Basic Linux network interface, listening port and local tunnel diagnostics

Network Diagnostics

Linux Network
Diagnostics & NAT

Basic Linux network interface, listening port and local tunnel diagnostics. Learn how to inspect routes, scan localhost, monitor sockets with modern tools, and set up simple NAT redirects.

Networking
Ports
iptables
nftables

Network Basics

Interfaces & Routing

To identify network interfaces and assigned IP addresses on Linux, use:

ip a

A cleaner and more readable version is:

ip -br addr

To show only one specific interface, for example eth0:

ip addr show dev eth0

To check the default route and see which interface is used for outgoing traffic:

ip route

You can also ask the system which interface would be used to reach a specific IP address:

ip route get 8.8.8.8

Scanning

Checking open ports on localhost

A simple way to check open TCP ports on the local machine is:

nmap localhost

For a more direct IPv4 localhost scan:

nmap 127.0.0.1

For service and version detection:

nmap -sV 127.0.0.1

For a full TCP port scan on localhost:

nmap -p- 127.0.0.1

Important: nmap shows open ports and detected services, but it does not show the local process PID. To see the PID and program name, use ss or lsof.

Socket Diagnostics

Modern replacement for netstat & lsof

Modern replacement for netstat

The older command:

netstat -ltnp

still works on systems where the net-tools package is installed, but on modern Linux systems the recommended replacement is ss.

Show listening TCP ports with PID and program name:

sudo ss -ltnp

Show listening TCP and UDP ports with PID and program name:

sudo ss -ltnup

Show all established TCP connections with PID and program name:

sudo ss -tnp state established

Show all listening sockets:

sudo ss -lpn

Show which process is using a specific port, for example port 8080:

sudo ss -ltnp ‘sport = :8080’

Alternative using lsof

Another useful tool is lsof.

Show all listening TCP ports:

sudo lsof -nP -iTCP -sTCP:LISTEN

Show which process is listening on port 8080:

sudo lsof -nP -iTCP:8080 -sTCP:LISTEN

Show all network connections owned by a specific process PID:

sudo lsof -nP -p PID -i

Tunnels

Checking localhost tunnels

Localhost tunnels are commonly created by SSH, VPN tools, development proxies or container systems. A typical SSH local tunnel can look like this:

ssh -N -L 127.0.0.1:8080:remote.example.com:80 user@gateway.example.com

This means that local port 127.0.0.1:8080 forwards traffic through SSH to remote.example.com:80.

To check whether the local tunnel port is listening:

sudo ss -ltnp ‘sport = :8080’

To inspect the SSH process that owns the tunnel:

ps -fp PID

To view the full command line of the process:

tr ‘\0’ ‘ ‘ < /proc/PID/cmdline

To see active SSH TCP connections:

sudo ss -tnp | grep ssh

Important: when you scan localhost, you only see the local tunnel endpoint. You do not directly see the final service on the remote side of the tunnel unless you inspect the tunnel command, SSH configuration or the remote host itself.

Legacy Firewall

Simple local NAT / redirect examples with iptables

Local Redirect (OUTPUT)

Example: redirect local TCP traffic originally going to 123.45.67.89:443 to a local service on 127.0.0.1:8443:

sudo iptables -t nat -A OUTPUT -p tcp -d 123.45.67.89 –dport 443 -j DNAT –to-destination 127.0.0.1:8443

For redirecting traffic to the local machine itself, REDIRECT is often cleaner:

sudo iptables -t nat -A OUTPUT -p tcp -d 123.45.67.89 –dport 443 -j REDIRECT –to-ports 8443

Explanation:

-t nat use the NAT table
-A OUTPUT apply to locally generated outgoing packets
-p tcp match TCP traffic
-d 123.45.67.89 match destination IP address
–dport 443 match destination port 443
-j DNAT change destination address
–to-destination new destination IP address and optional port
-j REDIRECT redirect traffic to the local machine
–to-ports 8443 new local destination port

Do not use a wide rule such as -p all unless you really know what you are doing. For port forwarding and local service redirection, it is safer to specify the protocol and destination port.

DNAT for incoming traffic

For incoming traffic from another machine, use the PREROUTING chain instead of OUTPUT.

Example: forward incoming TCP port 443 from a public interface to an internal server:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 443 -j DNAT –to-destination 192.168.1.10:443

For router-style forwarding, you usually also need IP forwarding enabled:

sudo sysctl -w net.ipv4.ip_forward=1

And you may need a matching FORWARD firewall rule and possibly MASQUERADE/SNAT depending on your network topology.

Modern Firewall

Modern nftables alternatives

Many modern Linux distributions use nftables or an iptables-nft backend. For new firewall configurations, nftables is often the preferred native solution.

Example: create a NAT table:

sudo nft add table ip nat

Create an output NAT chain:

sudo nft ‘add chain ip nat output { type nat hook output priority dstnat; }’

Redirect local outgoing TCP traffic for 123.45.67.89:443 to local port 8443:

sudo nft add rule ip nat output ip daddr 123.45.67.89 tcp dport 443 redirect to :8443

Create a prerouting NAT chain for incoming traffic:

sudo nft ‘add chain ip nat prerouting { type nat hook prerouting priority dstnat; }’

Forward incoming TCP port 443 to an internal server:

sudo nft add rule ip nat prerouting iif “eth0” tcp dport 443 dnat to 192.168.1.10:443

Conclusion

Quick summary

Use ip to identify network interfaces and routes.
Use nmap to scan open ports.
Use ss or lsof to find the PID and program using a port.
Use iptables for legacy NAT rules.
Use nftables for modern native Linux firewall and NAT configuration.

Linux NetworkDiagnostics & NAT