Tag Archives: ip

Network namespaces – part 2

How to run OpenVPN tunnel inside a network namespace

Linux network namespaces can be used to control which processes should be tunneled by OpenVPN.

First create an –up and –down script for OpenVPN. This script will create the VPN tunnel interface inside a network namespace called vpn, instead of the default namespace.

cat > netns-up << EOF
#!/bin/sh
case $script_type in
        up)
                ip netns add vpn
                ip netns exec vpn ip link set dev lo up
                mkdir -p /etc/netns/vpn
                echo "nameserver 8.8.8.8" > /etc/netns/vpn/resolv.conf
                ip link set dev "$1" up netns vpn mtu "$2"
                ip netns exec vpn ip addr add dev "$1" \
                        "$4/${ifconfig_netmask:-30}" \
                        ${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"}
                test -n "$ifconfig_ipv6_local" && \
          ip netns exec vpn ip addr add dev "$1" \
                        "$ifconfig_ipv6_local"/112
                ;;
        route-up)
                ip netns exec vpn ip route add default via "$route_vpn_gateway"
                test -n "$ifconfig_ipv6_remote" && \
          ip netns exec vpn ip route add default via \
                        "$ifconfig_ipv6_remote"
                ;;
        down)
                ip netns delete vpn
                ;;
esac
EOF

Then start OpenVPN and tell it to use our –up script instead of executing ifconfig and route.

openvpn --ifconfig-noexec --route-noexec --up netns-up --route-up netns-up --down netns-up

Now you can start programs to be tunneled like this:

ip netns exec vpn command

Or start a separate shell

ip netns exec vpn command

 

Network namespaces – part 1

Linux namespaces are a relatively new kernel feature which is essential for implementation of containers. A namespace wraps a global system resource into an abstraction which will be bound only to processes within the namespace, providing resource isolation. In this article I discuss network namespace and show a practical example.

What is namespace?

A namespace is a way of scoping a particular set of identifiers. Using a namespace, you can use the same identifier multiple times in different namespaces. You can also restrict an identifier set visible to particular processes.

For example, Linux provides namespaces for networking and processes, among other things. If a process is running within a process namespace, it can only see and communicate with other processes in the same namespace. So, if a shell in a particular process namespace ran ps waux, it would only show the other processes in the same namespace.

Linux network namespaces

In a network namespace, the scoped ‘identifiers’ are network devices; so a given network device, such as eth0, exists in a particular namespace. Linux starts up with a default network namespace, so if your operating system does not do anything special, that is where all the network devices will be located. But it is also possible to create further non-default namespaces, and create new devices in those namespaces, or to move an existing device from one namespace to another.

Each network namespace also has its own routing table, and in fact this is the main reason for namespaces to exist. A routing table is keyed by destination IP address, so network namespaces are what you need if you want the same destination IP address to mean different things at different times – which is something that OpenStack Networking requires for its feature of providing overlapping IP addresses in different virtual networks.

Each network namespace also has its own set of iptables (for both IPv4 and IPv6). So, you can apply different security to flows with the same IP addressing in different namespaces, as well as different routing.

Any given Linux process runs in a particular network namespace. By default this is inherited from its parent process, but a process with the right capabilities can switch itself into a different namespace; in practice this is mostly done using the ip netns exec NETNS COMMAND… invocation, which starts COMMAND running in the namespace named NETNS. Suppose such a process sends out a message to IP address A.B.C.D, the effect of the namespace is that A.B.C.D will be looked up in that namespace’s routing table, and that will determine the network device that the message is transmitted through.

Lets play with ip namespaces

By convention a named network namespace is an object at /var/run/netns/NAME that can be opened. The file descriptor resulting from opening /var/run/netns/NAME refers to the specified network namespace.

create a namespace

power up loopback device

open up a namespace shell

now we can use this shell like user shell where it uses ns1 namespace only

 

In part-2  , I will explain how to connect to internet from ns1 namespace and adding custom routes.

How to assign IP to network interface command line in linux

This article objective is provide you the way to assign the IP address to the network interface from the command line.

You can see the available network interfaces on your machine by using the simple command ifconfig

ifconfig

You can find the interfaces and their names and you can identify the name which is  preceded by colon(:) in the left side. Something like eth0, lo and wlan0 etc.  The network interface lo interface is the special interface where we called it as localhost and special IP assigned to it 127.0.0.1 also called loopback IP.

Do you know? you can assign multiple IPs to single network interface. This is pretty useful when you need multiple IP addresses but you have only one network card.

ifconfig eht0:1 192.168.2.9 up

We created new interface alias with IP assigned. We can do it simply by giving colon(:) and alias number.

Assign IP using ifconfig
ifconfig eth0 down
ifconfig eth0 192.168.2.3 up

This command will assign the specified IP to the give network interface. It is not a persistent change. The would change after reboot.

ifconfig eth0 192.168.2.14 netmask 255.255.255.0 up

 

Get IP using dhclient

The program dhclient will get you the IP to the given interface using the Dynamic Host Configuration Protocol (DHCP). The IP which will be assigned to the given network interface which will be provided by gateway or router. If you won’t have any preference of having specific IP assigned to the network card, this can be used

dhclient eth0

 

Assign static IP

The IP we assigned above is not a persistent or static IP. Means you will lose that IP and will get an other different IP assigned after reboot. To make this IP permanent we have to edit the configuration files.

Ubuntu /etc/network/interfaces
# Your primary public IP address.
iface eth0 inet static
    address 198.51.100.5/24
    gateway 198.51.100.1

# To add a second public IP address:
iface eth0 inet static
    address 198.51.100.10/24

# To add a private IP address:
iface eth0 inet static
    address 192.0.2.6/17

 

CentOS /etc/sysconfig/network-scripts/ifcfg-eth0

Unlike the distribution Debian, CentOS maintains the configuration in a separate file for each interface. The  file path would be something like  /etc/sysconfig/network-scripts/ifcfg-<interface_name>.

# eth0
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
    
# Your primary public IP address.
IPADDR=198.51.2.5
NETMASK=255.255.255.0
GATEWAY=198.51.2.1

 

How to check routes (routing table) in linux

The route is nothing but a path or way to the specific or range of destination IP addresses. Linux kernel maintains these routes called as kernel routing table and will route the traffic accordingly.

You can use any one of them to display the routing table

route
netstat
ip

Command route

The command route is used to modify and check the existing routes. To check the routing table using route command,

$ route

This will display the list of routes currently configured

Command: route -n 

$ route -n
Kernel IP routing table
Destination    Gateway       Genmask        Flags  Metric Ref Use Iface
0.0.0.0        192.168.0.1   0.0.0.0        UG     0      0   0   wlan0
192.168.0.0    0.0.0.0       255.255.255.0  U      9      0   0   wlan0

This will give the output with out resolving the names

Command netstat

This command gives the statistics about the network. With this command you can do more than just printing routing table,

Print network connections,
routing tables,
interface statistics,
masquerade connections,  and
multicast memberships

To check the routing table,

Command: nestat -rn

$ netstat -rn
Kernel IP routing table
Destination  Gateway      Genmask        Flags MSS Window irtt Iface
0.0.0.0      192.168.0.1  0.0.0.0        UG    0   0      0    wlan0
192.168.0.0  0.0.0.0      255.255.255.0  U     0   0      0    wlan0

Where

Option -r  is to display the routing table

Option -n is not to resolve the names. Print the IP addresses only

Command IP

To check routing table using command ip 

Command: ip route list

$ ip route list
default via 192.168.0.1 dev wlan0 proto static 
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.5 metric 9

To find hops, route of the destination and how your machine is reaching the destination you use tracepath

tracepath howto.lintel.in

Where you can replace howto.lintel.in with specific domain or IP address.

We added an updated article with more options on this topic.

Check out at https://howto.lintel.in/add-delete-routes-linux/

How to list IP addresses of all connected machines in local network

If you want to list valid connected IPs in your local network, you can do it by logging into your router if you have a password, else you can check  connected client IPs command line  using either of the following two commands.

namp
arp

Let’s see, how you can list connected systems IPs in your netowrk using these commands

List IPs using command namp

Basically this command namp is used to scan networks. It is most widely  used as port scanner. You can do many things with this command.

Auditing the security of a device or firewall by identifying the network

Identifying open ports on a target host

Network i maintenance and asset management.

Generating traffic to hosts on a network, response analysis and response time measurement.

Find and exploit vulnerabilities in a network

Ok, lets come to main thing listing IPs of connected systems in network

nmap -sP 192.168.1.*

Where,  you have to specify the IP range or subnet to scan to get the list of connected hosts. Options -sP  no port scan based on your version you can also use option -sn .

Warning:  Do not performs scans on a network without proper authorization.

List IPs using command arp

Basically arp is the protocol which stands for Address Resolution Protocol. Many linux boxes are loaded with command arp

Ping your network using a broadcast address i.e. “ping 192.168.2.255” if your IP is 192.168.2.8 or something in same network. After that, perform “arp -a” to determine all the computing devices connected to the network

Note: You can find your broadcast IP in ifconfig output for corresponding network interface

You can use the following command to list connected clients after you ping your broadcast IP,

arp -a

This command will list most of the IPs found but it’s not that much accurate. Some times routers hide machines which are connected via wire to the machines which are connected via wifi network.

 

References

[1] https://nmap.org/book/man-host-discovery.html