Friday, July 18, 2014

How to Create a Network Namespace, Add iptables Rules to It and Test Them

1)
Add a namespace
#sudo ip netns add myns1

2)
List all namespaces
#ip netns list

3)
Execute a command inside a namespace (the command then sees only that namespace's interfaces, routes and iptables tables)
#sudo ip netns exec myns1 <command>

4)
Check all the interfaces and their IP in the namespace "myns1"
#sudo ip netns exec myns1 ifconfig -a
#sudo ip netns exec myns1 ip link list

5)
The loopback interface "lo" in a new namespace is down and has no address. Bring it up and give it 127.0.0.1 (with "ip link set lo up" it gets 127.0.0.1/8 automatically):
#sudo ip netns exec myns1 ifconfig lo 127.0.0.1 up
#sudo ip netns exec myns1 ifconfig -a

6)
List all rules in the PREROUTING chain of NAT table
#sudo ip netns exec myns1 iptables -t nat -L PREROUTING -nv

7)
Add a port redirect rule to PREROUTING chain of NAT table
#sudo ip netns exec myns1 iptables -t nat -A PREROUTING -p tcp --dport 8083 -j REDIRECT --to-ports 8085

* All TCP traffic arriving from another host or interface with destination port 8083 is redirected to port 8085 on this namespace.
* http://fosshelp.blogspot.in/2014/07/iptables-port-redirection-example.html

* -t nat ==> Name of the table.
* -A PREROUTING ==> Name of the chain where we need to add the rule.

* -p tcp ==> Name of the Match
* -p tcp --dport 8083 ==> Name of the Match with match options
http://www.iptables.info/en/iptables-matches.html#TCPMATCHES
http://www.iptables.info/en/iptables-matches.html

* -j REDIRECT ==> Name of the Target/Jump
* REDIRECT --to-ports 8085 ==> Name of the Target/Jump with options
http://www.iptables.info/en/iptables-targets-and-jumps.html#REDIRECTTARGET
http://www.iptables.info/en/iptables-targets-and-jumps.html

* ping cannot exercise this rule: ICMP has no ports, and the REDIRECT target with "--to-ports" is only accepted together with "-p tcp" or "-p udp" (iptables rejects the rule with "-p icmp" or without a protocol). Use ping only to check reachability (Step-21) and test the rule itself with a TCP client such as telnet or netcat.

8)
List all rules in the PREROUTING chain of NAT table
#sudo ip netns exec myns1 iptables -t nat -L PREROUTING -nv

9)
Listen for an incoming connection on port 8085 inside the namespace
#sudo ip netns exec myns1 netcat -l 8085

* This is the OpenBSD netcat/ncat form; the traditional netcat needs "netcat -l -p 8085".

10)
Connect to port 8083 on the same machine (127.0.0.1/localhost) from inside the namespace.
#sudo ip netns exec myns1 telnet 127.0.0.1 8083
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

* The connection is refused because the rule is never hit and nothing listens on 8083: packets generated on the host itself traverse the OUTPUT chain of the NAT table, not PREROUTING, which only sees packets arriving from another host or interface. To test the rule, send the packets from another host (or, as in the steps below, from the global namespace over a veth pair), or add the same REDIRECT rule to the OUTPUT chain of the NAT table.
* http://fosshelp.blogspot.in/2014/07/iptables-port-redirection-example.html

11)
Create a veth interface pair (veth0 and veth1) in the global namespace. A veth pair behaves like a virtual cable: a packet sent into one end comes out of the other.
#sudo ip link add veth0 type veth peer name veth1

Kernel log (messages about the interfaces, for example when a link is brought up, are written here)
#sudo vim /var/log/kern.log

12)
List and check veth pairs created in the global namespace
#ip link list
OR
#ifconfig -a

* At this point the interfaces "veth0" and "veth1" have no IP address, so they don't belong to any network yet.

13)
To connect the global namespace to the "myns1" namespace, move one end of the veth pair into "myns1" with this command (the other end stays in the global namespace).
#sudo ip link set veth1 netns myns1

14)
Check namespace "myns1", there you can see the moved interface "veth1".
#sudo ip netns exec myns1 ip link
OR
#sudo ip netns exec myns1 ifconfig -a

* At this point the interface "veth1" has no IP address, so it doesn't belong to any network yet.
* If you run "#ip link list" or "#ifconfig -a" in the global namespace, you can no longer see "veth1", since it has moved to the namespace "myns1".

15)
List routing table in the namespace "myns1"
#sudo ip netns exec myns1 route -n
OR
#sudo ip netns exec myns1 ip route list

* At this point it is empty (the loopback route lives in the "local" routing table, which "route -n" and "ip route list" don't show).

16)
Assign the IP "10.1.1.1/24" to the "veth1" interface, i.e. put "veth1" on the network 10.1.1.0/24 (10.1.1.x).
#sudo ip netns exec myns1 ifconfig veth1 10.1.1.1/24 up

17)
List routing table in the namespace "myns1"
#sudo ip netns exec myns1 route -n
OR
#sudo ip netns exec myns1 ip route list

* At this point you can see the network 10.1.1.0/24 (10.1.1.x) with interface "veth1" in the routing table.

18)
List routing table in the global namespace
#route -n
OR
#ip route list

* "veth0" is not in the routing table, because it has no address yet. So we need to assign one.

19)
Assign the IP "10.1.1.3/24" to the "veth0" interface, i.e. put "veth0" on the same network 10.1.1.0/24 (10.1.1.x) as "veth1".
#sudo ifconfig veth0 10.1.1.3/24 up

* Note: "veth0" and "veth1" must be on the same network 10.1.1.0/24 (with different addresses) so the two namespaces can reach each other directly, without a router.

20)
List routing table in the global namespace
#route -n
OR
#ip route list

* At this point you can see the network 10.1.1.0/24 (10.1.1.x) with interface "veth0" in the routing table.

21)
Test IPs
* Ping to interface "veth0" in the global namespace from global namespace
#ping 10.1.1.3

*Ping to interface "veth1" in the "myns1" namespace from global namespace
#ping 10.1.1.1

* Ping to interface "veth0" in the global namespace from "myns1" namespace
#sudo ip netns exec myns1 ping 10.1.1.3

22)
Send packets to port 8083 in the namespace "myns1" from the global namespace.
#telnet 10.1.1.1 8083

* Here 10.1.1.1 is the IP of interface "veth1" in the namespace "myns1". The packets arrive in "myns1" on "veth1", traverse its PREROUTING chain and are redirected to port 8085.
* Whatever you type into telnet shows up in the output of the listener started in Step-9 ("#sudo ip netns exec myns1 netcat -l 8085").
* The packet counter of the rule in Step-8's listing ("#sudo ip netns exec myns1 iptables -t nat -L PREROUTING -nv") increases by one per connection, not per packet: NAT rules only see the first packet of each connection, the rest follow the conntrack entry.
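The whole procedure (Steps 1 to 22) as one script, added here as an example and not part of the original post. It uses the post's namespace, interface, address and port names, replaces ifconfig/route with ip(8), and adds two checks the steps above leave out: that the REDIRECT rule's packet counter actually moves when the telnet-style connection comes in over the veth pair, and that the Step-10 connection to 127.0.0.1 is refused until a matching rule is added to the OUTPUT chain. The listener uses netcat as in Step-9 (assumed to be the traditional/ncat "-l -p" form; adjust for OpenBSD nc), the client side uses bash's /dev/tcp so it does not depend on a netcat variant, and redirect_rule_pkts parses the "-nv" listing of Step-8. Run as root with "sudo sh netns-redirect-test.sh run"; the script name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: Steps 1-22 end to end, plus the
# rule-counter check and the PREROUTING-vs-OUTPUT check for loopback traffic.
# Names, addresses and ports are the ones used in the steps above.
#   sudo sh netns-redirect-test.sh run
set -eu

NS=myns1
VETH_HOST=veth0; HOST_IP=10.1.1.3
VETH_NS=veth1;   NS_IP=10.1.1.1
FROM_PORT=8083;  TO_PORT=8085
LISTENER_PID=""

setup() {   # Steps 1, 5, 7, 11, 13, 16 and 19, with ip(8) instead of ifconfig
    ip netns add "$NS"
    ip netns exec "$NS" ip link set lo up      # lo gets 127.0.0.1/8 when brought up
    ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    ip link set "$VETH_NS" netns "$NS"
    ip addr add "$HOST_IP/24" dev "$VETH_HOST"
    ip link set "$VETH_HOST" up
    ip netns exec "$NS" ip addr add "$NS_IP/24" dev "$VETH_NS"
    ip netns exec "$NS" ip link set "$VETH_NS" up
    ip netns exec "$NS" iptables -t nat -A PREROUTING -p tcp --dport "$FROM_PORT" \
        -j REDIRECT --to-ports "$TO_PORT"
}

teardown() {   # deleting the namespace removes veth1 and with it its peer veth0
    if [ -n "$LISTENER_PID" ]; then kill "$LISTENER_PID" 2>/dev/null || true; fi
    ip netns del "$NS" 2>/dev/null || true
}

# redirect_rule_pkts PORT: print the pkts counter of the first REDIRECT rule for
# "dpt:PORT" in an `iptables -t nat -L <chain> -nv` listing read from stdin.
# NAT rules only see the first packet of a connection, so expect one per connection.
redirect_rule_pkts() {
    awk -v p="dpt:$1" '$3 == "REDIRECT" && index($0, p) { print $1; exit }'
}

# Constructed sample of the Step-8 listing after one matched connection (used by
# the stand-alone self-check; the real listing comes from iptables in run_test).
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8083 redir ports 8085'

# send_line HOST PORT TEXT [NAMESPACE]: one TCP connection carrying one line,
# via bash's /dev/tcp; fails (non-zero) when the connection is refused.
send_line() {
    pfx=""; if [ -n "${4:-}" ]; then pfx="ip netns exec $4"; fi
    $pfx timeout 3 bash -c 'printf "%s\n" "$3" > "/dev/tcp/$1/$2"' _ "$1" "$2" "$3"
}

# listen_once PORT FILE: the Step-9 listener inside $NS, output captured to FILE.
listen_once() {
    ip netns exec "$NS" nc -l -p "$1" > "$2" &   # OpenBSD nc: nc -l "$1"
    LISTENER_PID=$!; sleep 1                      # let it bind before the client connects
}

run_test() {
    got=$(mktemp); trap teardown EXIT
    setup

    # (a) Step 22: from the global namespace over the veth pair. The SYN arrives on
    # veth1, traverses PREROUTING inside myns1 and is redirected 8083 -> 8085.
    listen_once "$TO_PORT" "$got"
    send_line "$NS_IP" "$FROM_PORT" "hello-via-veth"
    wait "$LISTENER_PID" || true; LISTENER_PID=""
    grep -qx "hello-via-veth" "$got" || { echo "FAIL: payload not received"; return 1; }
    pkts=$(ip netns exec "$NS" iptables -t nat -L PREROUTING -nv | redirect_rule_pkts "$FROM_PORT")
    [ "${pkts:-0}" -ge 1 ] || { echo "FAIL: PREROUTING rule counter is ${pkts:-0}"; return 1; }
    echo "ok: veth path redirected and counted ($pkts connection)"

    # (b) Step 10: the same connect to 127.0.0.1 inside myns1 is refused, because
    # locally generated packets traverse nat OUTPUT and never PREROUTING.
    listen_once "$TO_PORT" "$got"
    if send_line 127.0.0.1 "$FROM_PORT" "x" "$NS" 2>/dev/null; then
        echo "FAIL: loopback connect succeeded without an OUTPUT rule"; return 1
    fi
    echo "ok: loopback connect refused, as in Step-10"

    # The same REDIRECT in nat OUTPUT (limited to lo) makes the loopback test work.
    ip netns exec "$NS" iptables -t nat -A OUTPUT -o lo -p tcp --dport "$FROM_PORT" \
        -j REDIRECT --to-ports "$TO_PORT"
    send_line 127.0.0.1 "$FROM_PORT" "hello-via-lo" "$NS"
    wait "$LISTENER_PID" || true; LISTENER_PID=""
    grep -qx "hello-via-lo" "$got" || { echo "FAIL: loopback payload not received"; return 1; }
    echo "ok: loopback redirected after adding the OUTPUT rule"
    rm -f "$got"
}

case "${1:-}" in
    run) [ "$(id -u)" -eq 0 ] || { echo "run as root"; exit 1; }; run_test ;;
    *)   echo "usage: sudo sh $0 run" ;;
esac
```

Without the "run" argument the script only defines its functions, so the parsing helper can be exercised on the constructed listing without root. The "-o lo" restriction on the OUTPUT rule keeps the loopback redirect from also rewriting connections the namespace itself makes to other hosts on port 8083.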


2 comments:

  1. This is such an inspiring read! Your insights really resonate and make me think differently. Thank you for sharing!

  2. Create a network namespace with ip netns add, set up veth pairs, assign IPs, add iptables webspacekit rules with iptables -A and test by pinging or using curl within the namespace.
