Connect the network namespace to the Internet
pgsandstrom
My situation is this: I want to be able to execute a program in a separate namespace using its own network interface. But I also want it to be able to access the internet through my physical network interface. Here is my code so far:
```shell
ip netns add private_ns
ip link add link eth1 name eth1.100 type vlan id 100
ip link set eth1.100 netns private_ns
ip netns exec private_ns ip addr add 10.1.1.1/24 dev eth1.100
ip netns exec private_ns ip link set eth1.100 up
```
Then I try:
```shell
ip netns exec private_ns ping 8.8.8.8
```
I get `connect: Network is unreachable`.
plug wash
Each network namespace is a separate logical copy of the network stack. Therefore, you need to treat the network namespace as a separate computer.
To connect your new computer to the Internet through your current computer, you will need to:

1. Select an unused network card (or install a new one) on each computer.
2. Connect them together with a network cable.
3. Choose between Ethernet bridging, normal IP routing, or NAT.
4a. For Ethernet bridging, add the new NIC in the existing computer to the appropriate bridge and give the NIC in the secondary computer the IP in the subnet where the bridge is located.
4b. For regular IP routing, choose an IP block for the new link. Assign interface IPs from that block, make sure IP forwarding is enabled on existing machines, make sure the rest of the network knows about the new subnet, and make sure iptables rules (if any) allow traffic through.
4c. For NAT, choose an IP block for the new link. Assign interface IPs from this block, ensure IP forwarding is enabled on existing machines, ensure iptables rules allow traffic through, and set up SNAT or MASQUERADE rules for traffic from the new subnet to external hosts.
5. Set the appropriate default gateway on the new computer.
Similarly, when using network namespaces:

1. Create a veth pair in the main network namespace.
2. Move one end of the veth pair to the secondary network namespace.
3. Choose between Ethernet bridging, normal IP routing, or NAT.
4a. For Ethernet bridging, add the new veth in the main network namespace to the appropriate bridge and give the veth in the new network namespace the IP in the subnet where the bridge is located.
4b. For regular IP routing, choose an IP block for the new link. Assign interface IPs from that block, make sure IP forwarding is enabled on existing machines, make sure the rest of the network knows about the new subnet, and make sure iptables rules (if any) allow traffic through.
4c. For NAT, choose an IP block for the new link. Assign interface IPs from this block, ensure IP forwarding is enabled on existing machines, ensure iptables rules allow traffic through, and set up SNAT or MASQUERADE rules for traffic from the new subnet to external hosts.
5. Set an appropriate default gateway in the secondary network namespace.
(Sorry for the ugly formatting, feel free to fix it if you're more skilled at Markdown than I am)
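The NAT variant (steps 1, 2, 4c and 5 of the answer) as one script, added here as an example and not part of the answer above. It assumes the namespace name `private_ns` from the question, the uplink `eth1`, a veth pair named `veth-host`/`veth-ns` and the link subnet 10.200.0.0/24, all of which are the author's own choices for this example; `DRY_RUN=1` prints the commands instead of executing them, since the real run needs root.

```shell
#!/bin/sh
# Added example (not from the answer): veth pair + MASQUERADE to give a
# network namespace Internet access through the main namespace's uplink.
# Names below are assumptions for this example; adjust to your host.
NS=${NS:-private_ns}          # namespace from the question
HOST_IF=${HOST_IF:-veth-host} # veth end that stays in the main namespace
NS_IF=${NS_IF:-veth-ns}       # veth end moved into the namespace
SUBNET=10.200.0.0/24          # IP block chosen for the new link (step 4c)
HOST_IP=10.200.0.1            # main-namespace end, also the ns default gateway
NS_IP=10.200.0.2              # namespace end
UPLINK=${UPLINK:-eth1}        # physical interface that reaches the Internet

# Execute the command, or just print it when DRY_RUN=1 (review before applying).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_ns_nat() {
  # Step 1: veth pair created in the main namespace
  run ip link add "$HOST_IF" type veth peer name "$NS_IF"
  # Step 2: move one end into the secondary namespace
  run ip link set "$NS_IF" netns "$NS"
  # Step 4c: addresses on both ends of the link, bring links up
  run ip addr add "$HOST_IP/24" dev "$HOST_IF"
  run ip link set "$HOST_IF" up
  run ip netns exec "$NS" ip addr add "$NS_IP/24" dev "$NS_IF"
  run ip netns exec "$NS" ip link set "$NS_IF" up
  run ip netns exec "$NS" ip link set lo up
  # Step 4c: forwarding in the main namespace, NAT restricted to this subnet
  # and this uplink, FORWARD rules that only admit replies back in
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$UPLINK" -j MASQUERADE
  run iptables -A FORWARD -i "$HOST_IF" -o "$UPLINK" -j ACCEPT
  run iptables -A FORWARD -i "$UPLINK" -o "$HOST_IF" \
      -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Step 5: default route inside the namespace via the host end of the veth
  run ip netns exec "$NS" ip route add default via "$HOST_IP"
}

# Apply only when explicitly asked, e.g.  AUTO_APPLY=1 sh ns-nat.sh  (as root),
# or preview with  DRY_RUN=1 AUTO_APPLY=1 sh ns-nat.sh
if [ "${AUTO_APPLY:-0}" = 1 ]; then
  setup_ns_nat
fi
```

Name resolution inside the namespace still needs a resolver: `ip netns exec` bind-mounts `/etc/netns/private_ns/resolv.conf` over `/etc/resolv.conf` if that file exists.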