Network namespaces – part 1

Linux namespaces are a relatively new kernel feature which is essential for implementation of containers. A namespace wraps a global system resource into an abstraction which will be bound only to processes within the namespace, providing resource isolation. In this article I discuss network namespace and show a practical example.

What is namespace?

A namespace is a way of scoping a particular set of identifiers. Using a namespace, you can use the same identifier multiple times in different namespaces. You can also restrict an identifier set visible to particular processes.

For example, Linux provides namespaces for networking and processes, among other things. If a process is running within a process namespace, it can only see and communicate with other processes in the same namespace. So, if a shell in a particular process namespace ran ps waux, it would only show the other processes in the same namespace.

Linux network namespaces

In a network namespace, the scoped ‘identifiers’ are network devices; so a given network device, such as eth0, exists in a particular namespace. Linux starts up with a default network namespace, so if your operating system does not do anything special, that is where all the network devices will be located. But it is also possible to create further non-default namespaces, and create new devices in those namespaces, or to move an existing device from one namespace to another.

Each network namespace also has its own routing table, and in fact this is the main reason for namespaces to exist. A routing table is keyed by destination IP address, so network namespaces are what you need if you want the same destination IP address to mean different things at different times – which is something that OpenStack Networking requires for its feature of providing overlapping IP addresses in different virtual networks.

Each network namespace also has its own set of iptables (for both IPv4 and IPv6). So, you can apply different security to flows with the same IP addressing in different namespaces, as well as different routing.

Any given Linux process runs in a particular network namespace. By default this is inherited from its parent process, but a process with the right capabilities can switch itself into a different namespace; in practice this is mostly done using the ip netns exec NETNS COMMAND… invocation, which starts COMMAND running in the namespace named NETNS. Suppose such a process sends out a message to IP address A.B.C.D, the effect of the namespace is that A.B.C.D will be looked up in that namespace’s routing table, and that will determine the network device that the message is transmitted through.

Lets play with ip namespaces

By convention a named network namespace is an object at /var/run/netns/NAME that can be opened. The file descriptor resulting from opening /var/run/netns/NAME refers to the specified network namespace.

create a namespace

power up loopback device

open up a namespace shell

now we can use this shell like user shell where it uses ns1 namespace only

 

In part-2  , I will explain how to connect to internet from ns1 namespace and adding custom routes.

How to assign IP to network interface command line in linux

This article objective is provide you the way to assign the IP address to the network interface from the command line.

You can see the available network interfaces on your machine by using the simple command ifconfig

You can find the interfaces and their names and you can identify the name which is  preceded by colon(:) in the left side. Something like eth0, lo and wlan0 etc.  The network interface lo interface is the special interface where we called it as localhost and special IP assigned to it 127.0.0.1 also called loopback IP.

Do you know? you can assign multiple IPs to single network interface. This is pretty useful when you need multiple IP addresses but you have only one network card.

We created new interface alias with IP assigned. We can do it simply by giving colon(:) and alias number.

Assign IP using ifconfig

This command will assign the specified IP to the give network interface. It is not a persistent change. The would change after reboot.

 

Get IP using dhclient

The program dhclient will get you the IP to the given interface using the Dynamic Host Configuration Protocol (DHCP). The IP which will be assigned to the given network interface which will be provided by gateway or router. If you won’t have any preference of having specific IP assigned to the network card, this can be used

 

Assign static IP

The IP we assigned above is not a persistent or static IP. Means you will lose that IP and will get an other different IP assigned after reboot. To make this IP permanent we have to edit the configuration files.

Ubuntu /etc/network/interfaces

 

CentOS /etc/sysconfig/network-scripts/ifcfg-eth0

Unlike the distribution Debian, CentOS maintains the configuration in a separate file for each interface. The  file path would be something like  /etc/sysconfig/network-scripts/ifcfg-<interface_name>.

 

How to check routes (routing table) in linux

The route is nothing but a path or way to the specific or range of destination IP addresses. Linux kernel maintains these routes called as kernel routing table and will route the traffic accordingly.

You can use any one of them to display the routing table

route
netstat
ip

Command route

The command route is used to modify and check the existing routes. To check the routing table using route command,

This will display the list of routes currently configured

Command: route -n 

This will give the output with out resolving the names

Command netstat

This command gives the statistics about the network. With this command you can do more than just printing routing table,

Print network connections,
routing tables,
interface statistics,
masquerade connections,  and
multicast memberships

To check the routing table,

Command: nestat -rn

Where

Option -r  is to display the routing table

Option -n is not to resolve the names. Print the IP addresses only

Command IP

To check routing table using command ip 

Command: ip route list

To find hops, route of the destination and how your machine is reaching the destination you use tracepath

Where you can replace howto.lintel.in with specific domain or IP address.

 

How to list IP addresses of all connected machines in local network

If you want to list valid connected IPs in your local network, you can do it by logging into your router if you have a password, else you can check  connected client IPs command line  using either of the following two commands.

namp
arp

Let’s see, how you can list connected systems IPs in your netowrk using these commands

List IPs using command namp

Basically this command namp is used to scan networks. It is most widely  used as port scanner. You can do many things with this command.

Auditing the security of a device or firewall by identifying the network

Identifying open ports on a target host

Network i maintenance and asset management.

Generating traffic to hosts on a network, response analysis and response time measurement.

Find and exploit vulnerabilities in a network

Ok, lets come to main thing listing IPs of connected systems in network

nmap -sP 192.168.1.*

Where,  you have to specify the IP range or subnet to scan to get the list of connected hosts. Options -sP  no port scan based on your version you can also use option -sn .

Warning:  Do not performs scans on a network without proper authorization.

List IPs using command arp

Basically arp is the protocol which stands for Address Resolution Protocol. Many linux boxes are loaded with command arp

Ping your network using a broadcast address i.e. “ping 192.168.2.255” if your IP is 192.168.2.8 or something in same network. After that, perform “arp -a” to determine all the computing devices connected to the network

Note: You can find your broadcast IP in ifconfig output for corresponding network interface

You can use the following command to list connected clients after you ping your broadcast IP,

arp -a

This command will list most of the IPs found but it’s not that much accurate. Some times routers hide machines which are connected via wire to the machines which are connected via wifi network.

 

References

[1] https://nmap.org/book/man-host-discovery.html