NetworkManager-managed interfaces firewalld records the zone in the
# connection profile (connection.zone), so `nmcli connection show` reflects it too.
firewall-cmd --zone=internal --change-interface=eth1 --permanent
firewall-cmd --reload

# Create custom zone # [CONFIRM]
firewall-cmd --permanent --new-zone=appservers
firewall-cmd --reload
firewall-cmd --zone=appservers --add-service=http --permanent
firewall-cmd --zone=appservers --add-service=https --permanent
firewall-cmd --reload
```
### Common Zone Purposes

| Zone | Default Behavior |
|---|---|
| drop | Drop all incoming, no reply |
| block | Reject all incoming with icmp-host-prohibited |
| public | Default zone. Only selected services allowed |
| external | NAT masquerading. For external-facing networks |
| internal | More trusted. More services than public |
| trusted | All traffic accepted |
### Rich Rules

For complex firewall rules beyond simple service/port. Rich rules belong to a zone (the default zone unless --zone is given); within a zone firewalld evaluates log rules first, then drop/reject rules, then accept rules, so a reject or drop wins over an accept for the same traffic.

```bash
# Allow specific source IP to a port # [CONFIRM]
firewall-cmd --permanent --add-rich-rule='
  rule family="ipv4"
  source address="10.0.0.0/8"
  port protocol="tcp" port="9200"
  accept'
firewall-cmd --reload

# Rate limit SSH connections # [CONFIRM]
firewall-cmd --permanent --add-rich-rule='
  rule family="ipv4"
  service name="ssh"
  accept limit value="10/m"'
firewall-cmd --reload

# Reject specific source # [CONFIRM]
firewall-cmd --permanent --add-rich-rule='
  rule family="ipv4"
  source address="192.168.1.100"
  reject'
firewall-cmd --reload

# Log and accept # [CONFIRM]
firewall-cmd --permanent --add-rich-rule='
  rule family="ipv4"
  source address="10.0.0.0/8"
  port protocol="tcp" port="22"
  log prefix="SSH-ACCESS: " level="info"
  accept'
firewall-cmd --reload

# List rich rules # [READ-ONLY]
firewall-cmd --list-rich-rules
firewall-cmd --zone=public --list-rich-rules

# Remove rich rule (the text must match the stored rule exactly; copy it from --list-rich-rules) # [CONFIRM]
firewall-cmd --permanent --remove-rich-rule='<exact rule text>'
firewall-cmd --reload
```
### Port Forwarding

```bash
# Forward port 80 to an internal host # [CONFIRM]
firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.0.0.50
firewall-cmd --reload

# Enable masquerading (required when forwarding to a different host; firewalld
# also turns on IP forwarding when masquerade is enabled in a zone) # [CONFIRM]
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

# Redirect to a different port on this host (no masquerade needed) # [CONFIRM]
firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8080
firewall-cmd --reload

# List forwarded ports (forward-ports are zone-scoped, like everything above) # [READ-ONLY]
firewall-cmd --list-forward-ports
```
### IP Sets

```bash
# Create IP set # [CONFIRM]
firewall-cmd --permanent --new-ipset=blocklist --type=hash:ip
firewall-cmd --reload

# Add IPs to set # [CONFIRM]
firewall-cmd --permanent --ipset=blocklist --add-entry=192.168.1.100
firewall-cmd --permanent --ipset=blocklist --add-entry=10.0.0.50
firewall-cmd --reload

# Use IP set in rich rule (a drop rule is evaluated before the zone's accept
# rules, so listed sources are blocked even for allowed services) # [CONFIRM]
firewall-cmd --permanent --add-rich-rule='
  rule family="ipv4"
  source ipset="blocklist"
  drop'
firewall-cmd --reload

# List IP set entries # [READ-ONLY]
firewall-cmd --ipset=blocklist --get-entries
```
### Custom Services

```bash
# Create custom service (stored as /etc/firewalld/services/myapp.xml) # [CONFIRM]
firewall-cmd --permanent --new-service=myapp
firewall-cmd --permanent --service=myapp --set-description="My Application"
firewall-cmd --permanent --service=myapp --add-port=8080/tcp
firewall-cmd --permanent --service=myapp --add-port=8443/tcp
firewall-cmd --reload

# Use custom service # [CONFIRM]
# Opening the firewall is not enough for a daemon on a non-standard port if
# SELinux is enforcing; see rocky-selinux for labeling the port.
firewall-cmd --add-service=myapp --permanent
firewall-cmd --reload
```
## Network Troubleshooting

```bash
# Connectivity tests # [READ-ONLY]
ping -c 4 8.8.8.8
ping -c 4 -6 2001:4860:4860::8888
traceroute 8.8.8.8
mtr --report 8.8.8.8

# DNS troubleshooting # [READ-ONLY]
dig example.com
dig @8.8.8.8 example.com            # Query a specific server
dig example.com +short
nslookup example.com

# Port connectivity # [READ-ONLY]
ss -tlnp | grep :80                 # Is anything listening locally?
nc -zv remote-host 443              # Can we reach a remote port?
curl -v https://example.com 2>&1 | head -20

# Packet capture # [READ-ONLY]
tcpdump -i eth0 -n port 80 -c 20
tcpdump -i eth0 -n host 10.0.0.50

# Network statistics # [READ-ONLY]
ip -s link show eth0
nstat
```
## Kernel Network Parameters

```bash
# View current settings # [READ-ONLY]
sysctl net.ipv4.ip_forward
sysctl -a | grep net.ipv4

# Enable IP forwarding # [CONFIRM]
# Temporary (lost on reboot):
sysctl -w net.ipv4.ip_forward=1
# Permanent: put the setting in /etc/sysctl.d/99-network.conf
# (the 99- prefix makes it override vendor defaults shipped in /usr/lib/sysctl.d/):
# net.ipv4.ip_forward = 1

# Apply sysctl changes from one file, or all drop-ins with `sysctl --system` # [CONFIRM]
sysctl -p /etc/sysctl.d/99-network.conf
```
## Checklist: New Server Network Setup

- [ ] Verify interface names (`nmcli device status`)
- [ ] Configure static IP or DHCP (`nmcli connection modify`)
- [ ] Set DNS servers
- [ ] Set hostname (`hostnamectl set-hostname`)
- [ ] Configure firewalld default zone
- [ ] Open required service ports
- [ ] Add static routes if needed
- [ ] Test connectivity (`ping`, `dig`, `curl`)
- [ ] Test firewall rules from an external host
## When to Use This Skill
- Configuring IP addresses, DNS, or routes
- Setting up firewall rules (firewalld)
- Creating network bonds or VLANs
- Port forwarding or NAT
- Troubleshooting connectivity or DNS issues
- Migrating from ifcfg to key-file format (Rocky 8 -> 9)
## Related Skills
- rocky-foundation -- OS detection (network config format differs by version)
- rocky-selinux -- SELinux port labeling for non-standard ports
- rocky-security-hardening -- SSH hardening, fail2ban
- rocky-webstack -- Web server and reverse proxy networking
- rocky-opensearch -- OpenSearch cluster network ports
# Supported AI Coding Agents

This skill is compatible with the SKILL.md standard and works with all major AI coding agents.