@avoidik
Last active October 21, 2022 06:29
Linux Network Namespaces
#!/bin/bash
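# Option defaults. With no flags the script is a dry run: the rule set is
# generated in a throw-away namespace and only printed, nothing is loaded.
flag_iptables=true   # true: parent mode, re-exec inside unshare -n
flag_dry_run=true    # true: print the generated rules instead of restoring them

while getopts ":nf" arg; do
  case $arg in
    n) # Apply - load the generated rules into the host (default is print only).
      # NOTE(review): the original comment called -n "Dry-run", but
      # flag_dry_run defaults to true, so -n is the switch that applies the
      # rules; the safe print-only default is kept.
      flag_dry_run=false
      ;;
    f) # Pass-through - does not run unshare step (used by the child re-exec).
      flag_iptables=false
      ;;
  esac
done
shift $((OPTIND-1)); [[ "${1}" == "--" ]] && shift

if [[ "$flag_iptables" == true ]]; then
  # Parent mode: re-exec this script with -f inside a fresh network
  # namespace so the rules below are built in isolation. The child writes
  # iptables-save output to fd 4 and ip6tables-save output to fd 6; "$0" is
  # quoted so a script path containing spaces still re-executes.
  if [[ "$flag_dry_run" == true ]]; then
    unshare -n -- "$0" -f 4> >(sed 's/^/IPv4: /') 6> >(sed 's/^/IPv6: /')
  else
    # Restore the child's rule set into the host namespace. The set below
    # defaults INPUT/FORWARD to DROP and opens no management port, so on a
    # remote host inspect the dry run first. The && tests only unshare's
    # status: the restores run asynchronously in the process substitutions,
    # so a failed restore does not stop the sysctl calls.
    unshare -n -- "$0" -f 4> >(iptables-restore) 6> >(ip6tables-restore) && {
      sysctl -w net.ipv4.ip_forward=1
      sysctl -w net.ipv6.conf.all.forwarding=1
    }
  fi
  exit 0
fi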
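#######################################
# Run the same rule command for IPv4 and IPv6.
# Arguments: iptables arguments, passed unchanged to both tools
# Outputs:   whatever the two tools print
# Returns:   0 when both succeed, otherwise the status of the last failure.
#            (The original returned only ip6tables' status, so an IPv4 error
#            was silently lost.)
#######################################
ip46tables() {
  local rc=0
  iptables "$@" || rc=$?
  ip6tables "$@" || rc=$?
  return "$rc"
}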
### ------------------ Default policy
# Child (-f) mode: these rules are built inside the throw-away namespace the
# parent created, so nothing here changes the host until the parent restores
# the saved output (or merely prints it in the default dry run).
ip46tables -P INPUT DROP
ip46tables -P FORWARD DROP
ip46tables -P OUTPUT ACCEPT
# Allow loopback traffic
ip46tables -A INPUT -i lo -j ACCEPT
# Allow some ICMP traffic
# Echo requests are accepted at up to 50/s and the next rule drops the
# excess; rule order matters here (limit first, then drop).
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 50/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 50/s -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
# Enable conntrack
# Replies to outbound traffic, and ICMP errors conntrack classifies as
# RELATED, are accepted. No management port (SSH etc.) is opened anywhere
# in this set: new inbound connections fall through to the LOG rules and the
# DROP policy, so on a remote host check the dry-run output before applying.
ip46tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip46tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# IPv6
# Drop type-0 routing headers; accept neighbor discovery only when the hop
# limit is still 255, i.e. the packet was not forwarded by a router.
# NOTE(review): router advertisements and other ICMPv6 types are not
# accepted, so router discovery / SLAAC will not work behind this set --
# confirm that is intended.
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
### ------------------ Logs
# Anything still unmatched is logged at most once per second and then hits
# the DROP policy.
ip46tables -A INPUT -m limit --limit 1/s -j LOG --log-level notice --log-prefix "DROP INPUT: "
ip46tables -A FORWARD -m limit --limit 1/s -j LOG --log-level notice --log-prefix "DROP FORWARD: "
# Hand the finished rule set to the parent on fd 4 (IPv4) and fd 6 (IPv6),
# which the parent's process substitutions opened. Presumably those fds are
# not open when -f is run by hand, in which case both saves fail.
iptables-save >&4
ip6tables-save >&6
#!/bin/bash
# Register cleanup for every exit path. The function is only defined below,
# which works because the trap string is evaluated when the trap fires.
trap cleanup EXIT
#######################################
# Tear down what this script created: the host end of the veth pair (its
# peer in ns1 disappears with it) and the per-namespace resolv.conf symlink.
# Errors from a missing link are silenced; the namespace itself is kept.
#######################################
cleanup() {
  local host_link=v-eth1
  local ns_resolv=/etc/netns/ns1/resolv.conf
  ip link delete "$host_link" 2>/dev/null
  rm -f "$ns_resolv"
}
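# Recreate ns1 from scratch; the delete is silenced for the first run.
ip netns del ns1 &> /dev/null
ip netns add ns1
# ip netns exec bind-mounts files under /etc/netns/ns1 over /etc inside the
# namespace. Point resolv.conf at systemd-resolved's upstream-server file,
# not the 127.0.0.53 stub, which is not reachable from another namespace.
mkdir -p /etc/netns/ns1
ln -s /run/systemd/resolve/resolv.conf /etc/netns/ns1/resolv.conf
# veth pair: v-eth1 stays on the host, v-peer1 is moved into ns1.
ip link add v-eth1 type veth peer name v-peer1
ip link set v-peer1 netns ns1
ip addr add 100.20.1.1/24 dev v-eth1
ip link set v-eth1 up
ip netns exec ns1 ip addr add 100.20.1.2/24 dev v-peer1
ip netns exec ns1 ip link set v-peer1 up
ip netns exec ns1 ip link set lo up
ip netns exec ns1 ip route add default via 100.20.1.1
# Outbound interface for NAT, taken from the host's default route instead of
# a hard-coded eth0 (field 5 of "default via GW dev IF ..."); falls back to
# eth0 when no default route is present.
ext_if=$(ip route show default | awk '{ print $5; exit }')
ext_if=${ext_if:-eth0}
echo 1 > /proc/sys/net/ipv4/ip_forward
# These flush the host's whole FORWARD chain and nat table, not only the
# rules this script adds.
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
iptables -t nat -A POSTROUTING -s 100.20.1.0/24 -o "$ext_if" -j MASQUERADE
iptables -A FORWARD -i v-eth1 -o "$ext_if" -j ACCEPT
iptables -A FORWARD -o v-eth1 -i "$ext_if" -j ACCEPT
# Connectivity checks: the namespace's routes, then one outbound request
# (this contacts a third-party service).
ip netns exec ns1 ip route show
ip netns exec ns1 curl ifconfig.co
# ip netns exec ns1 /bin/bash --rcfile <(echo "PS1=\"namespace ns1> \"")
# Loopback check inside ns1: background listener, probe, then stop it. The
# pid is captured with $! rather than a job spec, which stays correct when
# job numbers are reused.
ip netns exec ns1 nc -l -s 127.0.0.1 -p 80 &
listener=$!
ip netns exec ns1 nc 127.0.0.1 80 -zv
kill "$listener"
# Expose ns1's port 80 to every non-local source. PREROUTING does not see
# packets generated on the host itself; the commented OUTPUT rule below is
# the local-access variant.
iptables -t nat -A PREROUTING ! -s 100.20.1.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 100.20.1.2
# iptables -t nat -A POSTROUTING -d 100.20.1.2/24 -j SNAT --to-source 100.20.1.1
# iptables -t nat -A OUTPUT -d 192.168.1.5 -p tcp -m tcp --dport 80 -j DNAT --to-destination 100.20.1.2
ip netns exec ns1 nc -l -s 100.20.1.2 -p 80 &
listener=$!
ip netns exec ns1 nc 100.20.1.2 80 -zv
# 192.168.1.5 is presumably the host's own LAN address in this example.
nc -vz 192.168.1.5 80
# The original left this second listener running after the script exited.
kill "$listener"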
#!/bin/bash
#
# add 2 network namespaces
#
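#
# add 2 network namespaces
#
ip netns add red
ip netns add blue
ip netns
#
# view details (arp/route are the legacy net-tools commands; ip neigh and
# ip route are the iproute2 equivalents)
#
ip link
ip netns exec red ip link # ip -n red link
arp
ip netns exec red arp
route
ip netns exec red route
#
# 1-to-1 connection between namespaces
#
ip link add veth-red type veth peer name veth-blue
ip link set veth-red netns red
ip link set veth-blue netns blue
#
# add ips -- with an explicit /24: without a prefix length iproute2 assigns
# /32, and the two ends then have no route to each other
#
ip -n red addr add 192.168.15.1/24 dev veth-red
ip -n blue addr add 192.168.15.2/24 dev veth-blue
#
# bring up
#
ip -n red link set veth-red up
ip -n blue link set veth-blue up
#
# add bridge
#
ip link add vnet0 type bridge
ip link set dev vnet0 up
#
# remove 1-to-1 (deleting one end of a veth pair removes the peer in blue too)
#
ip -n red link set veth-red down
ip -n red link del veth-red
#
# add bridge interfaces
#
ip link add veth-red type veth peer name veth-red-br
ip link add veth-blue type veth peer name veth-blue-br
#
# add interface to bridge
#
ip link set veth-red netns red
ip link set veth-red-br master vnet0
#
# add interface to bridge
#
ip link set veth-blue netns blue
ip link set veth-blue-br master vnet0
#
# assign ips (same /24 as the bridge address below)
#
ip -n red addr add 192.168.15.1/24 dev veth-red
ip -n blue addr add 192.168.15.2/24 dev veth-blue
#
# bring up
#
ip -n red link set veth-red up
ip -n blue link set veth-blue up
#
# assign ip to bridge
#
ip addr add 192.168.15.5/24 dev vnet0
#
# external host
#
ip netns exec blue ip route add 192.168.1.0/24 via 192.168.15.5
#
# nat to external host
#
iptables -t nat -A POSTROUTING -s 192.168.15.0/24 -j MASQUERADE
#
# default route
#
ip netns exec blue ip route add default via 192.168.15.5
#
# dnat to inside: --dport requires -p tcp, and --to-destination is a DNAT
# target option so it must come after -j DNAT (iptables rejects both forms
# used by the original).
# NOTE(review): 192.168.15.5 is the bridge's own address, i.e. the host, so
# this maps port 80 back to the host; a namespace address such as
# 192.168.15.2 may have been intended -- confirm.
#
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.15.5:80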

avoidik commented Aug 7, 2021

#!/usr/bin/env bash
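#######################################
# Print a usage summary generated from the "<letter>) # text" comments on
# this script's case arms, then exit. The script reads itself through $0,
# now quoted so a path containing spaces still works.
# Outputs: usage text on stdout
# Returns: never returns; exits 0
#######################################
usage() {
  echo "$0 usage:" \
    && grep "[[:space:]].)\ #" "$0" | sed -r -e 's/#//' -e 's/([a-z])\)/-\1/'
  exit 0
}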
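# No arguments at all: print the help (usage exits the script).
[ $# -eq 0 ] && usage
while getopts ":hs:p:" arg; do
  case $arg in
    p) # Specify p value.
      echo "p is ${OPTARG}"
      ;;
    s) # Specify strength, either 45 or 90.
      strength=${OPTARG}
      # Check the value is numeric before the -eq tests, which would error on
      # non-digits. An explicit if/else replaces the deprecated "-o" test and
      # the && / || chain, which also ran the error branch whenever the
      # success echo itself failed.
      if [[ "$strength" =~ ^[0-9]+$ ]] \
        && { [ "$strength" -eq 45 ] || [ "$strength" -eq 90 ]; }; then
        echo "Strength is $strength."
      else
        echo "Strength needs to be either 45 or 90, $strength found instead."
      fi
      ;;
    h | *) # Display help.
      # Also reached for unknown options and a missing option argument.
      usage
      exit 0
      ;;
  esac
done
shift $((OPTIND-1)); [[ "${1}" == "--" ]] && shift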


avoidik commented Oct 21, 2022
