When a packet arrives at a Linux machine, the kernel decides what to do with it based on a set of firewall rules. Those rules live in the kernel’s Netfilter framework, and for more than two decades the standard way to edit them from user space has been the iptables command.

iptables controls packet filtering, network address translation, and packet mangling. Higher-level front ends such as ufw and firewalld manage the same Netfilter firewall stack through simpler interfaces, although many modern systems use nftables underneath. Understanding the underlying command is still valuable, especially when you inherit a server that was set up by someone else. This guide walks through the concepts and the commands you need to read, edit, and persist firewall rules.

Tables and Chains #

Before you write a rule, you need to know where it goes. iptables is organized into tables, and each table contains chains.

The three tables you will use most often are:

• filter - the default table, used for allowing and blocking traffic
• nat - used for network address translation, such as port forwarding and masquerading
• mangle - used to alter packet headers, for example to set QoS marks

Each table has a set of built-in chains that correspond to moments in the life of a packet. In the filter table:

• INPUT - packets destined for the local machine
• OUTPUT - packets originating from the local machine
• FORWARD - packets routed through the machine

A rule says: for packets that enter this chain and match these criteria, take this action. The action is called a target and is usually ACCEPT, DROP, REJECT, or the name of another chain.

iptables Syntax #

The general form of the command is:

iptables [-t TABLE] COMMAND CHAIN [MATCH] [-j TARGET]

If -t is omitted, iptables uses the filter table. Common commands include -A (append a rule), -I (insert), -D (delete), -L (list), -F (flush), and -P (set default policy).

All commands that change the firewall require root privileges. Run them with sudo or as root.

List Rules #

To print every rule in the filter table, use the -L option:

sudo iptables -L

The default output shows service names, resolves IP addresses, and hides packet and byte counters. For real work, add -n to keep numeric output and -v to show counters and interface information:

sudo iptables -L -n -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1234 98K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

To list a single chain, append its name:

sudo iptables -L INPUT -n -v

To number the rules so you can reference them by index when deleting, add --line-numbers:

sudo iptables -L INPUT -n -v --line-numbers

Add and Remove Rules #

New rules are added to the end of a chain with -A (append) or at a specific position with -I (insert). The difference matters because iptables evaluates rules top to bottom and stops at the first match.

To allow incoming SSH connections:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

To allow HTTP and HTTPS:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

To insert a rule as the first one in the chain, use -I CHAIN 1:

sudo iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT

This is important when you are working over SSH. If a broad DROP rule already appears earlier in the chain, appending the accept rule after it would not help because the packet would be dropped first.

To delete a rule, either repeat the exact specification with -D:

sudo iptables -D INPUT -p tcp --dport 23 -j DROP

Or delete by line number, which is easier when the rule has many options:

sudo iptables -D INPUT 3

Allow and Block Specific IPs #

To block all traffic from a single IP address:

sudo iptables -A INPUT -s 203.0.113.10 -j DROP

To block a range using CIDR notation:

sudo iptables -A INPUT -s 203.0.113.0/24 -j DROP

To allow SSH only from a trusted subnet:

sudo iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

The first rule accepts SSH from the local subnet. The second drops SSH from everywhere else. Order matters: if you reversed the two lines, every SSH attempt would be dropped before the accept rule had a chance to match.

Allow Established Connections #

Most firewall setups include a rule that accepts traffic belonging to an already established connection. This lets return traffic through without needing a matching rule for each outbound request:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Put this rule near the top of the INPUT chain so it matches early. Without it, the default DROP policy breaks outbound connections that expect responses.

Set a Default Policy #

Each built-in chain has a default policy that applies when no rule matches. The -P option changes it:

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

Switching INPUT to DROP is the foundation of a deny-by-default firewall: nothing gets in unless an explicit rule allows it. Before you flip the policy, make sure you have already added the rules that allow SSH, established connections, and anything else you need.

Flush Rules #

To remove every rule from every chain in the current table:

sudo iptables -F

To flush a specific chain only:

sudo iptables -F INPUT

Flushing does not reset the default policies. If you have set INPUT to DROP, flushing will leave it at DROP with no rules, which blocks all inbound traffic. Reset the policy to ACCEPT first if that is not what you want:

sudo iptables -P INPUT ACCEPT
sudo iptables -F

Save and Restore Rules #

Rules added with iptables live in kernel memory only. They disappear on reboot unless you save them.

On Ubuntu, Debian, and Derivatives, the iptables-persistent package saves rules to /etc/iptables/rules.v4 and reloads them at boot:

sudo apt install iptables-persistent

The installer asks whether to save the current rules. To update the saved copy later:

sudo netfilter-persistent save

On Fedora, RHEL, and Derivatives, the equivalent service is iptables-services:

sudo dnf install iptables-services
sudo systemctl enable --now iptables
sudo service iptables save

Independent of the distribution, you can dump and restore rules manually with iptables-save and iptables-restore:

sudo iptables-save -f /etc/iptables/rules.v4
sudo iptables-restore /etc/iptables/rules.v4

This is also the recommended way to edit a large ruleset: save to a file, edit the file, then restore it atomically.

Troubleshooting #

Rules disappear after a reboot
iptables rules are not persistent by default. Install iptables-persistent on Debian-based systems or iptables-services on RHEL-based ones, and save the ruleset.

SSH stops working after setting a DROP policy
You switched INPUT to DROP without an ACCEPT rule for port 22, or the ACCEPT rule is positioned after a more general DROP rule. Connect through the console, add the rule with -I INPUT 1, and save.

A rule looks correct but does not match
Check the order. iptables walks the chain top to bottom and stops at the first match, so an earlier accept or drop may be catching the packet first. Use iptables -L INPUT -n -v --line-numbers to inspect the order.

Changes are silently ignored
You may be editing the wrong table. A rule in filter does not affect NAT, and vice versa. Pass -t TABLE explicitly when you are not working in filter.

iptables: command not found
On some modern distributions, only nftables is installed by default. Install iptables with your package manager, or use nft directly.

Quick Reference #

For a printable quick reference, see the iptables cheatsheet .

FAQ #

Is iptables still relevant in 2026?
It is still installed and widely used, but it is being replaced by nftables, which offers a cleaner syntax and better performance. On recent distributions, the iptables command is often a compatibility front end that writes nftables rules underneath.

Should I use iptables, ufw, or firewalld?
If you are managing rules by hand on Debian or Ubuntu, ufw is simpler and covers most cases. On Fedora and RHEL, firewalld is the default. Reach for raw iptables when you need fine-grained control that the front ends do not expose, or when you are troubleshooting an existing ruleset.

What is the difference between DROP and REJECT?
DROP silently discards the packet; the sender sees a timeout. REJECT sends an ICMP error back (or a TCP reset for TCP), so the sender gets immediate feedback. DROP is often preferred on public interfaces because it does not confirm that the port exists.

How do I block a country or a list of IPs?
For a handful of addresses, add one -s rule per entry. For larger lists, use the ipset tool to manage the addresses and reference the set from a single iptables rule.

Does iptables handle IPv6?
No. Use ip6tables for IPv6 rules. It has the same syntax and the same tables and chains, but operates on a separate rule set.

Conclusion #

iptables is a low-level but reliable way to read and shape the Linux firewall. Once you have a working ruleset, save it with iptables-save and commit the file so the next person to touch the server has a clear starting point.

When a server feels slow or a connection is saturated, the first question is usually “what is using the bandwidth?” The answer depends on what you need to see: the total rate on an interface, the individual connections moving the most data, a graph across several interfaces, or how much you have transferred this month. No single tool does all of this well, so it helps to know which one fits each question.

This guide compares four command-line bandwidth monitors: nload, iftop, bmon, and vnstat. Each one is small, available in the default repositories, and built for a different angle on network usage.

nload: Per-Interface Throughput #

nload is the simplest of the four. It shows the incoming and outgoing rate on a single interface in real time, with a small ASCII graph and running statistics. It answers the question “how fast is this interface moving data right now?”

Install it on Ubuntu, Debian, and Derivatives:

sudo apt install nload

On Fedora, RHEL, and Derivatives, install it with dnf. On RHEL-compatible systems, enable EPEL first if the package is not available:

sudo dnf install nload

Run it with no arguments to monitor the default interface, or name an interface directly:

nload eth0

The display splits into incoming and outgoing sections, each showing the current rate along with the average, minimum, maximum, and total transferred:

Device eth0 [192.168.1.50] (1/1):
Incoming:
Curr: 4.21 MBit/s
Avg: 2.88 MBit/s
Max: 9.10 MBit/s
Ttl: 1.42 GByte
Outgoing:
Curr: 512.00 kBit/s
Avg: 320.10 kBit/s

When more than one interface is present, the left and right arrow keys cycle between them. Press q to quit. nload does not need root privileges, which makes it the quickest way to glance at raw throughput.

iftop: Bandwidth by Connection #

nload tells you how much traffic is flowing, but not where it is going. iftop fills that gap. It works like top for the network, listing active connections sorted by bandwidth so you can see which hosts and ports are responsible for the load.

Install it on Ubuntu, Debian, and Derivatives:

sudo apt install iftop

On Fedora, RHEL, and Derivatives, use dnf. On RHEL-compatible systems, enable EPEL first if the package is not available:

sudo dnf install iftop

iftop needs to capture packets, so it must run as root. Point it at an interface:

sudo iftop -i eth0

Each row shows a pair of hosts and the bandwidth between them, averaged over the last 2, 10, and 40 seconds:

 => 192.168.1.50 4.10Mb 3.85Mb 3.20Mb
192.0.2.14 <= 256Kb 210Kb 180Kb

By default iftop resolves IP addresses to hostnames and port numbers to service names, which can be slow and can clutter the view. Three flags make it more useful on a busy server: -n skips DNS hostname lookups, -N shows ports as numbers instead of service names, and -P displays the port column so you can tell which service is responsible:

sudo iftop -i eth0 -nNP

Press q to quit. When you need to find the connection saturating a link, iftop is the tool to reach for. To then identify the local process behind a port, pair it with the ss command .

bmon: Multiple Interfaces at a Glance #

bmon (bandwidth monitor) is the right choice when you want to watch several interfaces at once. It lists every interface with its current receive and transmit rates, and draws a live graph for the one you select, which is handy on routers, gateways, and virtualization hosts with many NICs and bridges.

Install it on Ubuntu, Debian, and Derivatives:

sudo apt install bmon

On Fedora, RHEL, and Derivatives, use dnf. On RHEL-compatible systems, enable EPEL first if the package is not available:

sudo dnf install bmon

Launch it with no arguments:

bmon

The top pane lists all interfaces with their RX and TX rates. Use the arrow keys to highlight an interface, and the lower pane updates its graph to match. Press d to toggle detailed counters such as errors and dropped packets, and q to quit. bmon reads kernel counters and does not require root for basic monitoring.

vnstat: Historical Usage Over Time #

The first three tools show what is happening now and forget it the moment you quit. vnstat is different: it runs as a background service, records traffic per interface into a database, and reports usage by hour, day, and month. It answers “how much data have I used this month?” rather than “what is the rate right now?”, which makes it the tool for usage caps and capacity planning.

Install it and enable the service on Ubuntu, Debian, and Derivatives:

sudo apt install vnstat
sudo systemctl enable --now vnstat

On Fedora, RHEL, and Derivatives, install the package first. On RHEL-compatible systems, enable EPEL first if the package is not available:

sudo dnf install vnstat
sudo systemctl enable --now vnstat

vnstat needs time to collect data, because it samples the interface counters periodically rather than capturing packets. After it has been running for a while, view a summary:

vnstat

 eth0 since 2026-01-01
rx: 42.18 GiB tx: 8.04 GiB total: 50.22 GiB
monthly
rx | tx | total
------------------------+-------------+------------
2026-01 42.18 GiB | 8.04 GiB | 50.22 GiB

Several flags change the reporting period: vnstat -h for hourly, vnstat -d for daily, and vnstat -m for monthly. For a live rate display similar to the other tools, use vnstat -l, which shows the current throughput until you press Ctrl+C. Because the daemon keeps logging, the history survives reboots.

Which Tool to Use #

The four tools overlap a little but each has a clear best use:

In practice, many administrators keep vnstat running for history and reach for iftop when they need to investigate a live spike.

Troubleshooting #

command not found after installing
Confirm the package installed with apt list --installed | grep <tool> or dnf list installed <tool>. On Ubuntu, the package may be in the universe repository; on RHEL-compatible systems, you may need to enable EPEL first.

iftop shows no traffic
iftop must run as root and be pointed at the active interface. List interfaces with ip link and pass the correct one with -i. Traffic on the loopback interface will not appear unless you select lo.

vnstat reports “Not enough data available yet”
The daemon has not collected a full sampling interval. Confirm the service is running with systemctl status vnstat and wait a few minutes for the first data points.

Rates look wrong on a virtual interface
Bridges, bonds, and VLAN interfaces report aggregate counters. Monitor the underlying physical interface as well to see where the traffic actually enters the host.

FAQ #

Which tool shows bandwidth per process?
None of these four map traffic to a process directly. iftop shows it per connection; to tie a connection to a process, use ss -tp or nethogs, which groups bandwidth by process.

Do these tools work over SSH?
Yes. All four are terminal applications and run fine in an SSH session, which is exactly how they are used on headless servers.

Does vnstat slow down the network?
No. vnstat reads interface counters periodically rather than inspecting packets, so its overhead is negligible even on busy links.

Can I monitor a specific interface only?
Yes. nload, iftop, and vnstat all accept an interface name (for example eth0), and bmon lets you select one from its list.

Conclusion #

Pick the tool that matches the question: nload for a fast look at throughput, iftop to find the connection eating the link, bmon for many interfaces, and vnstat for usage history. When you need to move from bandwidth numbers to sockets and interface details, pair them with the lower-level ss and ip commands.

By default, a bash script keeps running even after a command fails. A typo in a variable name expands to an empty string, a failed cd is ignored, and the script marches on as if nothing happened, often doing real damage by the time it stops. The set builtin changes that. With a few flags, you can make bash stop on the first error, treat unset variables as mistakes, and print each command as it runs.

This guide explains the set command and the three options you will use most: set -e, set -u, and set -x, plus pipefail and how to combine them into a strict mode.

What the set Command Does #

set is a shell builtin that turns shell options on or off and sets the positional parameters. For options, it takes this form:

set [options]

Each option has a short form and a long form. A leading dash turns an option on, and a leading plus turns it off, which is the reverse of what most people expect:

• set -e enables an option (here, exit on error).
• set +e disables it.
• set -o errexit is the long form of set -e.
• set +o errexit is the long form of set +e.

You place these near the top of a script so they apply to everything that follows, or around a specific block when you only want them in part of the script.

set -e: Exit on Error #

set -e (also written set -o errexit) tells bash to exit immediately if any command returns a non-zero status. It stops a script from continuing past a failure.

Consider a script that changes into a directory and then writes a log message:

#!/bin/bash
set -e

cd /var/cache/myapp
printf 'Cleaning application cache\n'

Without set -e, if the cd fails because the directory does not exist, the script would continue and run the next command in whatever directory it started in. With set -e, the failed cd stops the script before the log message or any later cache command runs.

There are important exceptions where set -e does not trigger an exit, and they trip people up. A command does not cause an exit when it is:

• part of an if, while, or until test,
• joined with && or ||,
• preceded by !.

This is by design, so that you can test a command’s exit status. If you need a specific command’s failure to be tolerated, append || true:

grep "pattern" file.txt || true

set -u: Treat Unset Variables as Errors #

set -u (or set -o nounset) makes bash exit when you reference a variable that has not been set. This catches one of the most common scripting bugs: a typo in a variable name that silently expands to nothing.

#!/bin/bash
set -u

target_dir="/srv/www"
printf 'Target cache directory: %s\n' "${tagret_dir}/cache"

The variable name is misspelled as tagret_dir. Without set -u, ${tagret_dir} expands to an empty string, and the command prints /cache instead of /srv/www/cache. With set -u, bash stops with an error instead:

deploy.sh: line 5: tagret_dir: unbound variable

When a variable is legitimately optional, provide a default with ${VAR:-default} so the reference is always defined:

echo "Deploying to ${ENVIRONMENT:-staging}"

set -x: Trace Each Command #

set -x (or set -o xtrace) prints every command to standard error before it runs, with the expanded values of any variables. It is the fastest way to see exactly what a script is doing without adding echo statements everywhere.

#!/bin/bash
set -x

name="Linuxize"
echo "Hello, $name"

Running the script shows each command, prefixed with a +, alongside its normal output:

+ name=Linuxize
+ echo 'Hello, Linuxize'
Hello, Linuxize

The trace shows the variable already expanded, so you see the real value bash used. The prefix comes from the PS4 variable. Set it to include the script name and line number, which is invaluable in longer scripts:

PS4='+ ${BASH_SOURCE}:${LINENO}: '

Because tracing is noisy, it is common to enable it only around the section you are debugging with set -x and then turn it off again with set +x.

set -o pipefail: Catch Failures in a Pipeline #

By default, a pipeline returns the exit status of its last command, so a failure earlier in the pipe is hidden. In the pipeline below, wc succeeds even though grep failed because the file does not exist:

grep "ERROR" missing.log | wc -l

Without pipefail, the pipeline exits with the status from wc, which is 0. set -o pipefail changes this so the pipeline returns the status of the rightmost command that failed, or 0 if every command succeeded. Combined with set -e, it makes a failed first stage actually stop the script.

Combine Them into a Strict Mode #

These options are most useful together. The common combination at the top of a careful script is:

#!/bin/bash
set -euo pipefail

This enables exit-on-error, unset-variable checking, and pipeline failure detection in one line. Add x as set -euxo pipefail while debugging, then remove it. This pattern is the foundation of what is often called “bash strict mode”, which our bash strict mode guide covers in more depth, including the trade-offs of set -e.

Enable and Disable Options for a Block #

You do not have to apply an option to the whole script. Turn one on for a block and off afterward. This is common with tracing:

set -x
deploy_application
sync_assets
set +x

Only the two commands between set -x and set +x are traced. The same pattern works with set -e when you have a section where you want to handle errors manually.

View the Current Options #

Running set -o with no flag prints every option and whether it is on or off. The full list has more than two dozen entries; the four options discussed here are:

set -o

errexit off
nounset off
pipefail off
xtrace off

This is a quick way to confirm which options an interactive shell or a sourced script has enabled.

Set Positional Parameters #

The set command has a second job unrelated to options: when given arguments after --, it replaces the positional parameters $1, $2, and so on. This is useful when you want to reset the arguments a script or function reads:

set -- one two three
echo "$2"

two

The -- marks the end of options so that arguments starting with a dash are not mistaken for flags.

Quick Reference #

For a printable quick reference, see the Bash cheatsheet .

FAQ #

What is the difference between set -e and set -o errexit?
They are the same thing. set -e is the short form and set -o errexit is the long, more readable form. Use whichever you prefer; long forms are common in shared scripts because they are self-documenting.

Why does my script still continue after a command fails with set -e?
The failed command is probably part of an if test, joined with && or ||, or preceded by !. In those positions bash deliberately ignores the failure so you can test exit status. A command substitution or a function call can also mask the failure.

What does the plus sign do, as in set +x?
A plus disables an option that a dash would enable. set -x turns tracing on and set +x turns it off, so you can scope an option to part of a script.

Should I always use set -euo pipefail?
It is a good default for new scripts and catches many bugs early, but set -e in particular has surprising edge cases. For complex scripts, understand how each option behaves and handle the exceptions explicitly rather than assuming the script is fully protected.

Conclusion #

The set builtin turns bash from a forgiving shell into a strict one: set -e stops on errors, set -u catches typos in variable names, and set -x shows you exactly what ran. Combine them as set -euo pipefail at the top of a script, scope tracing to the block you are debugging, and your scripts will fail loudly and early instead of quietly doing the wrong thing. For more on writing reliable scripts, see our guides on bash best practices and bash functions .

Searching through a large codebase or a directory full of log files with grep often means adding -r for recursion, -n for line numbers, and --include or --exclude rules to avoid unrelated files. In a Git repository, you may also need extra excludes for build directories, vendor files, and binary output.

ripgrep (rg) handles the common case with better defaults. It searches directories recursively, respects .gitignore, .ignore, and .rgignore rules, skips hidden and binary files during recursive searches, and shows friendly interactive output. It is also much faster than traditional recursive grep on many large file trees because it uses Rust’s regex engine and parallel directory traversal.

This guide explains how to use the ripgrep command in Linux, from basic searches to file type filters, context lines, replacement previews, and config defaults.

Installing ripgrep #

On Ubuntu, Debian, and Derivatives, install the ripgrep package with apt:

sudo apt install ripgrep

On Fedora, RHEL, and Derivatives, use dnf:

sudo dnf install ripgrep

On Arch Linux, install it from the official repositories:

sudo pacman -S ripgrep

Verify the installation with:

rg --version

The output shows the installed version:

ripgrep 15.1.0 (rev af60c2de9d)

Your distribution may ship a different version, but the examples in this guide use common options available in current ripgrep releases.

Syntax #

The basic syntax for the rg command is:

rg [OPTIONS] PATTERN [PATH ...]

The PATTERN argument is the text or regular expression to search for. If you omit PATH, rg searches recursively from the current directory.

For example, rg "error" searches the current directory tree, while rg "error" logs/ limits the search to the logs directory.

Basic Search #

Search for a pattern in all files under the current directory:

rg "error"

Example output:

logs/app.log:42:error: connection refused
logs/app.log:78:error: timeout after 30s
src/main.py:114:raise ValueError("error parsing config")

The output shows the filename, line number, and matching line. In an interactive terminal, rg also uses color by default, so you do not need the usual recursive grep flags for the common code-search workflow.

To search in a specific file, pass the filename after the pattern:

rg "error" logs/app.log

To search in a specific directory, pass the directory path:

rg "error" logs/

Filtering by File Type #

Use -t to restrict the search to a known file type:

rg -t py "import os"

This searches only Python files. ripgrep includes built-in definitions for many file types. To see the full list, run:

rg --type-list

To exclude a file type, use -T:

rg -T js "TODO"

You can also use glob patterns with -g to match or exclude specific filenames. Quote glob patterns so the shell does not expand them before rg receives them:

rg -g '*.log' "error"

Use a leading ! to exclude matching paths:

rg -g '!*.min.js' "console.log"

The ! prefix belongs to rg, so quoting is especially useful in shells where ! can trigger history expansion.

Case-Insensitive Search #

Add -i to ignore letter case:

rg -i "warning"

This matches warning, Warning, WARNING, and other case variants.

For a more flexible default, use -S or --smart-case:

rg -S "warning"

With smart case, an all-lowercase pattern is case-insensitive, but a pattern with any uppercase letter is case-sensitive. For example, rg -S "warning" matches Warning, while rg -S "Warning" searches for that exact capitalization.

Fixed String Search #

By default, rg treats the pattern as a regular expression. Use -F to search for a literal string instead, which is useful when the pattern contains regex characters:

rg -F "price[0]"

Without -F, [0] would be interpreted as a character class. With -F, rg searches for the literal text price[0].

Counting and Listing Matches #

To count matching lines per file instead of printing the matching lines, use -c:

rg -c "error"

Example output:

logs/app.log:14
logs/nginx/access.log:3

The count is the number of matching lines, not the total number of matching words or strings.

To print only filenames that contain at least one match, use -l:

rg -l "error"

To print only filenames that contain no matches, use --files-without-match:

rg --files-without-match "error"

This is different from combining -v with -l. The --files-without-match option checks whether a file has zero matching lines.

Context Lines #

When a matching line alone is not enough to understand the surrounding code, add context with -C:

rg -C 3 "panic"

This prints three lines before and three lines after each match.

Use -A for lines after the match only:

rg -A 2 "def connect"

Use -B for lines before the match only:

rg -B 2 "def connect"

Context output is useful when you want to inspect the code around a function, error message, or configuration value without opening each file.

Multiple Patterns #

Use -e to search for more than one pattern in a single pass:

rg -e "error" -e "warning"

This matches any line containing either word. It is equivalent to the regex error|warning, but repeated -e options are easier to read when patterns become longer.

The -e option is also useful when a pattern begins with a dash:

rg -e "--force"

Without -e, rg would try to interpret --force as an option.

Whole-Word Match #

The -w flag restricts matches to whole words. This is useful when you want to find a variable name without matching it inside a longer name:

rg -w "id"

This matches id, but not uid or invalid.

Invert Match #

The -v flag prints lines that do not match the pattern:

rg -v "^#" config.txt

This shows all lines in config.txt that do not begin with #.

If you want filenames that do not contain a pattern at all, use --files-without-match instead:

rg --files-without-match "version" -g '*.json'

Searching Hidden Files and Ignoring .gitignore #

By default, recursive rg searches skip hidden files and directories, and respect .gitignore, .ignore, and .rgignore files. This is usually what you want in a source tree.

To include hidden files and directories, use --hidden:

rg --hidden "api_key"

To ignore .gitignore, .ignore, and .rgignore rules, use --no-ignore:

rg --no-ignore "TODO"

The --no-ignore option does not include hidden files by itself. To search hidden files and ignored files in the same search, combine both options:

rg --hidden --no-ignore "password"

Replacing Output #

The -r option rewrites matching text in the output to show what a replacement would look like. It does not modify any files:

rg "foo" -r "bar"

Example output:

src/config.py:5:bar = get_setting("bar")

The output shows the line as it would look after replacing foo with bar. This is useful for previewing a project-wide rename before using sed or a text editor’s find-and-replace feature.

For capture groups in replacements, wrap the command in single quotes so the shell does not expand $1, $name, or similar replacement references before rg runs.

Showing Only the Match #

By default, rg prints the full line containing the match. Use -o to print only the matched text:

rg -o 'v[0-9]+\.[0-9]+\.[0-9]+'

Example output:

package.json:4:v1.4.2
package-lock.json:8:v1.4.2

This is useful when you want to extract values from files rather than inspect matching lines in context.

ripgrep Configuration File #

ripgrep can read default options from a configuration file, but it does not automatically look in ~/.config/ripgrep/ or any other fixed path. You must point RIPGREP_CONFIG_PATH to the file you want rg to read.

For example, create a config file named ~/.ripgreprc:

--smart-case
--hidden
--glob=!.git/

Then export the environment variable:

export RIPGREP_CONFIG_PATH="$HOME/.ripgreprc"

Add that export line to your shell startup file, such as ~/.bashrc or ~/.zshrc, if you want the setting to apply in new terminal sessions.

Each config file line is passed to rg as one command-line argument. For options with values, use either --option=value on one line or put the option and its value on separate lines.

Troubleshooting #

rg does not find a file you expected
The file may be hidden, ignored by .gitignore, ignored by .ignore or .rgignore, or detected as binary. Start with rg --debug "pattern" to see why paths were skipped, then add --hidden, --no-ignore, or both only when needed.

A glob pattern does not work as expected
Quote glob patterns, such as rg -g '*.conf' "server" and rg -g '!*.min.js' "console.log". Without quotes, your shell may expand * before rg sees the pattern.

A pattern starting with - is treated as an option
Use -e before the pattern, for example rg -e "--force". You can also use -- to stop option parsing, as in rg -- "--force".

Options Reference #

• -t TYPE - Search only files of the given type.
• -T TYPE - Exclude files of the given type.
• -g GLOB - Include or exclude files by glob. A ! prefix excludes paths.
• -i - Search case-insensitively.
• -F - Treat the pattern as a fixed string, not a regex.
• -c - Count matching lines per file.
• -l - List only filenames with matches.
• --files-without-match - List only filenames without matches.
• -C N - Show N lines of context around each match.
• -A N - Show N lines after each match.
• -B N - Show N lines before each match.
• -e PATTERN - Add a search pattern. Repeat it to search for multiple patterns.
• -w - Match whole words only.
• -v - Invert the match and print non-matching lines.
• -o - Print only the matched text, not the full line.
• -r REPLACEMENT - Show output with matches replaced. This is a preview only.
• -n - Show line numbers. This is enabled by default in interactive terminal output.
• --hidden - Search hidden files and directories.
• --no-ignore - Do not respect .gitignore, .ignore, and .rgignore rules.
• -S, --smart-case - Search case-insensitively when the pattern is lowercase, and case-sensitively when it contains uppercase.
• --stats - Print a summary of the search at the end.
• -M N - Omit lines longer than N bytes.

Quick Reference #

For a printable quick reference, see the ripgrep cheatsheet .

Conclusion #

ripgrep covers the same ground as grep , but its recursive search, file filtering, and ignore-file support make it a better default for many code and log searches. For path-based file finding, pair it with find , or use rg -l when you need a list of files that contain a specific pattern.

When you need to know who owns a domain, when it expires, which registrar handles it, or which organization holds a particular IP block, the whois command is the fastest route. It queries the registry databases that record this information and returns a plain-text response you can scan in a terminal. The output format varies by registry, but the questions you can answer are consistent: registrar, name servers, registration and expiry dates, and contact info (where privacy rules allow).

This guide explains how to use whois in Linux to look up domains, IP addresses, and AS numbers, how to target a specific server, and how to parse the output for the fields you actually care about.

whois Syntax #

The general form is:

whois [OPTIONS] OBJECT

OBJECT is the domain, IP address, or AS number you want information about. With no options, whois picks the right registry automatically based on the type of query.

Install whois #

whois is not always installed by default. On Ubuntu, Debian, and Derivatives:

sudo apt update
sudo apt install whois

On Fedora, RHEL, and Derivatives:

sudo dnf install whois

Confirm it is in place:

whois --version

Version 5.6.6.

The Debian-family whois is an actively maintained client with built-in routing logic that knows which registry to ask for each TLD.

Look Up a Domain #

The most common use is checking a domain:

whois example.com

 Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.iana.org
Registrar URL: http://res-dom.iana.org
Updated Date: 2026-01-16T18:26:50Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2026-08-13T04:00:00Z
Registrar: RESERVED-Internet Assigned Numbers Authority
Registrar IANA ID: 376
Name Server: ELLIOTT.NS.CLOUDFLARE.COM
Name Server: HERA.NS.CLOUDFLARE.COM
DNSSEC: signedDelegation
...

The fields that matter most for everyday questions are:

• Registrar, the company managing the registration.
• Creation Date and Registry Expiry Date, which tell you how old the domain is and when it needs renewing.
• Name Server, which lists the DNS servers authoritative for the domain.
• DNSSEC, which shows whether the domain is cryptographically signed.

For ccTLDs (.de, .uk, .jp), the format differs because each country runs its own registry. The information is similar; the field names and order change.

Look Up an IP Address #

whois on an IP returns the network allocation, not the domain:

whois 93.184.216.34

inetnum: 93.184.216.0 - 93.184.216.255
netname: EDGECAST-NETBLK-03
descr: NETBLK-03-EU-93-184-216-0-24
country: EU
admin-c: DS7892-RIPE
tech-c: DS7892-RIPE
status: ASSIGNED PA
...

This kind of query is the right tool for “who owns this IP that has been hitting my server” investigations. The output names the network block, maintainer, and abuse contact details when the registry publishes them.

Look Up an AS Number #

Pass an autonomous system number with the AS prefix:

whois AS15169

ASNumber: 15169
ASName: GOOGLE
ASHandle: AS15169
RegDate: 2000-03-30
Updated: 2012-02-24
Ref: https://rdap.arin.net/registry/autnum/15169

AS lookups are useful when you trace a route with mtr or traceroute and want to know which network each hop belongs to.

Pick a Specific WHOIS Server #

The default routing finds the right server for most TLDs, but you can force a query against a specific server with -h:

whois -h whois.arin.net 8.8.8.8

The flag is the right tool for two situations: when the default routing picks the wrong upstream (rare but happens for some legacy TLDs), and when you want to compare answers between regional registries (ARIN, RIPE, APNIC, AFRINIC, LACNIC).

Limit the Recursion #

Most modern whois clients follow a referral chain: query IANA, follow the pointer to the TLD registry, follow the pointer to the registrar, and return the most specific answer. To stop registry-to-registrar recursion, pass --no-recursion:

whois --no-recursion example.com

The flag is most useful when you specifically want the registry data and not the registrar’s slightly different format.

The -H option has a different purpose. It hides legal disclaimers from the output, which can make short lookups easier to read:

whois -H example.com

Filter the Output #

Real whois responses are dozens of lines long with legal disclaimers and template text. To extract one field, pipe through grep:

whois example.com | grep -E "Registrar:|Expiry Date:"

 Registry Expiry Date: 2026-08-13T04:00:00Z
Registrar: RESERVED-Internet Assigned Numbers Authority

For a name-server list:

whois example.com | awk '/Name Server:/ {print $NF}'

ELLIOTT.NS.CLOUDFLARE.COM
HERA.NS.CLOUDFLARE.COM

These short patterns work for monitoring scripts that watch for domain expirations or DNSSEC status changes.

Check Domain Availability #

If the domain is not registered, the response says so explicitly. The exact wording depends on the registry:

whois never-existed-domain-xyzzy.com

No match for domain "NEVER-EXISTED-DOMAIN-XYZZY.COM".

Some registries (notably .io, .co, and several ccTLDs) return an empty or near-empty response for unregistered domains. Two heuristics that work in scripts:

• For .com/.net/.org, grep for No match for or Domain Name: in the output.
• For ccTLDs, grep for Domain not found or check whether the registration fields exist.

Rate Limits and Etiquette #

Registries rate-limit whois queries. Hammering them with a script is the fastest way to get blocked. If you query many domains, add a sleep between calls and cache the result locally. For bulk lookups, use the registry’s RDAP service directly or pay for a commercial WHOIS API.

A simple polite pattern:

while IFS= read -r domain; do
 whois "$domain"
 sleep 2
done < domains.txt

Two seconds between queries is a sane starting point; raise it if you see throttling responses.

Privacy and Redacted Output #

Since GDPR took effect, most TLDs redact personal contact information for individual registrants. The response usually contains placeholders like REDACTED FOR PRIVACY or Data Protected, Not Disclosed. For organizations and legal entities, the contact information often stays visible.

This is not a defect in whois; the underlying registry data is simply less detailed than it used to be. For account-takeover prevention and abuse handling, focus on the registrar field and the abuse contact email, which remain published.

Quick Reference #

Troubleshooting #

whois: command not found
Install the package: sudo apt install whois on Ubuntu, Debian, and Derivatives, or sudo dnf install whois on Fedora, RHEL, and Derivatives. The package is small and adds no significant dependencies.

Output says “fgets: Connection reset by peer”
The registry rate-limited or blocked your IP. Wait a few minutes and retry, slow your script down, or query through a different network.

Response is in a different language or alphabet
Some ccTLD registries return data in the local language. Look for the English section (usually further down), or pipe through iconv if the encoding makes the response unreadable in your terminal.

FAQ #

What is the difference between WHOIS and RDAP?
RDAP (Registration Data Access Protocol) is the modern replacement for WHOIS. It returns structured JSON instead of free-text and supports authentication and access controls. Most registries now serve both, and RDAP is usually the better choice for scripts that need predictable fields.

Why does the data for the same domain look different between two whois runs?
Different clients and servers can follow the referral chain differently. One response may come from the registry, while another may include data from the registrar’s WHOIS server. Use --no-recursion when you want to stop at the registry answer.

Can I run my own WHOIS server?
Yes, but only registrars and registries have authoritative data. Self-hosted WHOIS servers are useful for internal directories (IP allocation in a large network), not for public domain lookups.

Conclusion #

whois is the answer to “who owns this”, whether the “this” is a domain, an IP, or an AS number. The output is plain text, the flags are short, and a handful of grep/awk patterns turn it into a script-friendly data source. For bulk work, slow the queries down and respect the rate limits the registries publish.

For related reading, see our guides on the dig command and the nslookup command .

Bash has been the default login shell on Ubuntu for years, and it works fine for running scripts and one-off commands. When we spend most of the day inside a terminal, though, small details start to matter: smarter tab completion, spell correction on commands, recursive globs, and rich theming. Zsh adds those features without breaking the Bash scripts we already rely on.

This guide explains how to install Zsh on Ubuntu, set it as the default shell, configure ~/.zshrc, and bolt on the Oh My Zsh framework for plugins and themes.

Quick Reference #

Prerequisites #

You need an Ubuntu system with a user account that has sudo privileges. The Zsh package comes from the default Ubuntu repositories, while the Oh My Zsh installer needs curl and git.

Install those helper packages if they are missing:

sudo apt update
sudo apt install curl git

Install Zsh #

Zsh is available in the default Ubuntu repositories. Refresh the package index and install it:

sudo apt update
sudo apt install zsh

Verify the installation by checking the Zsh version:

zsh --version

The output looks similar to:

zsh 5.9 (x86_64-ubuntu-linux-gnu)

Run Zsh for the First Time #

Start Zsh without changing your default shell yet:

zsh

The first launch opens the zsh-newuser-install configuration wizard. The relevant choices are:

• 0 exits the wizard and creates an empty ~/.zshrc so Zsh stops asking on every start.
• 1 continues to the interactive menu, where we can pick defaults for history, completion, key bindings, and a few other behaviors.
• 2 populates ~/.zshrc with the system-wide recommended defaults.
• q quits without creating a config file at all, which means the wizard runs again next time.

Pick option 0 or q if you plan to install Oh My Zsh next, since it ships its own template and will overwrite the file anyway. Otherwise, run the interactive setup to generate a sensible starting point.

Set Zsh as the Default Shell #

Once you are happy with the way Zsh behaves, change the default login shell for your user:

chsh -s $(which zsh)

Log out and log back in so the new shell takes effect. Confirm the change with:

echo $SHELL

The output should be /usr/bin/zsh or /bin/zsh, depending on your Ubuntu release and shell path layout.

If you prefer to keep Bash as the login shell and only run Zsh on demand, skip this step and start Zsh manually with zsh whenever you need it.

Edit ~/.zshrc #

The ~/.zshrc file runs every time an interactive Zsh session starts. Open it with your editor:

nano ~/.zshrc

A minimal useful starting point looks like this:

# History
HISTFILE=~/.zsh_history
HISTSIZE=10000
SAVEHIST=10000
setopt SHARE_HISTORY
setopt HIST_IGNORE_DUPS

# Completion
autoload -Uz compinit
compinit

# Aliases
alias ll='ls -lah'
alias gs='git status'

# Prompt
PROMPT='%n@%m %~ %# '

Reload the file in the current session without opening a new terminal:

source ~/.zshrc

For more on aliases, see how to create Bash aliases . The same syntax works in Zsh.

Install Oh My Zsh #

Oh My Zsh is a popular framework that ships a large catalog of plugins and themes. The official installer is the most common setup path:

To inspect the script before running it, use:

curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh -o install-oh-my-zsh.sh
less install-oh-my-zsh.sh
sh install-oh-my-zsh.sh

For a quick personal workstation setup, you can run the installer directly:

sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"

The installer clones Oh My Zsh into ~/.oh-my-zsh, backs up the existing ~/.zshrc to ~/.zshrc.pre-oh-my-zsh, and writes a new ~/.zshrc with sensible defaults.

Pick a Theme #

Open ~/.zshrc and find the ZSH_THEME line. The default value is robbyrussell. Try a different theme by setting:

ZSH_THEME="agnoster"

The agnoster theme uses powerline-style segments and requires a Nerd Font for the special glyphs. If you want to sample themes without installing extra fonts first, use ZSH_THEME="random" to cycle themes on every login until you find one you like.

Reload the configuration to apply the new theme:

source ~/.zshrc

Enable Plugins #

Plugins extend Zsh with completion definitions, shortcuts, and visual aids. Edit the plugins=() line in ~/.zshrc and add the plugins you want:

plugins=(git docker kubectl sudo zsh-autosuggestions zsh-syntax-highlighting)

git, docker, kubectl, and sudo ship with Oh My Zsh. zsh-autosuggestions and zsh-syntax-highlighting are external plugins. Install them with:

git clone https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions
git clone https://github.com/zsh-users/zsh-syntax-highlighting.git ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-syntax-highlighting

Reload ~/.zshrc to activate them:

source ~/.zshrc

zsh-autosuggestions shows a faded completion based on your history as you type. Press the right arrow key to accept it. zsh-syntax-highlighting colors valid commands green and unknown commands red, which catches typos before you press Enter.

Useful Built-in Features #

Zsh ships several features that are not available in Bash without extra setup:

• Recursive glob patterns: ls **/*.log lists every .log file under the current directory.
• Globbing qualifiers: ls *(.) lists only regular files; ls *(/) lists only directories.
• Spell correction: setopt CORRECT prompts you to fix mistyped commands.
• Sharing history across sessions in real time with setopt SHARE_HISTORY.

Troubleshooting #

chsh reports “non-standard shell”
Make sure /usr/bin/zsh is listed in /etc/shells. If it is missing, add it with echo $(which zsh) | sudo tee -a /etc/shells and run chsh again.

Zsh starts but the prompt is broken on a remote SSH session
The theme probably depends on a Nerd Font that the local terminal does not have. Switch to a simpler theme such as robbyrussell or install a Nerd Font in the terminal application.

Plugins are listed but nothing happens
Check the ZSH_CUSTOM path matches where you cloned the plugin. Run ls ~/.oh-my-zsh/custom/plugins to confirm the plugin directory exists, then reload ~/.zshrc.

Conclusion #

From here we can keep tweaking ~/.zshrc to match the way we work: add aliases for repetitive commands, pin a theme that reads well in the terminal we use most, and pull in plugins as new tools enter the workflow. The alias syntax matches Bash, so existing alias workflows carry over without changes.

Bash treats everything as a string by default, which catches many people out the first time they write total=$count+1 and end up with the literal text 5+1 instead of 6. The shell has dedicated arithmetic forms that evaluate numeric expressions properly, but they only handle integers; for floating-point math you reach for bc or awk. Once you know which form to use where, the math is short and predictable.

This guide explains how Bash arithmetic works, the differences between (( )), $(( )), and let, and how to combine them with external tools when you need decimals.

Why Plain Assignment Does Not Add #

A first attempt at incrementing a variable usually looks like this:

count=5
total=$count+1
echo "$total"

5+1

The shell sees $count as the string 5, joins it with +1, and assigns the result. To force numeric evaluation, use one of the arithmetic forms below.

The (( )) Compound Command #

Wrap an expression in double parentheses to evaluate it as integer math:

count=5
(( count = count + 1 ))
echo "$count"

6

Inside (( )), variable names work without $, the C-style operators are available (+, -, *, /, %, **, ++, --, <<, >>, &, |, ^, &&, ||), and the exit status of the whole expression is non-zero when the result is 0, which means you can use arithmetic in if:

if (( count > 5 )); then
 echo "count is above 5"
fi

count is above 5

The shortcut increment and decrement operators read cleanly in loops:

for (( i = 0; i < 3; i++ )); do
 echo "i=$i"
done

i=0
i=1
i=2

(( )) is the right form when you assign back to a variable or use the result for control flow. It does not print anything to standard output.

The $(( )) Expansion #

When you want the value of an expression rather than the side effect, use the $(( )) arithmetic expansion. The result is substituted into the surrounding command like any other expansion:

count=5
echo "Next: $(( count + 1 ))"

Next: 6

$(( )) is the right form for inline math inside echo, assignments to other variables, command arguments, and printf:

files=42
echo "Average: $(( files / 7 )) per day"

Average: 6 per day

Notice that the division truncates: 42 / 7 happens to be exact, but 43 / 7 would yield 6, not 6.14. Bash arithmetic is integer-only; the decimal part is silently discarded.

The let Builtin #

let is the older builtin for arithmetic. It evaluates each argument as an expression:

let "count = 5 + 1"
echo "$count"

6

let is mostly historical at this point. (( )) does the same work without the quoting trap (let count=* would expand the * as a glob unless quoted) and reads more cleanly. New scripts should prefer (( )); let is worth recognizing in code you inherit.

Operators You Will Actually Use #

Bash supports a wide list of arithmetic operators. These are the ones that come up in everyday scripts:

• +, -, *, /, % - Standard arithmetic and remainder.
• ** - Exponentiation.
• ++, -- - Increment and decrement, prefix or postfix.
• +=, -=, *=, /=, %= - Compound assignment.
• ==, !=, <, <=, >, >= - Numeric comparison (inside (( ))).
• &&, ||, ! - Logical AND, OR, NOT.
• <<, >>, &, |, ^, ~ - Bitwise shifts and operations.

A small example that uses several:

size=1024
if (( size > 0 && size % 2 == 0 )); then
 echo "Power of two? $(( (size & (size - 1)) == 0 ? 1 : 0 ))"
fi

Power of two? 1

The ternary operator (? :) works inside arithmetic contexts, which keeps short branches readable without nesting if.

Number Bases #

Bash arithmetic supports several integer bases. Prefix a number to declare its base:

• 0xNN for hexadecimal.
• 0NN for octal.
• BASE#NNN for any base from 2 to 64.

Examples:

echo "$(( 0xff ))"
echo "$(( 0755 ))"
echo "$(( 2#1010 ))"

255
493
10

Watch out for leading zeros: 08 is interpreted as octal and rejected because 8 is not a valid octal digit. If user input may include leading zeros (HTTP status codes parsed from a string, timestamps), strip them before arithmetic with ${var#0} or use the explicit 10# base prefix:

value="08"
echo "$(( 10#$value ))"

8

Floating-Point Math with bc #

Bash itself cannot do decimal math, but it is happy to call out to a tool that can. bc is the arbitrary-precision calculator that ships with most distributions:

echo "scale=2; 43 / 7" | bc

6.14

The scale=2 directive sets two decimal places of precision. Without it, bc truncates the division the same way Bash does. Use a higher scale for currency or scientific work:

echo "scale=10; 4*a(1)" | bc -l

3.1415926532

The -l flag loads the math library, which gives you s (sine), c (cosine), a (arctangent), l (natural log), e (exponential), and sqrt. The expression above computes pi from 4 * arctan(1).

To capture the result into a variable:

pi=$(echo "scale=4; 4*a(1)" | bc -l)
echo "pi = $pi"

pi = 3.1415

bc is the right tool when you need genuine decimals and do not want a heavyweight dependency. For one-off interactive calculations, run bc -l and type expressions at its prompt.

Floating-Point Math with awk #

awk is the other obvious choice and is often faster because it does not start a separate calculator process. Use awk for inline expressions inside scripts:

rate=$(awk 'BEGIN { printf "%.2f\n", 43 / 7 }')
echo "rate = $rate"

rate = 6.14

printf inside awk works the same way as the C function, with %.2f controlling the number of decimal places. For a percentage:

pct=$(awk -v a=23 -v b=89 'BEGIN { printf "%.1f%%\n", (a / b) * 100 }')
echo "pct = $pct"

pct = 25.8%

Pass values into awk with -v name=value rather than building the expression by string concatenation; the -v form avoids quoting headaches and shell-injection issues when the inputs come from user data.

Increment Counters in a Loop #

Counter loops are the bread and butter of arithmetic in scripts, and they lean on the increment and decrement operators . Two equivalent forms work; pick the one that reads best:

count=0
while IFS= read -r line; do
 (( count++ ))
done < input.txt
echo "Lines: $count"

count=0
while IFS= read -r line; do
 count=$(( count + 1 ))
done < input.txt
echo "Lines: $count"

The (( count++ )) form is shorter and is what most authors prefer. Both produce the same result and run at the same speed.

If the script uses set -e, avoid (( count++ )) when count may start at zero. The arithmetic command returns a failure status when the expression evaluates to 0, so the first increment can stop the script. Use pre-increment or assignment instead:

(( ++count ))
(( count += 1 ))

Troubleshooting #

syntax error in expression
A variable that should hold a number contains non-numeric characters (often a leading or trailing space from read, or a stray letter). Inside (( )) and $(( )), Bash reports a syntax error on the offending token. Trim the input with ${var//[[:space:]]/} or validate it before the arithmetic line.

division by 0
A divisor evaluated to zero, often because the variable was empty and Bash treated it as 0. Quote the expansion in your check (if [ -n "$divisor" ]) before the divide, and either skip the operation or substitute a default with ${divisor:-1}.

Result is 0 when it should be a fraction
Bash arithmetic is integer-only. Switch to bc with an explicit scale= or to awk with %.Nf formatting for decimal output.

FAQ #

When should I use (( )) versus $(( ))?
Use (( )) for assignments and control flow (if, while, for). Use $(( )) when you want the value substituted into a surrounding command. They share the same expression syntax.

Can I do floating-point math without an external tool?
Not in Bash. ksh93 and zsh support floating-point in their arithmetic contexts; Bash does not. For Bash, route decimals through bc or awk.

Is there a performance difference between bc and awk?
awk is usually faster because it runs entirely inside a single process and does not communicate over a pipe. For one-off calculations the difference is negligible; in a tight loop, prefer awk or precompute the values with a single awk call instead of running bc per iteration.

Conclusion #

Reach for (( )) and $(( )) whenever a script needs counters, conditions, or quick integer math, and switch to bc or awk the moment decimals enter the picture. Pair that habit with Bash strict mode and the patterns in our Bash best practices guide so numeric code keeps working even when the inputs do not.

Once you move past single-container tests, the next problem is communication. A web application needs to reach its database, a reverse proxy needs to forward traffic to an app server, and none of those internal services should be exposed to the public internet by accident.

Docker networking handles that traffic. The defaults work for quick tests, but production-like setups are easier to manage when you understand networks, drivers, DNS names, and published ports. This guide explains how Docker networking works and walks through practical examples for connecting and isolating containers.

How Docker Networking Works #

When the Docker daemon starts, it creates three networks automatically: bridge, host, and none. You can see them with docker network ls:

docker network ls

NETWORK ID NAME DRIVER SCOPE
b84a2c1f9d8e bridge bridge local
c1f3a7b2d4e5 host host local
e7d6a8c2b1f4 none null local

Each network uses a driver that decides how containers on that network communicate:

• bridge - Creates an isolated virtual network on one Docker host.
• host - Removes network namespace isolation and uses the host network directly.
• none - Starts the container with only a loopback interface.

The bridge driver is the default and works for most single-host applications. For anything beyond a quick test, create a user-defined bridge network instead of relying on the default bridge network. User-defined networks give containers automatic DNS resolution by name and keep unrelated services separated.

The Default Bridge Network #

When you start a container without specifying a network, Docker attaches it to the default bridge network. Containers on this network can reach each other by IP address, but not by container name, which makes configuration brittle.

Start two containers on the default network:

docker run -d --name default_web1 nginx
docker run -d --name default_web2 nginx

Inspect the default bridge to see both containers and their IP addresses:

docker network inspect bridge

The output includes a Containers section listing each container with its assigned IP address. Containers on the default bridge can communicate with those addresses, but a name such as default_web2 does not resolve automatically from default_web1. That is the main reason to avoid the default bridge for application stacks.

Creating a User-Defined Bridge Network #

User-defined bridge networks solve the name resolution problem and let you group related containers together. Create one with docker network create:

docker network create app_net

a1b2c3d4e5f67890123456789abcdef0

Now run containers on that network by passing --network:

docker run -d --name net_web --network app_net nginx
docker run -d --name net_client --network app_net alpine sleep 3600

From inside net_client, you can reach net_web by container name:

docker exec -it net_client ping -c 2 net_web

PING net_web (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.098 ms
64 bytes from 172.18.0.2: seq=1 ttl=64 time=0.074 ms

The embedded Docker DNS server resolves the container name to the correct IP address. If you add or remove containers, the DNS records update automatically, so you do not have to track container IP addresses yourself.

Publishing Ports to the Host #

Containers on a bridge network are reachable from other containers on the same network, but not from outside the Docker host unless you publish a port. Use -p host_port:container_port with docker run:

docker run -d --name port_web -p 8080:80 nginx

Nginx listens on port 80 inside the container, and Docker forwards traffic from port 8080 on the host to it. A browser pointed at http://localhost:8080 reaches the container.

You can publish multiple ports by repeating the flag:

docker run -d --name port_app -p 8081:80 -p 8443:443 nginx

By default, Docker publishes the port on all host interfaces. To bind only to a specific host interface, prefix the host port with the address:

docker run -d --name loopback_web -p 127.0.0.1:8082:80 nginx

This binds the port to the loopback interface only. The container is reachable from the host itself, but not from other machines on the network.

Connecting a Running Container to a Network #

A container is not locked to the network it was started on. You can attach a running container to an additional network with docker network connect:

docker network connect app_net default_web1

After connecting, default_web1 has an IP address on both its original network and app_net. Containers on either network can reach it through the network they share. This is useful when a service needs to talk to more than one group of containers, for example a shared logger or monitoring agent.

To remove a container from a network, use docker network disconnect:

docker network disconnect app_net default_web1

Isolating Containers with Separate Networks #

Multiple user-defined networks act as separate network segments. Containers on different networks cannot reach each other unless one of them is explicitly connected to both. This makes it simple to isolate a frontend tier from a database tier.

Create two networks:

docker network create frontend_net
docker network create backend_net

Start a database on backend_net, an application container on both networks, and a web server on frontend_net:

docker run -d --name db_net --network backend_net -e POSTGRES_PASSWORD=localpass postgres:16-alpine
docker run -d --name app_net_demo --network backend_net alpine sleep 3600
docker network connect frontend_net app_net_demo
docker run -d --name web_net --network frontend_net -p 8083:80 nginx

The web_net container can reach app_net_demo over frontend_net, and app_net_demo can reach db_net over backend_net. The web_net container cannot reach db_net directly because they do not share a network. If the web container is compromised, it cannot open a connection to the database without going through the application layer.

The host Network Driver #

The host driver skips network namespace isolation and attaches the container directly to the host network. The container shares the host network interfaces, so any port it listens on is immediately available on the host:

docker run --rm -d --name host_nginx --network host nginx

Nginx is now reachable on port 80 of the host with no port publishing. In host mode, -p, --publish, and --publish-all are ignored because there is no separate container network namespace to map from.

Use host networking only when you specifically need it, such as for very high port counts or when the application must bind directly to host interfaces. The trade-off is weaker network isolation and possible port conflicts with services already running on the host.

Host networking is native to Docker Engine on Linux. Docker Desktop supports host networking in version 4.34 and later, but it must be enabled in Docker Desktop settings.

The none Network Driver #

The none driver disables external networking for the container. The container gets a loopback interface and nothing else:

docker run --rm --network none alpine ip addr

This is useful for batch jobs that process local files and should not reach the network.

Inspecting Networks #

docker network inspect prints the full configuration of a network in JSON:

docker network inspect app_net

The output includes the subnet, gateway, driver options, and a list of every container attached to the network with its IPv4 and IPv6 addresses. When a container cannot reach another container, this is usually the first place to look.

For a quick overview across all bridge networks, use a filter:

docker network ls --filter driver=bridge

You can also inspect a container to see its network attachments:

docker inspect net_web

Look for the NetworkSettings.Networks section in the output.

Removing Networks #

Unused networks remain on the host until you remove them. Delete a single network with docker network rm:

docker network create temp_net
docker network rm temp_net

The removal command fails if any containers are still attached. Stop or disconnect those containers first, then retry.

To clean up every user-defined network that is not in use, run:

docker network prune

Docker asks for confirmation and then removes idle user-defined networks. The built-in bridge, host, and none networks are not removed.

Docker Compose Networking #

When you run applications with Docker Compose , Compose creates a dedicated default network for each project and attaches every service to it. Services reach each other by service name without extra configuration:

services:
 web:
 image: nginx
 ports:
 - "8080:80"

 db:
 image: postgres:16-alpine
 environment:
 POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}

Define the password in a local .env file:

POSTGRES_PASSWORD=change-this-password

From the web service, db resolves to the database container IP address. You can also declare multiple named networks under a top-level networks key and attach services selectively, which mirrors the frontend and backend split shown earlier.

Quick Reference #

For a printable quick reference, see the Docker cheatsheet .

Troubleshooting #

Containers cannot reach each other by name
Name-based DNS works on user-defined networks. If you started the containers on the default bridge network, recreate them on a user-defined network, or attach them with docker network connect.

Port is already allocated when publishing
Another process on the host is already using that port. Pick a different host port, or find and stop the conflicting process with lsof -i :PORT .

Cannot remove a network
The network still has containers attached. List them with docker network inspect NAME, disconnect or stop them, and try again.

Service is unreachable from the host after publishing a port
Check that the service inside the container is listening on 0.0.0.0, not only on 127.0.0.1. A service bound to the container loopback interface is not reachable through the published port.

The -p option does not work with host networking
Published ports are ignored when a container uses --network host. The container is already using the host network directly, so it must listen on the desired host port itself.

FAQ #

What is the difference between a bridge and a host network?
A bridge network creates an isolated virtual network for containers and requires port publishing to expose services on the host. A host network attaches the container directly to the host network, with no separate container network namespace and no port publishing.

Do containers on the same user-defined bridge network need published ports to talk to each other?
No. Port publishing controls access from the host or external network. Containers on the same user-defined network reach each other directly on the container port.

Can two containers share the same name on different networks?
No. Container names are unique per Docker daemon, regardless of how many networks they are attached to. Network-scoped aliases, set with --network-alias, can overlap across networks.

Why does ping not work from some containers?
Some minimal images do not include ping. Alpine includes it by default, which makes it useful for quick network tests. Other images may require installing the relevant package, or you can use a temporary troubleshooting image.

Conclusion #

Docker networking becomes easier to manage when each application gets its own user-defined network and only public-facing services publish ports. For more Docker basics, see the docker run and docker exec guides.

Nginx is a fast, lightweight web server that serves static content, terminates TLS, and proxies requests to application servers behind it. Debian 13 Trixie ships Nginx in its main apt repository, which makes the install a single command on a fresh system.

This guide explains how to install Nginx on Debian 13, open the firewall, manage the service with systemd, and create a basic server block for your first site.

Prerequisites #

You will need a Debian 13 server with a sudo user. UFW should be installed and active so the install is firewalled by default.

Quick Reference #

Step 1: Update the Package Index #

Refresh apt so it sees the latest package metadata before the install:

sudo apt update

The output lists the repositories that were checked. A clean run finishes without errors.

Step 2: Install Nginx #

Install the nginx package:

sudo apt install nginx

The default install pulls in the nginx-common package, the systemd unit, and the standard set of modules. apt also creates the www-data user that owns the document root and runs the worker processes.

Confirm the version:

nginx -v

nginx version: nginx/1.26.3

The exact version may differ as Debian publishes point updates, but 1.26.x is the version that ships with Debian 13 Trixie.

Step 3: Allow HTTP and HTTPS in UFW #

The Nginx package registers application profiles with UFW. Allow both HTTP and HTTPS in one rule:

sudo ufw allow 'Nginx Full'

Verify the rule is in place:

sudo ufw status

Status: active
To Action From
-- ------ ----
Nginx Full ALLOW Anywhere
OpenSSH ALLOW Anywhere

If you only need HTTP for now, replace the rule with Nginx HTTP. Switch to Nginx Full later when you add TLS.

Step 4: Manage the Nginx Service with systemd #

The Nginx package starts the service at install time and enables it for boot. Confirm both:

systemctl is-active nginx
systemctl is-enabled nginx

active
enabled

If the service is not running, start it:

sudo systemctl start nginx

The most common service operations are restart, reload, and status:

sudo systemctl restart nginx
sudo systemctl reload nginx
systemctl status nginx

reload re-reads the configuration without dropping connections and is the right command after editing a server block. restart stops and starts the service, which is only needed when the binary itself changes.

Step 5: Verify the Default Page #

Open a browser and visit the server’s IP, or use curl:

curl -I http://localhost

HTTP/1.1 200 OK
Server: nginx/1.26.3
Content-Type: text/html

A 200 OK response confirms Nginx is serving the default page. The default document root is /var/www/html/ and contains an index.nginx-debian.html welcome page.

Step 6: Create Your First Server Block #

Server blocks are how Nginx serves multiple sites from a single host. Create the document root for the new site:

sudo mkdir -p /var/www/example.com/html
sudo chown -R $USER:$USER /var/www/example.com/html
echo '<h1>Hello from example.com</h1>' | sudo tee /var/www/example.com/html/index.html

Create a server block file:

sudo nano /etc/nginx/sites-available/example.com

Paste the following configuration and adjust the domain name:

server {
 listen 80;
 listen [::]:80;

 server_name example.com www.example.com;

 root /var/www/example.com/html;
 index index.html;

 location / {
 try_files $uri $uri/ =404;
 }
}

Enable the site by creating a symlink in sites-enabled:

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

Test the configuration before reloading:

sudo nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Reload Nginx so the new server block takes effect:

sudo systemctl reload nginx

Visit the domain to verify the site loads. If the domain does not yet point at the server, edit /etc/hosts on a workstation or use curl --resolve example.com:80:SERVER_IP http://example.com/ to test.

Important Nginx Files and Directories #

The default Debian layout splits configuration across several locations:

• /etc/nginx/nginx.conf is the main configuration file.
• /etc/nginx/sites-available/ holds the server block templates.
• /etc/nginx/sites-enabled/ holds symlinks to the active server blocks.
• /etc/nginx/snippets/ is for shared configuration snippets such as TLS hardening.
• /var/log/nginx/access.log and /var/log/nginx/error.log are the log files.
• /var/www/html/ is the default document root.

Troubleshooting #

Default page does not load
Check that the service is running with systemctl status nginx. If it is not, run sudo nginx -t to spot configuration errors. UFW may also block port 80; confirm with sudo ufw status.

bind() to 0.0.0.0:80 failed (98: Address already in use)
Another web server is bound to port 80. Apache is the usual culprit on Debian. Stop it with sudo systemctl stop apache2 and disable it on boot with sudo systemctl disable apache2.

Server block returns 404
The symlink in sites-enabled is missing or points to the wrong file. List it with ls -l /etc/nginx/sites-enabled/. Recreate the symlink and reload Nginx.

nginx -t reports duplicate default_server
Two server blocks set listen 80 default_server. Only one can be the default. Remove the keyword from the new server block and reload.

Conclusion #

Nginx on Debian 13 is one apt command away. Stick with the Debian package for general-purpose use, and switch to the upstream nginx.org repository when you need a feature only the latest mainline release supports.

Podman is a daemonless container engine that runs OCI containers without a long-lived root process. Each container is started as a regular user-owned process, which removes the privileged daemon that Docker relies on and makes containers safer to run on shared servers. The command-line surface mirrors Docker almost exactly, so most Dockerfiles, image references, and docker run patterns work with little to no change.

This guide explains how to install Podman on Ubuntu, configure rootless mode, run your first container, and use Podman as a drop-in replacement for the Docker CLI.

Quick Reference #

Install Podman #

Podman has been part of the Ubuntu universe repository since 20.10, so on every supported release you can install it through apt without adding a third-party PPA.

Update the package index, then install:

sudo apt update
sudo apt install podman

Confirm the version:

podman --version

podman version 5.7.0

Ubuntu 26.04 ships Podman 5.7 from the universe repository. Ubuntu 24.04 ships the 4.9 series, while Ubuntu 22.04 ships the 3.4 series, so the exact version depends on the Ubuntu release you are using.

Verify the Rootless Setup #

Podman supports both root and rootless modes, and the rootless mode is the one most users want. Run podman info as your regular user and look for rootless: true:

podman info | head -20

host:
arch: amd64
cgroupManager: systemd
...
security:
rootless: true

Two pieces have to be in place for rootless containers to work: subordinate UID/GID mappings, and a user namespace. Ubuntu sets both up automatically on first run, but you can confirm with:

cat /etc/subuid /etc/subgid

sara:100000:65536
sara:100000:65536

Each user gets a range of 65,536 subordinate UIDs and GIDs that Podman uses to map container processes to non-overlapping host IDs. If the file is missing your user, add an entry with sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 sara and run podman system migrate to apply the change.

Run Your First Container #

Pull and run an Nginx container in detached mode, exposing port 8080 on the host:

podman run -d --name web -p 8080:80 nginx

Resolved "nginx" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob sha256:...
Writing manifest to image destination
Storing signatures
2b9bd4e1f3...

Check that the container is running:

podman ps

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2b9bd4e1f3a8 docker.io/library/nginx:latest nginx -g daemon o... 10 seconds ago Up 10 seconds 0.0.0.0:8080->80/tcp web

Hit the published port from the host:

curl -I http://localhost:8080

HTTP/1.1 200 OK
Server: nginx/1.27.4

The response confirms that the user-mode network stack forwarded the request into the container correctly. Stop and remove the container with:

podman rm -f web

Configure Registries #

By default Podman searches a configured list of registries when you run podman pull nginx (without a registry prefix). The list lives in /etc/containers/registries.conf. To prefer Docker Hub, edit the file:

sudo nano /etc/containers/registries.conf

Set the unqualified-search registries:

unqualified-search-registries = ["docker.io", "quay.io"]

Save and exit. From now on podman pull alpine resolves to docker.io/library/alpine:latest, which matches Docker’s default behavior. Save yourself confusion by always pulling with the full reference (podman pull docker.io/library/alpine) in scripts and CI pipelines.

Use Podman as a Docker Replacement #

If you already have shell history, Makefiles, or scripts that call docker, install the alias package and keep them working:

sudo apt install podman-docker

The package adds a /usr/bin/docker symlink that points to podman, plus a stub that suppresses the daemon-not-running warning. Test it:

docker run --rm hello-world

Hello from Docker!

Behind the scenes, docker run invoked podman run. Most everyday commands (build, pull, push, images, ps, logs, exec) work identically. The differences show up around Docker Compose and the daemon socket; Podman 4 ships its own socket that Docker Compose can target by setting DOCKER_HOST.

Build an Image with a Dockerfile #

Podman builds OCI images from a standard Dockerfile, no changes required. Create a small Flask app to demonstrate:

mkdir hello-podman && cd hello-podman
nano app.py

from flask import Flask

app = Flask(__name__)


@app.route("/")
def index():
 return "Hello from Podman!"


if __name__ == "__main__":
 app.run(host="0.0.0.0", port=5000)

Write the Dockerfile:

FROM python:3.12-slim
WORKDIR /app
RUN pip install --no-cache-dir flask
COPY app.py .
EXPOSE 5000
CMD ["python", "app.py"]

Build the image:

podman build -t hello-podman .

STEP 1/6: FROM python:3.12-slim
STEP 2/6: WORKDIR /app
...
Successfully tagged localhost/hello-podman:latest

Run a container from the new image:

podman run -d --name hello -p 5000:5000 hello-podman
curl http://localhost:5000

Hello from Podman!

The image and container both live in the user’s storage (~/.local/share/containers), so no sudo is involved at any step.

Run Pods of Containers #

The name “Podman” comes from its support for Kubernetes-style pods: groups of containers that share a network namespace. Create an empty pod, then add containers to it:

podman pod create --name webapp -p 8080:80
podman run -d --pod webapp --name redis redis:7
podman run -d --pod webapp --name nginx nginx

Inside the pod, nginx can reach Redis at localhost:6379 because they share the network namespace. List pods with:

podman pod ps

POD ID NAME STATUS CREATED INFRA ID # OF CONTAINERS
8f4d7b8c0e1f webapp Running 20 seconds ago c2a8f9b1d3e4 3

The count of three includes an infra container that holds the shared namespaces.

Run Podman as a systemd Service #

To start a container at boot in rootless mode, use a Quadlet container unit. Quadlet is Podman’s current systemd integration method and keeps the container definition in a small, readable file.

mkdir -p ~/.config/containers/systemd
nano ~/.config/containers/systemd/web.container

Add the container definition:

[Unit]
Description=Rootless Nginx container

[Container]
Image=docker.io/library/nginx:latest
ContainerName=web
PublishPort=8080:80

[Service]
Restart=always

[Install]
WantedBy=default.target

Reload the user systemd manager, then start the generated service:

systemctl --user daemon-reload
systemctl --user start web.service

Enable lingering so the user services keep running after logout:

sudo loginctl enable-linger sara

The [Install] section tells the Podman systemd generator to attach the service to the user’s default target. The container now starts without root or a system-wide daemon.

Troubleshooting #

Error: short-name "nginx" did not resolve to an alias
The unqualified-search-registries list is empty. Edit /etc/containers/registries.conf and add at least docker.io, or pull with the full reference (podman pull docker.io/library/nginx).

ERRO[0000] cannot find UID/GID for user
The current user has no entry in /etc/subuid or /etc/subgid. Run sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER, then podman system migrate.

Ports under 1024 refuse to bind in rootless mode
The kernel restricts low ports for non-root users. Either publish to a high port (-p 8080:80), or allow your user to bind low ports with sudo sysctl net.ipv4.ip_unprivileged_port_start=80.

FAQ #

Is Podman a drop-in Docker replacement?
For everyday run, build, pull, push, and exec workflows, yes. Compose and the long-lived socket need extra setup. Most CI jobs only need the CLI and switch over without changes.

Does Podman work with Docker Compose?
Yes. Start the Podman socket with systemctl --user enable --now podman.socket, export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock, and run docker compose up.

Are Podman images compatible with Docker?
Yes. Both produce OCI-compliant images, so an image built with podman build runs unchanged under Docker, and vice versa.

Conclusion #

Podman gives you the Docker workflow without the daemon and without root, which is often what you want on a multi-user server or a developer workstation. Install it from apt, alias docker if you have existing scripts, and the rest of the CLI feels familiar.

For follow-up reading, see our guides on installing Docker on Ubuntu 26.04 and building Docker images with a Dockerfile .

When you write Bash scripts, many small text tasks do not need sed, awk, or another external command. Parameter expansion can extract part of a string, replace text, strip a prefix, or change case directly inside ${}.

This guide covers the most useful string operations with practical examples for each one.

String Length #

Get the number of characters in a variable using ${#variable}:

filename="backup-2026-04-14.tar.gz"
echo "${#filename}"

24

This returns the character count. For strings that contain only ASCII characters, the character count and byte count are the same.

Extracting a Substring #

Use ${variable:offset:length} to extract part of a string:

str="Hello, World"
echo "${str:7:5}"

World

The offset is zero-based, so 7 starts at the eighth character. 5 is how many characters to return.

Omit the length to extract from the offset to the end of the string:

echo "${str:7}"

World

Negative offsets count from the end of the string. Note the space before the minus sign; it is required to avoid being interpreted as the :- default value syntax:

echo "${str: -5}"

World

Replacing a Substring #

Use ${variable/pattern/replacement} to replace the first match of a pattern:

path="/var/log/app/error.log"
echo "${path/log/logs}"

/var/logs/app/error.log

Only the first occurrence is replaced. To replace every occurrence, double the forward slash:

echo "${path//log/logs}"

/var/logs/app/error.logs

Leave the replacement empty to delete a substring:

version="v1.2.3"
echo "${version/v/}"

1.2.3

The pattern supports glob characters: * matches any sequence of characters, ? matches a single character, and [...] matches a character class.

Removing a Prefix #

Use # to remove a prefix from the beginning of a string. The shortest matching prefix is removed:

file="photo.backup.tar.gz"
echo "${file#*.}"

backup.tar.gz

Use ## to remove the longest possible matching prefix:

echo "${file##*.}"

gz

A common use is stripping a directory path to get just the filename:

filepath="/home/user/documents/report.pdf"
echo "${filepath##*/}"

report.pdf

Removing a Suffix #

Use % to strip a suffix from the end of a string. The shortest match is removed:

file="photo.backup.tar.gz"
echo "${file%.*}"

photo.backup.tar

Use %% for the longest match:

echo "${file%%.*}"

photo

Combining prefix and suffix removal is a clean way to extract a bare filename from a path:

filepath="/home/user/documents/report.pdf"
base="${filepath##*/}"
name="${base%.*}"
echo "$name"

report

Changing Case #

Convert a string to uppercase with ^^:

greeting="hello, world"
echo "${greeting^^}"

HELLO, WORLD

Convert to lowercase with ,,:

input="Hello World"
echo "${input,,}"

hello world

To capitalize only the first character, use a single ^:

word="linux"
echo "${word^}"

Linux

To lowercase only the first character, use a single ,:

word="LINUX"
echo "${word,}"

lINUX

Case conversion requires Bash 4.0 or newer. The default shell on older macOS systems ships with Bash 3.2 and does not support these operators. As a portable alternative, use tr:

echo "$greeting" | tr '[:lower:]' '[:upper:]'

Checking if a String Contains a Substring #

Use a glob pattern inside [[ ]] to test whether a string contains another string:

str="Running on Linux kernel 6.8"
if [[ "$str" == *"Linux"* ]]; then
 echo "Linux detected"
fi

Linux detected

The * wildcards match anything before and after the search pattern. The comparison is case-sensitive. To check case-insensitively, convert both sides to the same case first using ,, before comparing.

For a more detailed walkthrough of substring detection, including case-insensitive matching and edge cases, see How to Check if a String Contains a Substring in Bash . For more on [[ ]] conditionals and string comparison operators, see the guide on Bash comparison operators .

Quick Reference #

For a printable quick reference, see the Bash cheatsheet .

Conclusion #

Bash parameter expansion handles most day-to-day string operations without extra commands, which keeps scripts shorter and faster. For more on working with strings, see the guides on Bash string concatenation and splitting strings by delimiter .

When a Linux system needs a network change from a terminal, nmcli is usually the cleanest way to make it. It controls NetworkManager, the service that handles wired, wireless, VPN, and other connection profiles on many Linux desktops and servers.

This guide explains how to inspect device status, list and edit connections, join Wi-Fi networks, assign a static IP address, and get script-friendly output with nmcli.

Before You Begin #

Before changing network settings, confirm that NetworkManager is installed and running:

systemctl status NetworkManager

On distributions that use a different network stack, install NetworkManager from the package manager and enable the service before continuing. Most Ubuntu, Fedora, and Arch desktops have it preinstalled.

If you are connected over SSH , be careful with commands that disconnect an interface, change an address, or bring a profile down. A wrong gateway, IP address, or device name can drop the remote session.

nmcli Syntax #

The general nmcli syntax is:

nmcli [OPTIONS] OBJECT { COMMAND | help }

OBJECT is the part of NetworkManager you want to inspect or change. The most common objects are:

• general - show overall NetworkManager status and hostname settings
• networking - enable, disable, or check networking
• radio - control Wi-Fi and WWAN radio switches
• device - show and manage network interfaces
• connection - show and manage saved connection profiles
• monitor - watch NetworkManager events in real time

You can abbreviate most objects, for example nmcli con show instead of nmcli connection show, but the full form is clearer in scripts and documentation.

Show General Status #

The general subcommand reports the overall NetworkManager state, the hostname, and whether networking is enabled:

nmcli general status

STATE CONNECTIVITY WIFI-HW WIFI WWAN-HW WWAN
connected full enabled enabled enabled enabled

Read or change the system hostname through the same subcommand:

nmcli general hostname
sudo nmcli general hostname server01

The second form writes the new hostname to /etc/hostname and updates the kernel value without a reboot. For more hostname options, see the guide on changing the hostname in Linux .

Manage Devices #

A device in NetworkManager is a physical or virtual interface, for example eth0, wlan0, or wg0. List every known device with:

nmcli device status

DEVICE TYPE STATE CONNECTION
eth0 ethernet connected Wired connection 1
wlan0 wifi connected home-wifi
lo loopback unmanaged --

Show detailed properties of a single device, including the MAC address, driver, and current IP configuration:

nmcli device show eth0

Bring an interface up or down without changing the underlying connection profile:

sudo nmcli device connect eth0
sudo nmcli device disconnect eth0

disconnect stops the connection but keeps the profile available for the next connect call. Do not disconnect the device that carries your current SSH session unless you have another access path.

Manage Connection Profiles #

NetworkManager stores each network as a connection profile under /etc/NetworkManager/system-connections/. List every profile:

nmcli connection show

NAME UUID TYPE DEVICE
Wired connection 1 3f4e... ethernet eth0
home-wifi 7a92... wifi wlan0

Activate a saved profile by name:

sudo nmcli connection up "home-wifi"

Deactivate it without deleting the profile:

sudo nmcli connection down "home-wifi"

Delete a profile when it is no longer needed:

sudo nmcli connection delete "home-wifi"

Deleting a profile removes the saved NetworkManager configuration. If you only want to stop using it for the moment, bring it down instead.

Connect to a Wi-Fi Network #

Scan for available networks. The radio must be on for the scan to return results:

nmcli device wifi list

Join an open or WPA2 network in one call. NetworkManager creates a new profile and stores the password in the system keyring:

sudo nmcli device wifi connect "home-wifi" password "secret-passphrase"