Setting up Linux Network Namespace and Bridge for Network Isolation

Md Masud Rana
Jun 28, 2023

Introduction:

In this tutorial, we will explore Linux network namespaces and bridges, and how they can be used to create isolated network environments. We will go step by step through setting up network namespaces and connecting them with a bridge interface, enabling communication between the namespaces while each namespace keeps its own separate network stack. This setup is useful when you need isolated network environments, such as in testing environments or containerized applications.

What are Network Namespaces?

Network namespaces are a feature in the Linux kernel that provides a way to create multiple virtual network stacks, each with its own network interfaces, IP addresses, routing tables, and firewall rules. These namespaces allow you to isolate network resources and processes, providing a level of network separation.

What is a Bridge?

A bridge is a software component that connects multiple network interfaces together, creating a single logical network segment. It operates at the data link layer and allows communication between devices connected to different interfaces of the bridge. By connecting network namespaces with a bridge, we can establish communication between them.

Architecture Diagram

Setting up Network Namespaces and Bridge:

1. Create Network Namespaces: We start by creating two network namespaces, ns1 and ns2, using the following commands:

sudo ip netns add ns1
sudo ip netns add ns2

These commands create two separate network namespaces.

2. Create Virtual Ethernet Pairs: Next, we create virtual Ethernet pairs (veth) and link them using the following commands:

sudo ip link add veth1 type veth peer name vpeer1
sudo ip link add veth2 type veth peer name vpeer2

This creates two pairs of virtual Ethernet devices, veth1-vpeer1 and veth2-vpeer2.

3. Bring Up Network Interfaces: We bring up the network interfaces using the following commands:

sudo ip link set veth1 up
sudo ip link set veth2 up
sudo ip link set vpeer1 up
sudo ip link set vpeer2 up

These commands activate the network interfaces.

4. Move Virtual Ethernet Devices to Namespaces: Now, we move the virtual Ethernet devices to their respective namespaces using the following commands:

sudo ip link set veth1 netns ns1
sudo ip link set veth2 netns ns2

This moves veth1 to the ns1 namespace and veth2 to the ns2 namespace.

5. Set Up Interfaces within Namespaces: We bring up the network interfaces within their respective namespaces using the following commands:

sudo ip netns exec ns1 ip link set veth1 up
sudo ip netns exec ns2 ip link set veth2 up

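These commands bring up the network interfaces veth1 and veth2 within the ns1 and ns2 namespaces, respectively. Moving an interface into another namespace sets it back to down, which is why veth1 and veth2 have to be brought up again here.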

6. Assign IP Addresses to Interfaces: We assign IP addresses to the network interfaces within the namespaces using the following commands:

sudo ip netns exec ns1 ip addr add 10.10.0.10/16 dev veth1
sudo ip netns exec ns2 ip addr add 10.10.0.20/16 dev veth2

This assigns IP addresses (10.10.0.10/16 and 10.10.0.20/16) to veth1 and veth2 interfaces within the ns1 and ns2 namespaces, respectively.

7. Create and Configure a Bridge: We create a bridge named br1 and configure it with the following commands:

sudo ip link add br1 type bridge
sudo ip link set br1 up
sudo ip link set vpeer1 master br1
sudo ip link set vpeer2 master br1
sudo ip addr add 10.10.0.1/16 dev br1

This creates the bridge br1, brings it up, assigns vpeer1 and vpeer2 as its members, and assigns an IP address (10.10.0.1/16) to the bridge interface.

8. Test Connectivity: Finally, we can test the connectivity between the namespaces using the ping command:

sudo ip netns exec ns1 ping 10.10.0.20
sudo ip netns exec ns2 ping 10.10.0.10

These commands initiate ICMP ping requests from the ns1 namespace to the IP address 10.10.0.20 (located in the ns2 namespace) and vice versa.
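
Beyond ping, it is worth checking that the isolation boundary is what the steps intended: each namespace should hold only lo and its veth end, and br1 should have exactly vpeer1 and vpeer2 as ports. The script below is an added example, not part of the original tutorial; the function names are hypothetical, and the sample `ip -o link show` listings (including the stray eth9 interface) are constructed so it runs without root.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): audit the ns1/ns2/br1 topology
# by parsing `ip -o link show` output. Sample outputs below are constructed.

# stdin: `ip -o link show` from inside a namespace. Prints every interface
# other than lo and the expected veth end; empty output means nothing extra.
unexpected_ifaces() {
    awk -v want="$1" '{
        name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
        if (name != "lo" && name != want) print name
    }'
}

# stdin: host-side `ip -o link show`. Prints the ports enslaved to bridge $1.
bridge_ports() {
    awk -v br="$1" '{
        name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
        for (i = 3; i < NF; i++) if ($i == "master" && $(i + 1) == br) print name
    }'
}

# Constructed, abbreviated samples of `ip -o link show` output.
NS1_CLEAN='1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN
7: veth1@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'
NS1_EXTRA="$NS1_CLEAN
3: eth9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN"
HOST_SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
5: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
6: vpeer1@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP
8: vpeer2@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP'

# Returns 0 only if the namespace listing holds nothing but lo and its veth end.
ns_is_clean() { [ -z "$(unexpected_ifaces "$1")" ]; }

printf '%s\n' "$NS1_CLEAN" | ns_is_clean veth1 && echo "ns1: only lo and veth1"
printf '%s\n' "$NS1_EXTRA" | ns_is_clean veth1 || echo "ns1: unexpected interface present"
echo "br1 ports: $(printf '%s\n' "$HOST_SAMPLE" | bridge_ports br1 | tr '\n' ' ')"

# On a live system (after the steps above), feed real output instead:
#   sudo ip netns exec ns1 ip -o link show | unexpected_ifaces veth1
#   ip -o link show | bridge_ports br1
```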

Conclusion: In this tutorial, we have learned how to set up Linux network namespaces and connect them with a bridge interface. Network namespaces provide isolation for network resources, while bridges enable communication between isolated environments. This setup can be useful for various scenarios, such as testing network configurations or running containerized applications with isolated networking. By following the step-by-step instructions, you can easily create and configure network namespaces and bridges to achieve network isolation.
