Linux namespace, How to connect internet in network namespace


I want to test Linux network namespaces.

The current problem is that I cannot connect to the internet from the namespace.

Here are my commands:

1. Create network namespace netns1, create a pair of veths (A and B), and move B into the namespace

ip netns add netns1
ip link add A type veth peer name B
ip link set B netns netns1

2. Create a bridge and connect veth A to it

brctl addbr bridge0
ip addr add 172.17.42.1/16 dev bridge0
ip link set dev bridge0 up
brctl addif bridge0 A
ip link set A up

3. In the namespace, set up the network

ip netns exec netns1 ip link set dev B name eth0
ip netns exec netns1 ip link set eth0 up
ip netns exec netns1 ip addr add 172.17.42.99/16 dev eth0
ip netns exec netns1 ip route add default via 172.17.42.1

When I ping Google, I get this:

ping: unknown host www.google.com

How can I connect to the internet in this namespace?

Here are some other details:

[four screenshots omitted]

Thank you

Update 1

I also tried to set up NAT:

iptables -t nat -A POSTROUTING -s 172.17.0.0/16 -d 0.0.0.0/0 -j MASQUERADE

But still unknown host.

Best Answer

Think of a network namespace as another computer. Think of a veth pair as two Ethernet cards with a crossover cable between them.

There are three main ways to connect a network namespace to the Internet: NAT, conventional IP routing, and Ethernet bridging.

NAT is generally the easiest to set up because it works with any type of upstream internet connection and doesn't require the cooperation of the upstream network.

For NAT to work, several things need to be in place.

  1. The default gateway needs to be set up in the secondary network namespace (you appear to have done this)
  2. IP forwarding needs to be enabled in the main network namespace (you have not shown how this setting is set).
  3. The iptables rules in the main network namespace need to allow the traffic to pass (on the kernel side this is ok by default but some firewall software may have set up rules that block forwarding).
  4. An appropriate SNAT or masquerade rule needs to be in place in the main network namespace (you appear to have done this).

You also need to ensure that an appropriate /etc/resolv.conf is available for programs in the secondary network namespace. Remember that even if you bring up the local loopback interface in the secondary network namespace (which you should do) it is still local to each network namespace.

It is best to ping/traceroute by IP address when initially setting up networks to separate name resolution issues from general connectivity issues.
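The checklist above as a script (an added example, not the answer author's or the asker's code). It assumes the question's names: namespace netns1, host-side bridge bridge0 on 172.17.0.0/16, and that the host's Internet-facing interface is named in WAN (an assumption; set it to your uplink). The two check helpers are pure, so they can be tried on sample input without root.

```shell
#!/bin/sh
# Usage: NS=netns1 WAN=eth0 sh nat-netns.sh apply   (as root)
#        sh nat-netns.sh check
set -eu
NS=${NS:-netns1}          # namespace from the question
WAN=${WAN:-eth0}          # assumption: host's upstream interface
SUBNET=172.17.0.0/16      # subnet behind bridge0 in the question

# Item 2 of the checklist. $1 is the contents of /proc/sys/net/ipv4/ip_forward.
forwarding_enabled() { [ "$1" = "1" ]; }

# Item 4 of the checklist. Reads the output of `iptables -t nat -S POSTROUTING`
# on stdin; iptables omits the redundant "-d 0.0.0.0/0" when listing rules.
masquerade_present() { grep -- "-s $SUBNET" | grep -q MASQUERADE; }

check() {
  forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)" \
    && echo "ip_forward: ok" || echo "ip_forward: DISABLED"
  iptables -t nat -S POSTROUTING | masquerade_present \
    && echo "masquerade: ok" || echo "masquerade: MISSING"
  [ -f "/etc/netns/$NS/resolv.conf" ] \
    && echo "resolv.conf for $NS: ok" || echo "resolv.conf for $NS: MISSING"
}

apply() {
  sysctl -w net.ipv4.ip_forward=1                                  # item 2
  # Item 3: let the namespace's traffic cross the host, only via the uplink,
  # and only allow replies back in rather than opening the whole FORWARD chain.
  iptables -A FORWARD -i bridge0 -o "$WAN" -j ACCEPT
  iptables -A FORWARD -i "$WAN" -o bridge0 \
    -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Item 4: masquerade restricted to the uplink, not every outgoing interface.
  iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$WAN" -j MASQUERADE
  # Name resolution: `ip netns exec` bind-mounts /etc/netns/$NS/resolv.conf
  # over /etc/resolv.conf inside the namespace. 8.8.8.8 is a placeholder resolver.
  mkdir -p "/etc/netns/$NS"
  printf 'nameserver 8.8.8.8\n' > "/etc/netns/$NS/resolv.conf"
  ip netns exec "$NS" ip link set lo up                          # loopback is per-namespace
}

case "${1:-}" in
  apply) apply ;;
  check) check ;;
esac
```

Run `check` first; as the answer says, test with `ip netns exec netns1 ping 172.17.42.1` and then a public IP before trying a hostname.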
