Show Menu
Cheatography

iproute2 Cheat Sheet by

iproute2 is the Linux networking toolkit that replaced net-tools in the early 2000's. Based on the work of Daniil Baturin (daniil at baturin dot org) under license CC-BY-SA.

Address management

In this section ${address} value should be a host address in dotted decimal format, and ${mask} can be either a dotted decimal subnet mask or a prefix length. That is, both 192.0.2.10/24 and 192.0.2.1­0/2­55.2­55.255.0 are equally accept­able.
Show all addresses
ip address show
All "­sho­w" commands can be used with "­-4" or "­-6" options to show only IPv4 or IPv6 addresses.
Show addresses for a single interface
ip address show ${inte­rface name}
ip address show eth0
Show addresses only for running interfaces
ip address show up
Show only statically configured addresses
ip address show [dev ${inte­rface}] permanent
Show only addresses learnt via autoco­nfi­gur­ation
ip address show [dev ${inte­rface}] dynamic
Add an address to an interface
ip address add ${addr­ess­}/$­{mask} dev ${inte­rface name}
ip address add 192.0.2.10/27 dev eth0
ip address add 2001:d­b8:­1::/48 dev tun10
You can add as many addresses as you want. The first address will be primary and will be used as source address by default.
Add an address with human-­rea­dable descri­ption
ip address add ${addr­ess­}/$­{mask} dev ${inte­rface name} label ${inte­rface name}:­${d­esc­rip­tion}
ip address add 192.0.2.1/24 dev eth0 label eth0:m­y_w­an_­address
Interface name with a colon before label is required, some backwards compat­ibility issue.
Delete an address
ip address delete ${addr­ess­}/$­{pr­efix} dev ${inte­rface name}
ip address delete 192.0.2.1/24 dev eth0
Interface name argument is required. Linux does allow to use the same address on multiple interfaces and it has valid use cases.
Remove all addresses from an interface
ip address flush dev ${inte­rface name}
ip address flush dev eth1
Metasy­ntactic variables are written in shell-­style syntax, ${some­thing}. Optional command parts are in square brackets. Note that there is no way to rearrange addresses and replace the primary address. Make sure you set the primary address first.

Route management

View all routes
ip route
ip route show
View IPv6 routes
ip -6 route
View routes to a network and all its subnets
ip route show to root ${addr­ess­}/$­{mask}
ip route show to root 192.16­8.0.0/24
View routes to a network and all supernets
ip route show to match ${addr­ess­}/$­{mask}
ip route show to match 192.16­8.0.0/24
View routes to exact subnet
ip route show to exact ${addr­ess­}/$­{mask}
ip route show to exact 192.16­8.0.0/24
View only the route actually used by the kernel
ip route get ${addr­ess­}/$­{mask}
ip route get 192.16­8.0.0/24
Note that in complex routing scenarios like multipath routing, the result may be "­correct but not comple­te", as it always shows one route that will be used first.
View route cache (pre 3.6 kernels only)
ip route show cached
Until the version 3.6, Linux used route caching. In older kernels, this command displays the contents of the route cache. It can be used with modifiers described above. In newer kernels it does nothing.
Add a route via gateway
ip route add ${addr­ess­}/$­{mask} via ${next hop}
ip route add 192.0.2.1­28/25 via 192.0.2.1
ip route add 2001:d­b8:­1::/48 via 2001:d­b8:1::1
Add a route via interface
ip route add ${addr­ess­}/$­{mask} dev ${inte­rface name}
ip route add 192.0.2.0/25 dev ppp0
Interface routes are commonly used with point-­to-­point interfaces like PPP tunnels where next hop address is not required.
Change or replace a route
ip route change 192.16­8.2.0/24 via 10.0.0.1
ip route replace 192.0.2.1/27 dev tun0
Delete a route
ip route delete ${rest of the route statement}
ip route delete 10.0.1.0/25 via 10.0.0.1
ip route delete default dev ppp0
Default route
ip route add default via ${addr­ess­}/$­{mask}
ip route add default dev ${inte­rface name}
ip -6 route add default via 2001:d­b8::1
Blackhole routes
ip route add blackhole ${addr­ess­}/$­{mask}
ip route add blackhole 192.0.2.1/32
Traffic to destin­ations that match a blackhole route is silently discarded.
Other special routes : unreac­hable
ip route add unreac­hable ${addr­ess­}/$­{mask}
 
Sends ICMP "host unreac­hab­le". These routes make the system discard packets and reply with an ICMP error message to the sender.
Other special routes : prohibit
ip route add prohibit ${addr­ess­}/$­{mask}
 
Sends ICMP "­adm­ini­str­atively prohib­ite­d".
Other special routes : throw
ip route add throw ${addr­ess­}/$­{mask}
 
Sends "net unreac­hab­le".
Routes with different metric
ip route add ${addr­ess­}/$­{mask} via ${gateway} metric ${number}
ip route add 192.16­8.2.0/24 via 10.0.1.1 metric 5
ip route add 192.16­8.2.0 dev ppp0 metric 10
Multipath routing
ip route add ${addr­ess­s}/­${mask} nexthop via ${gateway 1} weight ${number} nexthop via ${gateway 2} weight ${number}
ip route add default nexthop via 192.16­8.1.1 weight 1 nexthop dev ppp0 weight 10
As per the section below, if you set up a static route, and it becomes useless because the interface goes down, it will be removed and never get back on its own. You may not have noticed this behaviour because in many cases additional software (e.g. Networ­kMa­nager or rp-pppoe) takes care of restoring routes associated with interf­aces.

Link management

Show inform­ation about all links
ip link show
ip link list
Show inform­ation about specific link
ip link show dev ${inte­rface name}
ip link show dev eth0
ip link show dev tun10
Bring a link up or down
ip link set dev ${inte­rface name} [up | down]
ip link set dev eth0 down
ip link set dev br0 up
Set human-­rea­dable link descri­ption
ip link set dev ${inte­rface name} alias "­${d­esc­rip­tio­n}"
ip link set dev eth0 alias "LAN interf­ace­"
Rename an interface
ip link set dev ${old interface name} name ${new interface name}
ip link set dev eth0 name lan
Note that you can't rename an active interface. You need to bring it down before doing it.
Change link layer address (usually MAC address)
ip link set dev ${inte­rface name} address ${address}
ip link set dev eth0 address 22:ce:­e0:­99:­63:6f
Change link MTU
ip link set dev ${inte­rface name} mtu ${MTU value}
ip link set dev tun0 mtu 1480
Delete a link
ip link delete dev ${inte­rface name}
Enable or disable multicast on an interface
ip link set ${inte­rface name} multicast on
ip link set ${inte­rface name} multicast off
Enable or disable ARP on an interface
ip link set ${inte­rface name} arp on
ip link set ${inte­rface name} arp off
Create a VLAN interface
ip link add name ${VLAN interface name} link ${parent interface name} type vlan id ${tag}
ip link add name eth0.110 link eth0 type vlan id 110
The only type of VLAN supported in Linux is IEEE 802.1q VLAN, legacy implem­ent­ations like ISL are not supported.
Create a QinQ interface (VLAN stacking)
ip link add name ${service interface} link ${physical interface} type vlan proto 802.1ad id ${service tag}
 
ip link add name ${client interface} link ${service interface} type vlan proto 802.1q id ${client tag}
 
ip link add name eth0.100 link eth0 type vlan proto 802.1ad id 100
 
Create service tag interface
 
ip link add name eth0.1­00.200 link eth0.100 type vlan proto 802.1q id 200
 
Create client tag interface
Create pseudo­-et­hernet (aka macvlan) interface
ip link add name ${macvlan interface name} link ${parent interface} type macvlan
ip link add name peth0 link eth0 type macvlan
Create a dummy interface
ip link add name ${dummy interface name} type dummy
ip link add name dummy0 type dummy
Create a bridge interface
ip link add name ${bridge name} type bridge
ip link add name br0 type bridge
Add an interface to bridge
ip link set dev ${inte­rface name} master ${bridge name}
ip link set dev eth0 master br0
Remove interface from bridge
ip link set dev ${inte­rface name} nomaster
ip link set dev eth0 nomaster
Create a bonding interface
ip link add name ${name} type bond
ip link add name bond1 type bond
This is not enough to configure bonding (link aggreg­ation) in any meaningful way. You need to set up bonding parameters according to your situation.
Create an interm­ediate functional block interface
ip link add ${inte­rface name} type ifb
ip link add ifb10 type ifb
Interm­ediate functional block devices are used for traffic redire­ction and mirroring in conjun­ction with tc.
Create a pair of virtual ethernet devices
ip link add name ${first device name} type veth peer name ${second device name}
ip link add name veth-host type veth peer name veth-guest
Virtual ethernet devices are created in UP state, no need to bring them up manually after creation.
Note that interface name you set with "name ${name­}" parameter of "ip link add" and "ip link set" commands may be arbitrary, and even contain unicode charac­ters. It's better however to stick with ASCII because other programs may not handle unicode correctly. Also it's better to use a consistent convention for link names, and use link aliases to provide human descri­ptions.

Link group management

Add an interface to a group
ip link set dev ${inte­rface name} group ${group number}
ip link set dev eth0 group 42
ip link set dev eth1 group 42
Remove an interface from a group
ip link set dev ${inte­rface name} group 0
ip link set dev ${inte­rface} group default
ip link set dev tun10 group 0
Assign a symbolic name to a group
echo "10 custom­er-­vla­ns" >> /etc/i­pro­ute­2/group
Once you configured a group name, number and name can be used interc­han­geably in ip commands.
ip link set dev eth0.100 group custom­er-­vlans
Perform an operation on a group
ip link set group ${group number} ${oper­ation and arguments}
ip link set group 42 down
ip link set group uplinks mtu 1200
View inform­ation about links from specific group
ip link list group 42
ip address show group customers
Link groups are similar to port ranges found in managed switches. You can add network interfaces to a numbered group and perform operations on all the interfaces from that group at once.

Links not assigned to any group belong to group 0 aka "­def­aul­t".

Tun and Tap devices

Add an tun/tap device useable by root
ip tuntap add dev ${inte­rface name} mode ${mode}
ip tuntap add dev tun0 mode tun
ip tuntap add dev tap9 mode tap
Tap sends and receives raw Ethernet frames.
 
Tun sends and receives raw IP packets.
Add an tun/tap device usable by an ordinary user
ip tuntap add dev ${inte­rface name} mode ${mode} user ${user} group ${group}
ip tuntap add dev tun1 mode tun user me group mygroup
ip tuntap add dev tun2 mode tun user 1000 group 1001
Add an tun/tap device using an alternate packet format
ip tuntap add dev ${inte­rface name} mode ${mode} pi
ip tuntap add dev tun1 mode tun pi
Add an tun/tap ignoring flow control
ip tuntap add dev ${inte­rface name} mode ${mode} one_queue
ip tuntap add dev tun1 mode tun one_queue
Delete tun/tap device
ip tuntap del dev ${inte­rface name}
ip tuntap del dev tun0 name}
Tun and tap devices allow userspace programs to emulate a network device. When the userspace program opens them they get a file descri­ptor. Packets routed by the kernel networking stack to the device are read from the file descri­ptor, data the userspace program writes to the file descriptor are injected as local outgoing packets into the networking stack.

Neighbor (ARP and NDP) tables management

View neighbor tables
ip neighbor show
View neighbors for single interface
ip neighbor show dev ${inte­rface name}
ip neighbor show dev eth0
Flush table for an interface
ip neighbor flush dev ${inte­rface name}
ip neighbor flush dev eth1
Add a neighbor table entry
ip neighbor add ${network address} lladdr ${link layer address} dev ${inte­rface name}
ip neighbor add 192.0.2.1 lladdr 22:ce:­e0:­99:­63:6f dev eth0
Delete a neighbor table entry
ip neighbor delete ${network address} lladdr ${link layer address} dev ${inte­rface name}
ip neighbor delete 192.0.2.1 lladdr 22:ce:­e0:­99:­63:6f dev eth0
For ladies and gentlemen who prefer UK spelling, this command family supports "­nei­ghb­our­" spelling too.

Tunnel management

Create an IPIP tunnel
ip tunnel add ${inte­rface name} mode ipip local ${local endpoint address} remote ${remote endpoint address}
Create a SIT tunnel
sudo ip tunnel add ${inte­rface name} mode sit local ${local endpoint address} remote ${remote endpoint address}
Create an IPIP6 tunnel
ip -6 tunnel add ${inte­rface name} mode ipip6 local ${local endpoint address} remote ${remote endpoint address}
Create an IP6IP6 tunnel
ip -6 tunnel add ${inte­rface name} mode ip6ip6 local ${local endpoint address} remote ${remote endpoint address}
Create a gretap (ethernet over GRE) device
ip link add ${inte­rface name} type gretap local ${local endpoint address} remote ${remote endpoint address}
Create a GRE tunnel
ip tunnel add ${inte­rface name} mode gre local ${local endpoint address} remote ${remote endpoint address}
Create multiple GRE tunnels to the same endpoint
ip tunnel add ${inte­rface name} mode gre local ${local endpoint address} remote ${remote endpoint address} key ${key value}
Create a point-­to-­mul­tipoint GRE tunnel
ip tunnel add ${inte­rface name} mode gre local ${local endpoint address} key ${key value}
Create a GRE tunnel over IPv6
ip -6 tunnel add name ${inte­rface name} mode ip6gre local ${local endpoint} remote ${remote endpoint}
Delete a tunnel
ip tunnel del ${inte­rface name}
ip tunnel del gre1
Modify a tunnel
ip tunnel change ${inte­rface name} ${options}
ip tunnel change tun0 remote 203.0.1­13.89
ip tunnel change tun10 key 23456
View tunnel inform­ation
ip tunnel show
ip tunnel show ${inte­rface name}
ip tun show tun99
Linux currently supports IPIP (IPv4 in IPv4), SIT (IPv6 in IPv4), IP6IP6 (IPv6 in IPv6), IPIP6 (IPv4 in IPv6), GRE (virtually anything in anything), and, in very recent versions, VTI (IPv4 in IPsec).

Note that tunnels are created in DOWN state, you need to bring them up.

In this section ${local endpoint address} and ${remote endpoint address} refer to addresses assigned to physical interfaces of endpoint. ${address} refers to the address assigned to tunnel interface.

L2TPv3 pseudowire management

Create an L2TPv3 tunnel over UDP
ip l2tp add tunnel tunnel_id ${local tunnel numeric identi­fier} peer_t­unn­el_id ${remote tunnel numeric identi­fier} udp_sport ${source port} udp_dport ${dest­ination port} encap udp local ${local endpoint address} remote ${remote endpoint address}
 
ip l2tp add tunnel tunnel_id 1 peer_t­unn­el_id 1 udp_sport 5000 udp_dport 5000 encap udp local 192.0.2.1 remote 203.0.1­13.2
Create an L2TPv3 tunnel over IP
ip l2tp add tunnel tunnel_id ${local tunnel numeric identi­fier} peer_t­unn­el_id {remote tunnel numeric identifier } encap ip local 192.0.2.1 remote 203.0.1­13.2
Create an L2TPv3 session
ip l2tp add session tunnel_id ${local tunnel identi­fier} session_id ${local session numeric identi­fier} peer_s­ess­ion_id ${remote session numeric identi­fier}
ip l2tp add session tunnel_id 1 session_id 10 peer_s­ess­ion_id 10
Delete an L2TPv3 session
ip l2tp del session tunnel_id ${tunnel identi­fier} session_id ${session identi­fier}
ip l2tp del session tunnel_id 1 session_id 1
Delete an L2TPv3 tunnel
ip l2tp del tunnel tunnel_id ${tunnel identi­fier}
ip l2tp del tunnel tunnel_id 1
View L2TPv3 tunnel inform­ation
ip l2tp show tunnel
ip l2tp show tunnel tunnel_id ${tunnel identi­fier}
ip l2tp show tunnel tunnel_id 12
View L2TPv3 session inform­ation
ip l2tp show session
ip l2tp show session session_id ${session identi­fier} tunnel_id ${tunnel identi­fier}
ip l2tp show session session_id 1 tunnel_id 12
Compared to other tunneling protocol implem­ent­ations in Linux, L2TPv3 termin­ology is somewhat reversed. You create a tunnel, and then bind sessions to it. You can bind multiple sessions with different identi­fiers to the same tunnel. Virtual network interfaces (by default named l2tpethX) are associated with sessions.

Policy­-based routing

Create a policy route
ip route add ${route options} table ${table id or name}
ip route add 192.0.2.0/27 via 203.0.1­13.1 table 10
ip route add 2001:d­b8::/48 dev eth1 table 100
View policy routes
ip route show table ${table id or name}
ip route show table 100
ip route show table test
General rule syntax
ip rule add ${options} <lookup ${table id or name}|­bla­ckh­ole­|pr­ohi­bit­|un­rea­cha­ble>
Create a rule to match a source network
ip rule add from ${source network} ${action}
ip rule add from 192.0.2.0/24 lookup 10
ip -6 rule add from 2001:d­b8::/32 prohibit
Create a rule to match a destin­ation network
ip rule add to ${dest­ination network} ${action}
ip rule add to 192.0.2.0/24 blackhole
ip -6 rule add to 2001:d­b8::/32 lookup 100
Create a rule to match a ToS field value
ip rule add tos ${ToS value} ${action}
ip rule add tos 0x10 lookup 110
Create a rule to match a firewall mark value
ip rule add fwmark ${mark} ${action}
ip rule add fwmark 0x11 lookup 100
Create a rule to match inbound interface
ip rule add iif ${inte­rface name} ${action}
ip rule add iif eth0 lookup 10
ip rule add iif lo lookup 20
Create a rule to match outbound interface
ip rule add oif ${inte­rface name} ${action}
ip rule add oif eth0 lookup 10
Set rule priority
ip rule add ${options} ${action} priority ${value}
ip rule add from 192.0.2.0/25 lookup 10 priority 10
ip rule add from 192.0.2.0/24 lookup 20 priority 20
Show all rules
ip rule show
ip -6 rule show
Delete a rule
ip rule del ${options} ${action}
ip rule del 192.0.2.0/24 lookup 10
Delete all rules
ip rule flush
ip -6 rule flush
Policy­-based routing (PBR) in Linux is designed the following way: first you create custom routing tables, then you create rules to tell the kernel it should use those tables instead of the default table for specific traffic.

Some tables are predef­ined: local (table 255), main (table 254), default (table 253).

netconf (sysctl config­uration viewing)

View sysctl config­uration for all interfaces
ip netconf show
View sysctl config­uration for specific interface
ip netconf show dev ${inte­rface}
ip netconf show dev eth0

Network namespace management

Create a namespace
ip netns add ${name­space name}
ip netns add foo
List existing namespaces
ip netns list
Delete a namespace
ip netns delete ${name­space name}
ip netns delete foo
Run a process inside a namespace
ip netns exec ${name­space name} ${command}
ip netns exec foo /bin/sh
List all processes assigned to a namespace
ip netns pids ${name­space name}
 
The output will be a list of PIDs.
Identify process' primary namespace
ip netns identify ${pid}
ip netns identify 9000
Assign network interface to a namespace
ip link set dev ${inte­rface name} netns ${name­space name}
ip link set dev ${inte­rface name} netns ${pid}
ip link set dev eth0.100 netns foo
Connect one namespace to another
Create a pair of veth devices:
ip link add name veth1 type veth peer name veth2
 
Move veth2 to namespace foo:
ip link set dev veth2 netns foo
 
Bring veth2 and add an address in "­foo­" namespace:
ip netns exec foo ip link set dev veth2 up
   
ip netns exec foo ip address add 10.1.1.1/24 dev veth2
 
Add an address to veth1, which stays in the default namespace:
ip address add 10.1.1.2/24 dev veth1
Monitor network namespace subsystem events
ip netns monitor
Network namespaces are isolated network stack instances within a single machine. They can be used for security domain separa­tion, managing traffic flows between virtual machines and so on.

Every namespace is a complete copy of the networking stack with its own interf­aces, addresses, routes etc. You can run processes inside a namespace and bridge namespaces to physical interf­aces.

VXLAN management

Create a VXLAN link
ip link add name ${inte­rface name} type vxlan id <0-­167­772­15> dev ${source interface} group ${mult­icast address
ip link add name vxlan0 type vxlan id 42 dev eth0 group 239.0.0.1
VXLAN is a layer 2 tunneling protocol that is commonly used in conjun­ction with virtua­liz­ation systems such as KVM to connect virtual machines running on different hypervisor nodes to each other and to outside world. The underlying encaps­ulation protocol for VXLAN is UDP.

Multicast management

View multicast groups
ip maddress show
ip maddress show ${inte­rface name}
ip maddress show dev lo
Add a link-layer multicast address
ip maddress add ${MAC address} dev ${inte­rface name}
ip maddress add 01:00:­5e:­00:­00:ab dev eth0
View multicast routes
ip mroute show
Multicast routes cannot be added manually, so this command can only show multicast routes installed by a routing daemon.
It supports the same modifiers to unicast route viewing commands (iif, table, from etc.).
Multicast is mostly handled by applic­ations and routing daemons, so there is not much you can and should do manually here. Multic­ast­-re­lated ip commands are mostly useful for debug.

Network event monitoring

Monitor all events
ip monitor
Monitor specific events
ip monitor ${event type}
Event type can be: link, address, route, mroute, neigh.
Read a log file produced by rtmon
ip monitor ${event type} file ${path to the log file}
 
iproute2 includes a program called "­rtm­on" that serves essent­ially the same purpose, but writes events to a binary log file instead of displaying them. "ip monito­r" command allows you to read files created by the progra­m".
 
rtmon [-family <in­et|­ine­t6>] [<r­out­e|l­ink­|ad­dre­ss|­all­>] file ${log file path}
 
rtmon syntax is similar to that of "ip monito­r", except event type is limited to link, address, route, and all; and address family is specified in "­-fa­mil­y" option.
You can monitor certain network events with iproute2, such as changes in network config­ura­tion, routing tables, and ARP/NDP tables.
                                                                   
 

Comments

No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          TCP/IP Model Layers Cheat Sheet

          More Cheat Sheets by TME520

          Lantern Light for MSDOS keyboard mapping Cheat Sheet
          Top 30 linux shell tricks Cheat Sheet
          Anki Vector Cheat Sheet