@Ivanshamir
Last active March 2, 2024 22:18
1. Networking using Linux network namespaces

Commands:

Let's get familiar with some necessary terms first:
  • Network interfaces allow us to establish communication between a network and a device.
  • Routes define traffic paths. Definition: a route in networking specifies the path for network traffic from source to destination.
  • iptables configures packet filtering. Definition: iptables is a user-space utility for configuring packet filter rules in the Linux kernel's Netfilter framework. What is the Netfilter framework: iptables operates within Netfilter, the part of the Linux kernel responsible for packet filtering, network address translation (NAT) and other packet mangling tasks. Netfilter provides hooks within the Linux networking stack that let iptables intercept packets at various points in their journey through the system and apply the configured rules to them.
  • lo is the local loopback interface, used for testing.
  • eth0 is the primary Ethernet interface for external connections.
  1. First update apt: `sudo apt update -y`
  2. Then install the necessary packages: `sudo apt-get install tcpdump net-tools iproute2 iputils-ping iptables -y`
  3. List all the network interfaces: `ip link list`
  4. View the routing table: `ip route show`, or on older systems `sudo route -n`. Here -n means display numeric addresses instead of attempting to resolve hostnames.
  5. View the iptables rules: `sudo iptables -L`
  6. Create two namespaces: `sudo ip netns add red` and `sudo ip netns add green`
  7. List the created network namespaces: `sudo ip netns list`
  8. View the namespace files that iproute2 keeps: `sudo ls /var/run/netns/`
  9. We can enter a namespace in two ways:
  • `sudo ip netns exec red bash`
  • `sudo nsenter --net=/var/run/netns/red bash`
  10. After entering, check the available interfaces and iptables rules: `sudo ip netns exec red ip link show` and `sudo ip netns exec red ifconfig lo`. Here we will see that the lo interface is in state DOWN, so we need to bring it up.
  11. Bring up the loopback interface of the first netns: `sudo ip netns exec red ip link set lo up`
  12. Verify that the interface is properly up in the first netns: `sudo ip netns exec red ip link`
  13. Bring up the loopback interface of the second netns: `sudo ip netns exec green ip link set lo up`
  14. Verify that the interface is properly up in the second netns: `sudo ip netns exec green ip link`
  15. Create a bridge on the host: `sudo ip link add br0 type bridge`
  16. Bring up the created bridge: `sudo ip link set br0 up`
  17. List all the interfaces: `sudo ip link`
  18. Configure an IP address on the bridge: `sudo ip addr add 192.168.1.1/24 dev br0`
  19. Check whether the IP is configured: `sudo ip addr`
  20. Ping the newly added bridge IP: `ping -c 2 192.168.1.1`
  21. Create a virtual Ethernet cable (a veth pair). One end of the cable will act as the NIC inside the red namespace, while the other end will be attached to the br0 bridge; the bridge end is named veth0 and the namespace end ceth0: `sudo ip link add veth0 type veth peer name ceth0`
  22. Connect the veth0 end to the bridge br0: `sudo ip link set veth0 master br0`
  23. Bring up veth0: `sudo ip link set veth0 up`
  24. Move the ceth0 end into the netns red: `sudo ip link set ceth0 netns red`
  25. Bring up ceth0, using 'exec' to run the command inside the netns: `sudo ip netns exec red ip link set ceth0 up`
  26. List all the interfaces: `sudo ip link`
  27. Check the link status inside red: `sudo ip netns exec red ip link`
  28. For green, do the same as for red:

```
sudo ip link add veth1 type veth peer name ceth1
sudo ip link set veth1 master br0
sudo ip link set veth1 up
sudo ip link set ceth1 netns green
sudo ip netns exec green ip link set ceth1 up
sudo ip netns exec green ip link
```
  29. Set an IP address on the netns veth interfaces. For red:

```
sudo ip netns exec red ip addr add 192.168.1.10/24 dev ceth0
sudo ip netns exec red ping -c 2 192.168.1.10
sudo ip netns exec red ip route
```
  30. Check that we can reach the bridge interface from red: `sudo ip netns exec red ping -c 2 192.168.1.1`
  31. For green, do the same:

```
sudo ip netns exec green ip addr add 192.168.1.11/24 dev ceth1
sudo ip netns exec green ping -c 2 192.168.1.11
sudo ip netns exec green ip route
```
  32. Check that we can reach the bridge interface from green: `sudo ip netns exec green ping -c 2 192.168.1.1`
  33. Verify connectivity between the two netns; for that, enter the first netns environment: `sudo ip netns exec red bash`
  34. Ping the green netns to verify the connectivity: `ping -c 2 192.168.1.11`, then leave with `exit`
  35. Do the same for green:

```
sudo ip netns exec green bash
ping -c 2 192.168.1.10
exit
```
  36. As the routing table in red doesn't have a default gateway, it can't reach any machine outside the 192.168.1.0/24 range. Cmd: `sudo ip netns exec red ping -c 2 8.8.8.8`
  37. Route inside red: `sudo ip netns exec red route -n`
  38. Add a default route to red: `sudo ip netns exec red ip route add default via 192.168.1.1`
  39. Check the route inside red again: `sudo ip netns exec red route -n`
  40. Do the same for green:

```
sudo ip netns exec green ip route add default via 192.168.1.1
sudo ip netns exec green route -n
```
  41. Now look up the host machine's eth0 address: `ip addr | grep eth0`
  42. Ping from red to the host IP: `sudo ip netns exec red ping 10.42.1.201`
  43. Now if we again try to communicate with the outside, it is still unreachable: `sudo ip netns exec red ping 8.8.8.8`
  44. Run tcpdump on eth0 to see the packets: `sudo tcpdump -i eth0 icmp`
  45. As no packets are captured there, let's capture traffic on br0: `sudo tcpdump -i br0 icmp`. We can see the traffic at br0, but we don't get a response via eth0.
  46. Let's ping 8.8.8.8 from red again: `sudo ip netns exec red ping 8.8.8.8`. Although the network is now reachable, there's no way for responses to come back, because packets from external networks can't be sent directly to our 192.168.1.0/24 network.
  47. So we can make use of NAT (network address translation) by placing an iptables rule in the POSTROUTING chain of the nat table:

```
sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 ! -o br0 -j MASQUERADE
```

To verify the iptables chain and related settings: `sudo iptables -t nat -L -n -v`. Here -t nat means we select the NAT (Network Address Translation) table; the NAT table holds the rules for translating IP addresses and ports in network packets. -L is short for --list. -n specifies numeric output instead of resolving IP addresses and port numbers to their domain and service names. -v stands for "verbose".
  48. Let's try again to ping Google's DNS: `sudo ip netns exec red ping -c 2 8.8.8.8`, and now it is successful.
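Steps 1 to 40 above, collected into one reusable script. This is an added example, not code from the gist: the functions only print the commands, so the whole plan can be reviewed before it is piped into a root shell, and the same function builds red, green or any further namespace from a name, a veth index and an address. The names (br0, veth<N>/ceth<N>, red/green, 192.168.1.0/24) come from the gist; the plan/apply/check/teardown verbs are this script's own convention.

```shell
#!/bin/sh
# Added example (not part of the gist): the bridge + veth + namespace wiring
# from steps 1-40 as a parameterised plan. Nothing touches the host until a
# plan is piped into "sudo sh -e", which stops at the first failing command.

BRIDGE=br0
BRIDGE_ADDR=192.168.1.1/24

# Host side: create the bridge once and give it the gateway address.
bridge_plan() {
    printf '%s\n' \
        "ip link add $BRIDGE type bridge" \
        "ip link set $BRIDGE up" \
        "ip addr add $BRIDGE_ADDR dev $BRIDGE"
}

# One namespace: $1 = namespace name, $2 = index N for veth<N>/ceth<N>,
# $3 = address/prefix for the ceth end inside the namespace.
# The default route points at the bridge address, as in steps 38 and 40.
ns_plan() {
    ns=$1; idx=$2; addr=$3
    gw=${BRIDGE_ADDR%/*}
    printf '%s\n' \
        "ip netns add $ns" \
        "ip netns exec $ns ip link set lo up" \
        "ip link add veth$idx type veth peer name ceth$idx" \
        "ip link set veth$idx master $BRIDGE" \
        "ip link set veth$idx up" \
        "ip link set ceth$idx netns $ns" \
        "ip netns exec $ns ip link set ceth$idx up" \
        "ip netns exec $ns ip addr add $addr dev ceth$idx" \
        "ip netns exec $ns ip route add default via $gw"
}

# The gist's topology: two namespaces hanging off one bridge.
full_plan() {
    bridge_plan
    ns_plan red   0 192.168.1.10/24
    ns_plan green 1 192.168.1.11/24
}

# Connectivity checks from steps 30-35: each namespace reaches the bridge
# and the other namespace.
check_plan() {
    printf '%s\n' \
        "ip netns exec red ping -c 2 192.168.1.1" \
        "ip netns exec red ping -c 2 192.168.1.11" \
        "ip netns exec green ping -c 2 192.168.1.1" \
        "ip netns exec green ping -c 2 192.168.1.10"
}

# Deleting a namespace destroys the ceth end inside it, and a veth pair
# disappears with either end, so only the namespaces and the bridge remain.
teardown_plan() {
    printf '%s\n' \
        "ip netns del red" \
        "ip netns del green" \
        "ip link del $BRIDGE"
}

# Usage: sh netns-lab.sh plan|apply|check|teardown
case "${1:-}" in
    plan)     full_plan ;;
    apply)    full_plan     | sudo sh -e ;;
    check)    check_plan    | sudo sh -e ;;
    teardown) teardown_plan | sudo sh -e ;;
esac
```

Run `sh netns-lab.sh plan` first to read the 21 commands it would execute, then `apply`, `check`, and `teardown` when finished. Keeping the commands as printed text rather than running them inline is what makes the recipe reviewable and repeatable on a host where you do not want surprises in the bridge or routing configuration.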
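The egress part (steps 41 to 48) as an added example, again not code from the gist. It makes two preconditions explicit that the gist leaves implicit: IPv4 forwarding must be enabled for replies to cross from eth0 to br0, and the FORWARD chain must permit the bridge traffic (Docker, for instance, sets that chain's policy to DROP, which makes step 48 fail silently). It also scopes the MASQUERADE rule to the bridge subnet and the uplink only, where the gist's `-s 192.168.0.0/16 ! -o br0` would translate traffic from any 192.168.x.x source the host forwards on any interface. The `masq_audit` function reads `iptables -t nat -S POSTROUTING` output and flags rules whose source is not exactly the bridge subnet; the sample output embedded in the script is constructed, and eth0 as the uplink name is an assumption.

```shell
#!/bin/sh
# Added example (not from the gist): egress NAT for the bridge subnet with
# the forwarding preconditions spelled out, plus an audit of the nat table.

BRIDGE=br0
BR_SUBNET=192.168.1.0/24
WAN=eth0   # assumption: the host's uplink interface from step 41

# Forwarding on, bridge traffic allowed out and replies allowed back,
# MASQUERADE limited to the bridge subnet leaving via the uplink.
nat_plan() {
    printf '%s\n' \
        "sysctl -w net.ipv4.ip_forward=1" \
        "iptables -A FORWARD -i $BRIDGE -o $WAN -s $BR_SUBNET -j ACCEPT" \
        "iptables -A FORWARD -i $WAN -o $BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "iptables -t nat -A POSTROUTING -s $BR_SUBNET -o $WAN -j MASQUERADE"
}

# Read "iptables -t nat -S POSTROUTING" output on stdin and print the
# source prefix of every MASQUERADE rule, one per line.
masq_sources() {
    awk '/-j MASQUERADE/ { for (i = 1; i <= NF; i++) if ($i == "-s") print $(i+1) }'
}

# Succeed only if at least one MASQUERADE rule exists and every one of them
# has exactly $1 as its source. The gist's rule (-s 192.168.0.0/16 ! -o br0)
# fails this check.
masq_audit() {
    want=$1
    srcs=$(masq_sources)
    if [ -z "$srcs" ]; then
        echo "no MASQUERADE rule in POSTROUTING" >&2
        return 1
    fi
    bad=$(printf '%s\n' "$srcs" | grep -vxF -- "$want" || true)
    if [ -n "$bad" ]; then
        printf 'MASQUERADE source is not %s: %s\n' "$want" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample of "iptables -t nat -S POSTROUTING" output: the first
# rule is the gist's, the second is the scoped form nat_plan installs.
SAMPLE_POSTROUTING='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.0.0/16 ! -o br0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE'

# Usage: sh egress.sh plan|apply
#        sudo iptables -t nat -S POSTROUTING | sh egress.sh audit
case "${1:-}" in
    plan)  nat_plan ;;
    apply) nat_plan | sudo sh -e ;;
    audit) masq_audit "$BR_SUBNET" ;;
esac
```

After `apply`, repeat step 48 from red; if it still fails, `sudo iptables -L FORWARD -n -v` will show whether another ruleset is dropping the bridge traffic before these rules are reached. The audit is deliberately strict about the source prefix because a masquerade rule that is wider than the network it was written for keeps working long after the lab is gone, on whatever traffic happens to match it.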
