The Basics of Network Namespace in Linux Explained

Neeraj GuptaNeeraj Gupta
4 min read

A network namespace in Linux is like creating separate "mini-networks" within the same Linux system. Imagine you have one computer but you want it to act like several isolated machines with their network settings, IP addresses, and interfaces. A network namespace does exactly that by providing each namespace with its unique network stack, including its own IP routing tables, firewall rules, and interfaces.

A single Linux machine can behave as if it has multiple, isolated networks running independently.

Pros:

  1. Isolation: Each namespace is isolated, so changes in one namespace don’t affect the others. This is especially useful for testing different network setups or running applications in isolated environments.

  2. Usage: Commonly used in container technology (like Docker) to ensure each container has its network environment.

As a demonstration…

I’m using the Ubuntu distribution and Linux Bridge (the native solution to create a virtual switch for the namespaces).
In this example, we are creating 2 namespaces connecting them through a virtual switch, and isolating them from the host network.

  • Create two network namespaces.
    Creating the two network namespaces called web-ns & db-ns.
    ip netns add web-ns
    ip netns add db-ns
    Verify that the network namespace has been created,
    ip netns

  • Create an Internal bridge switch on the host for a namespace.
    Creating the bridge network on the host called vnet-0.
    ip link add vnet-0 type bridge
    Verify that the bridge network has been created.
    ip link

  • Assign the IP to the bridge network.
    The bridge switch is a network interface for the host, so we need to assign the IP to that interface.
    We are using the following CIDR range for this bridge network hence, assigning the following IP in the vnet-0 interface on the host.
    CIDR: 192.168.15.0/24
    ip addr add 192.168.15.1/24 dev vnet-0
    Verify the same using the following command.
    ip addr show dev vnet-0

  • Create the virtual ethernet pair (virtual cable).
    A virtual ethernet pair consists of two interconnected virtual network interfaces that act like a cable connecting two network namespaces or containers.
    These are virtual network cables that will connect the namespaces to the bridge.
    ip link add eth0-web type veth peer name veth-web-br
    ip link add eth0-db type veth peer name veth-db-br

  • Attach interfaces to the namespaces and the bridge.
    Connects one end of each virtual Ethernet pair to the respective namespace, and the other end to the bridge. The eth0-web goes to web-ns, and eth0-db goes to db-ns.
    ip link set eth0-web netns web-ns
    ip link set veth-web-br master vnet-0
    ip link set eth0-db netns db-ns
    ip link set veth-db-br master vnet-0
    This establishes the network connections so that the namespaces can communicate with the bridge, and through it, each other.

  • Activates the virtual interfaces on the bridge side.
    The interfaces need to be active for the network communication to work.
    ip link set dev veth-web-br up
    ip link set dev veth-db-br up

  • Assign IP addresses to the interfaces inside the namespaces.
    Considering the above CIDR, use the following IP to the interface, and then activate the interfaces inside the namespaces.
    ip -n web-ns addr add 192.168.15.5/24 dev eth0-web
    ip -n web-ns link set dev eth0-web up
    ip -n db-ns addr add 192.168.15.6/24 dev eth0-db
    ip -n db-ns link set dev eth0-db up
    Verify the interface IP and route inside the namespaces.
    ip -n web-ns addr
    ip netns exec web-ns route
    ip -n db-ns addr
    ip netns exec db-ns route

  • Test connectivity between namespaces.
    Pings from one namespace to the other to check if they can reach each other.
    ip netns exec web-ns ping 192.168.15.6
    ip netns exec db-ns ping 192.168.15.5
    This tests the network connection between the two namespaces to make sure everything is working so far.

  • Configure the default gateway in both namespaces.
    Adds a default route in both namespaces, directing all traffic to the bridge (192.168.15.1).
    ip netns exec web-ns ip route add default via 192.168.15.1
    ip netns exec db-ns ip route add default via 192.168.15.1
    This allows the namespaces to access the internet (or any external network) by routing their traffic through the bridge.
    Verify the routes in the respective namespaces.
    ip netns exec web-ns ip route
    ip netns exec db-ns ip route

  • Set up NAT (Network Address Translation) on the host.
    Adds an iptables rule to enable NAT, which allows the namespaces to access external networks (like the internet) by modifying the source address of the packets.
    Without this, the namespaces would not be able to access the internet. NAT makes the traffic appear as if it’s coming from the host machine.
    iptables -t nat -A POSTROUTING -s 192.168.15.0/24 -j MASQUERADE
    Verify the iptables rules with the following command.
    iptables -t nat -L -v

Conclusion

Network namespaces in Linux provide a powerful and flexible mechanism to isolate and manage networking resources in a virtualized environment. By creating different network namespaces, you can simulate separate, independent network stacks on the same physical host. This is particularly useful for containerization, multi-tenant environments, and network testing.

Github: https://github.com/minex970/linux-basics/tree/main/networking

2
Subscribe to my newsletter

Read articles from Neeraj Gupta directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Neeraj Gupta
Neeraj Gupta