Linux Networking – Connect to Internet Through Network Namespace Without Default Route


I need to do a setup like this (with Linux):

  • I want to have a network namespace (let's say weth_ns) with a network interface connected to internet (weth0)
  • I want to have a different network interface as a default route in the host namespace (eth0)
  • I want to somehow be able to use things like curl, with some kind of interface, to transparently use the network inside that namespace to connect to internet.

So, like this.


I cannot seem to get it work. What I did so far:

ip netns add weth_ns
ip link set weth0 netns weth_ns
ip netns exec weth_ns ip link set dev weth0 up
ip netns exec weth_ns ip a # to see list to make sure it's there
ip netns exec weth_ns dhclient weth0

ip netns exec weth_ns curl # works as expected

This sets up the namespace and puts the interface there. That makes curl work inside the namespace. Now I want to somehow use the isolated namespace connection from the host.

What I tried to do is set up a bridge, and set up iptables inside the namespace. So what I run:

ip link add veth0_left type veth peer veth0_right
ip link add bridge0 type bridge
ip link set bridge0 up
ip addr add dev bridge0 # is address I came up with
ip link set veth0_left master bridge0 up 
ip link set dev veth0_right netns weth_ns
ip netns exec weth_ns ip link set dev veth0_right up
ip netns exec mobile_ns ip addr add dev veth0_right

This adds a brige; I can now successfully ping from namespace to namespace. So the bridge itself works.

ping # works
ip netns exec mobile_ns ping # works

And now I need to set up iptables to use the connection inside the namespace. I suspect this is where I do some kind of mistake. This is what I gathered from various online sources:

ip netns exec mobile_ns bash
# all following inside the namespace bash:
iptables -t nat -A POSTROUTING -s -o weth0 -j MASQUERADE
iptables -A FORWARD -i weth0 -o veth0_right -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o weth0 -i veth0_right -m state --state ESTABLISHED,RELATED -j ACCEPT

(all the involved networks have /proc/sys/net/ipv4/conf/<network>/forwarding set to 1. From both inside and outside of the namespace.)

And… it does not work. My network should look like this now; but I cannot connect through curl. With either veth0_left or bridge0 network interface.

diagram 2

I must be doing something wrong somewhere.


To specify what "does not work mean".

curl --interface bridge0
curl: (7) Failed to connect to port 80: No route to host
curl --interface veth0_left
curl: (7) Failed to connect to port 80: No route to host

When I try to see tcpdump, inside the namespace, I see who-has ARP requests, but only on the bridge interface. It seems to never "go" into the weth0 interface.

Best Answer

Ah. The thing is, curl --interface does not magically get around routing.

As explained here

Related Topic