Linux network namespaces are a Linux kernel feature allowing us to isolate network environments through virtualization. For example, using network namespaces, you can create separate network interfaces and routing tables that are isolated from the rest of the system and operate independently.

To put namespaces in context, Linux namespaces are the basis of container technologies like Docker or Kubernetes.

For now, Linux includes 6 types of namespaces: pid, net, uts, mnt, ipc, and user. This tutorial focuses on Linux network namespaces.

If you run lsns, it displays all existing namespaces on your system.


Note: The namespace used for this tutorial is named linuxhint; replace it with your namespace name.

Adding a Linux network namespace:

Managing network namespaces is done using the ip netns command followed by the proper options.

To create a network namespace in Linux, execute the ip command followed by the netns (network namespace) option, the add option, and the new namespace name, as shown below. Then run ip netns on its own to list only the existing network namespaces. Remember to replace linuxhint with the name of your namespace.

ip netns add linuxhint

ip netns


As you can see, a new namespace was created named linuxhint.

Network namespaces have their own interfaces, routing tables, loopback interface, iptables rules, etc. You need to create these resources for your namespace.

Creating loopback interface for the namespace:

To run commands within a network namespace, the syntax is the following.

ip netns exec <NameSpace> <command>

By default, the loopback interface is down. To bring it up, run the following command, which, as explained previously, executes ip link set dev lo up within the chosen namespace.

ip netns exec linuxhint ip link set dev lo up


You can check if your loopback interface was added properly by running the following command:

ip netns exec linuxhint ip address


You can also ping your namespace loopback interface to test it, as shown below.

ip netns exec linuxhint ping 127.0.0.1


Adding network interfaces to your namespace:

You can associate a hardware network card with your namespace, or you can add virtual network devices. By adding virtual network interfaces, you can allow connectivity between different namespaces. Virtual network devices are named veth (Virtual Ethernet Device).

To create a virtual Ethernet device, run the following command, where v-enp2s0 is the arbitrary name of the new device and v-eth0 the name of its peer; replace them with yours.

ip link add v-enp2s0 type veth peer name v-eth0


Now assign the virtual device to your namespace by running the command below.

ip link set v-eth0 netns linuxhint


Assign an IP address to the new network device as shown below.

ip -n linuxhint addr add 10.0.1.0/24 dev v-eth0


By default, the network device is down; you need to set it up. To set your virtual network device up, run the following command.

ip -n linuxhint link set v-eth0 up


Run the following command to confirm that the virtual device was added properly.

ip netns exec linuxhint sudo ifconfig


The example below shows how to assign a physical network card to your network namespace. In this case, the physical network card is enp2s0.

ip link set dev enp2s0 netns linuxhint


As you can see by running the example below, the network card was added properly. You can assign an IP address using the same commands explained previously.

ip netns exec linuxhint sudo ifconfig


As explained previously, each namespace has its own route table, IP, and more, including its own firewall rules. Adding firewall rules to your namespace is simple; just run the commands after ip netns exec linuxhint, as shown below. The example below lists the iptables policies, if any exist.

ip netns exec linuxhint sudo iptables -L


The following example shows the same but using UFW (Uncomplicated Firewall) instead of iptables. In this case, the firewall is reported as disabled.

ip netns exec linuxhint sudo ufw status


Removing a Linux Network Namespace:

Removing network namespaces is as simple as adding them.

To remove a namespace, run the command below, replacing linuxhint with your namespace.


As you can see, after running ip netns, no network namespace was shown; it was successfully removed.
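
The procedure above as one script, added here as an illustration and not taken from the original tutorial: it also configures the host end of the veth pair, which the walkthrough leaves without an address, and loads a default-deny inbound iptables policy inside the namespace. The 10.0.1.1 and 10.0.1.2 addresses, the function names and the APPLY switch are assumptions of this example; without APPLY=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: dry run by default; set APPLY=1 and run as root to execute.
# Names and addresses are constructed sample values; override via environment.
NS=${NS:-linuxhint}; HOST_IF=${HOST_IF:-v-enp2s0}; NS_IF=${NS_IF:-v-eth0}
HOST_IP=${HOST_IP:-10.0.1.1}; NS_IP=${NS_IP:-10.0.1.2}

# Print each command; execute it only when APPLY=1.
run() { echo "$*"; [ "${APPLY:-0}" = 1 ] || return 0; "$@"; }

# Kernel interface names: 1-15 characters, no '/', ':' or whitespace.
valid_ifname() {
    case $1 in
        ''|.|..|*/*|*:*|*[[:space:]]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

netns_up() {
    valid_ifname "$HOST_IF" && valid_ifname "$NS_IF" || { echo "bad interface name" >&2; return 1; }
    run ip netns add "$NS"
    run ip -n "$NS" link set dev lo up
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    run ip link set "$NS_IF" netns "$NS"
    # The host end needs its own address and must be up too,
    # otherwise no traffic can cross the veth pair.
    run ip addr add "$HOST_IP/24" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    run ip -n "$NS" addr add "$NS_IP/24" dev "$NS_IF"
    run ip -n "$NS" link set "$NS_IF" up
}

# Default-deny inbound policy that exists only inside the namespace.
netns_firewall() {
    run ip netns exec "$NS" iptables -P INPUT DROP
    run ip netns exec "$NS" iptables -P FORWARD DROP
    run ip netns exec "$NS" iptables -A INPUT -i lo -j ACCEPT
    run ip netns exec "$NS" iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip netns exec "$NS" iptables -A INPUT -s "$HOST_IP" -p icmp --icmp-type echo-request -j ACCEPT
}

netns_check() { run ping -c 1 -W 2 "$NS_IP"; }   # host end -> namespace end
netns_down()  { run ip netns delete "$NS"; }

netns_up && netns_firewall && netns_check && netns_down
```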

Conclusion:

Linux namespaces are a formidable method to isolate processes, filesystems, networks, and more. This functionality allows us to execute instances independently, which is extremely useful for security purposes. Namespaces are containers whose contents are fully isolated from the rest of the system, including from other namespaces. In this way, we can run different services in different containers. If a namespace gets compromised under an attack, the rest of the system remains safe. Using Linux namespaces, you can offer multiple clients their own environment; this feature is also great for testing purposes or for running software whose origin is suspicious: if malicious code is executed, only your namespace will be affected, leaving your device safe.

I hope this tutorial on Linux namespaces was useful. Keep following Linux Hint for more Linux tips and tutorials.

About the author


David Adams

David Adams is a System Admin and writer that is focused on open source technologies, security software, and computer systems.