Jan 4, 2017

3. Linux network namespace (virtual network stack)

Definition
A network namespace is logically another copy of the network stack, with its own routes, firewall rules, network devices, sockets and /proc/sys/net sysctl settings. A process sees only the devices, addresses and routes of the namespace it runs in; the host's eth0 and default route simply do not exist inside a freshly created namespace.

ip [-all] netns exec [ NAME ] cmd ... - Run cmd in the named network namespace
For applications that are aware of network namespaces, the convention is to look for global network configuration files first in /etc/netns/NAME and then in /etc/.
For example, if you want a different version of /etc/resolv.conf for a network namespace used to isolate your VPN, name it /etc/netns/myvpn/resolv.conf. ip netns exec creates a mount namespace and bind-mounts the files under /etc/netns/NAME/ over their usual places in /etc/ for the command it runs, so the process sees only the namespace's copy.

Demo network topology 

Normal Linux network environment
vdkmai@Ubuntu32bit:~$ ip link list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:7a:94:3d brd ff:ff:ff:ff:ff:ff
vdkmai@Ubuntu32bit:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=53 time=35.6 ms
Create a linux network namespace
vdkmai@Ubuntu32bit:~$ ip netns
vdkmai@Ubuntu32bit:~$ sudo ip netns add demo
vdkmai@Ubuntu32bit:~$ ip netns
demo
vdkmai@Ubuntu32bit:~$ ip netns show
demo
Inside the Linux network namespace
A new namespace starts with nothing but a loopback device, and even that is down, so there is no route to anywhere yet:
vdkmai@Ubuntu32bit:~$ sudo ip netns exec demo ip link list
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
vdkmai@Ubuntu32bit:~$ sudo ip netns exec demo ping 8.8.8.8
connect: Network is unreachable
Add a veth interface pair
A veth pair behaves like a virtual cable: a frame sent into one end comes out of the other. Here eth1 is the end that stays in the host and veth1 is the end that will be moved into the namespace (the names are the author's; eth1 is not a physical NIC in this demo).
sudo ip link add eth1 type veth peer name veth1
ifconfig -a
eth0      Link encap:Ethernet  HWaddr 08:00:27:7a:94:3d 
          inet addr:192.168.0.36  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe7a:943d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2433 errors:0 dropped:0 overruns:0 frame:0
          TX packets:700 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:223427 (223.4 KB)  TX bytes:81671 (81.6 KB)
eth1      Link encap:Ethernet  HWaddr d6:7c:ab:e5:27:6c 
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:960 (960.0 B)  TX bytes:960 (960.0 B)
veth1     Link encap:Ethernet  HWaddr e2:c7:e7:12:b7:77 
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
vdkmai@Ubuntu32bit:~$ sudo ip netns exec demo ip link list
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
Add an interface to the demo namespace
After the move, veth1 no longer appears in the host's interface list and shows up inside demo with the same interface index (3):
vdkmai@Ubuntu32bit:~$ sudo ip link set veth1 netns demo
vdkmai@Ubuntu32bit:~$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 08:00:27:7a:94:3d 
          inet addr:192.168.0.36  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe7a:943d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2672 errors:0 dropped:0 overruns:0 frame:0
          TX packets:778 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:244487 (244.4 KB)  TX bytes:91619 (91.6 KB)
eth1      Link encap:Ethernet  HWaddr d6:7c:ab:e5:27:6c 
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:960 (960.0 B)  TX bytes:960 (960.0 B)
vdkmai@Ubuntu32bit:~$ sudo ip netns exec demo ip link list
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: veth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether e2:c7:e7:12:b7:77 brd ff:ff:ff:ff:ff:ff
Set IP address for eth1 interface
vdkmai@Ubuntu32bit:~$ sudo ip addr add 10.0.0.1/24 dev eth1
vdkmai@Ubuntu32bit:~$ sudo ip link set eth1 up
vdkmai@Ubuntu32bit:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:7a:94:3d 
          inet addr:192.168.0.36  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe7a:943d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3259 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1051 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:296301 (296.3 KB)  TX bytes:123618 (123.6 KB)
eth1      Link encap:Ethernet  HWaddr d6:7c:ab:e5:27:6c 
          inet addr:10.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:17 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1050 (1.0 KB)  TX bytes:1050 (1.0 KB)
Set IP address for veth1 interface inside demo namespace
vdkmai@Ubuntu32bit:~$ sudo ip netns exec demo ip addr add 10.0.0.2/24 dev veth1
vdkmai@Ubuntu32bit:~$ sudo ip netns exec demo ip addr list
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: veth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether e2:c7:e7:12:b7:77 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.2/24 scope global veth1
       valid_lft forever preferred_lft forever
vdkmai@Ubuntu32bit:~$ sudo ip netns exec demo ip link set veth1 up
vdkmai@Ubuntu32bit:~$ sudo ip netns exec demo ifconfig
veth1     Link encap:Ethernet  HWaddr e2:c7:e7:12:b7:77 
          inet addr:10.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::e0c7:e7ff:fe12:b777/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:940 (940.0 B)  TX bytes:828 (828.0 B)
Test connection
vdkmai@Ubuntu32bit:~$ ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_req=1 ttl=64 time=0.024 ms
^C
--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.024/0.024/0.024/0.000 ms
vdkmai@Ubuntu32bit:~$ sudo ip netns exec demo ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_req=1 ttl=64 time=0.024 ms
^C
--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.024/0.024/0.024/0.000 ms
vdkmai@Ubuntu32bit:~$ sudo ip netns exec demo ping 8.8.8.8
connect: Network is unreachable
Give the demo namespace Internet access through the host
Three things are needed: IP forwarding on the host, a NAT rule so that replies come back to eth0, and a default route inside the namespace pointing at the host end of the veth pair (10.0.0.1).

Set ip_forward value
vdkmai@Ubuntu32bit:~$ cat /proc/sys/net/ipv4/ip_forward
0
vdkmai@Ubuntu32bit:~$ echo 1 > /proc/sys/net/ipv4/ip_forward
-bash: /proc/sys/net/ipv4/ip_forward: Permission denied
vdkmai@Ubuntu32bit:~$ sudo echo 1 >/proc/sys/net/ipv4/ip_forward
-bash: /proc/sys/net/ipv4/ip_forward: Permission denied
vdkmai@Ubuntu32bit:~$ sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
vdkmai@Ubuntu32bit:~$ cat /proc/sys/net/ipv4/ip_forward
The second attempt fails because the redirection is set up by the unprivileged login shell before sudo runs; only echo is elevated, not the write to the file. Running the whole command in a root shell (third attempt) or using sudo sysctl -w net.ipv4.ip_forward=1 works. Note that this setting is global for the host's namespace: the host now forwards packets from any source, not only from demo. It is also not persistent across reboots unless written to /etc/sysctl.conf or /etc/sysctl.d/.
Set forwarding rule for iptables
vdkmai@Ubuntu32bit:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
vdkmai@Ubuntu32bit:~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j  MASQUERADE 
vdkmai@Ubuntu32bit:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  anywhere             anywhere
The rule above masquerades everything leaving eth0 regardless of source address. To limit NAT to the namespace, add -s 10.0.0.0/24 to the rule. If the filter table's FORWARD chain policy is DROP (common once Docker or a host firewall is installed), matching ACCEPT rules for 10.0.0.0/24 are also needed, otherwise forwarded packets are dropped even though ip_forward is on.
Set default gateway
vdkmai@Ubuntu32bit:~$ sudo ip netns exec demo route add default gw 10.0.0.1 veth1
vdkmai@Ubuntu32bit:~$ sudo ip netns exec demo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 veth1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 veth1
vdkmai@Ubuntu32bit:~$ sudo ip netns exec demo ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=52 time=35.5 ms
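The whole procedure above, plus the /etc/netns/NAME/resolv.conf convention from the definition, collected into one script with a matching teardown. This is an added example, not code from the original post. It assumes the same names and addresses as the demo (uplink eth0, namespace demo, veth ends eth1/veth1, 10.0.0.0/24) and a resolver of 8.8.8.8 for the namespace; the script name and the DRY_RUN variable are this example's own. Unlike the post's bare MASQUERADE rule, the NAT rule is limited to the namespace's subnet and explicit FORWARD rules are added so the setup also works when the FORWARD policy is DROP.

```shell
#!/bin/sh
# Added example (not from the original post): build and tear down the demo
# topology: host eth1 10.0.0.1 <-> veth1 10.0.0.2 inside namespace "demo",
# Internet via NAT on eth0. All names and addresses below are assumptions
# taken from the post; adjust them for your host.
# Usage: sudo ./netns-demo.sh up|down     DRY_RUN=1 prints instead of runs.
set -eu

NS=demo              # namespace name
UPLINK=eth0          # host interface that carries the real default route
HOST_IF=eth1         # veth end that stays in the host
NS_IF=veth1          # veth end moved into the namespace
HOST_ADDR=10.0.0.1
NS_ADDR=10.0.0.2
SUBNET=10.0.0.0/24
DNS=8.8.8.8          # resolver reachable from inside the namespace (assumed)

# Execute a command, or print it when DRY_RUN=1 (the printed form does not
# preserve quoting; it is for reading, not for re-running blindly).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

need_root() {
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    [ "$(id -u)" -eq 0 ] || { echo "must run as root (or set DRY_RUN=1)" >&2; exit 1; }
}

# $1 is -A (append) or -D (delete). The same match specs are used both ways,
# so teardown removes exactly the rules setup added. NAT is limited to the
# namespace's subnet; FORWARD allows the namespace out and replies back in.
fw_rules() {
    run iptables -t nat "$1" POSTROUTING -s "$SUBNET" -o "$UPLINK" -j MASQUERADE
    run iptables "$1" FORWARD -i "$HOST_IF" -o "$UPLINK" -s "$SUBNET" -j ACCEPT
    run iptables "$1" FORWARD -i "$UPLINK" -o "$HOST_IF" -d "$SUBNET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

ns_setup() {
    run ip netns add "$NS"
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    run ip link set "$NS_IF" netns "$NS"
    run ip addr add "$HOST_ADDR/24" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    run ip netns exec "$NS" ip addr add "$NS_ADDR/24" dev "$NS_IF"
    run ip netns exec "$NS" ip link set "$NS_IF" up
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip route add default via "$HOST_ADDR" dev "$NS_IF"
    # Per-namespace resolver: ip netns exec bind-mounts /etc/netns/NAME/*
    # over /etc/* for the command it runs.
    run mkdir -p "/etc/netns/$NS"
    run sh -c "echo 'nameserver $DNS' > /etc/netns/$NS/resolv.conf"
    run sysctl -w net.ipv4.ip_forward=1
    fw_rules -A
}

ns_teardown() {
    fw_rules -D
    run ip link del "$HOST_IF"      # deleting one veth end destroys its peer too
    run ip netns del "$NS"
    run rm -f "/etc/netns/$NS/resolv.conf"
    run rmdir "/etc/netns/$NS"
    # ip_forward is deliberately left as is: other routing on the host may need it.
}

case "${1:-}" in
    up)   need_root; ns_setup ;;
    down) need_root; ns_teardown ;;
    "")   ;;                        # no verb: only define the functions
    *)    echo "usage: $0 up|down   (DRY_RUN=1 to print the commands)" >&2; exit 2 ;;
esac
```

Preview with DRY_RUN=1 sh netns-demo.sh up before running it as root. Running up twice without an intervening down fails at ip netns add and would otherwise append duplicate iptables rules, so always tear down first.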
Note: To move an interface from a network namespace back to the host, use the command below. "netns 1" refers to the network namespace of PID 1, i.e. the host's initial namespace; the interface keeps its name, so it must not clash with one already present there. Deleting a namespace with ip netns del also returns physical interfaces to the host, whereas virtual ones such as veth ends are destroyed together with their peer.
sudo ip netns exec <net-name> ip link set <interface-name> netns 1