Bind unix program to specific network interface
Question:
How do I launch a program while ensuring that its network access is bound via a specific network interface?
Case:
I want to access two distinct machines with the same IP (192.168.1.1), but accessible via two different network interfaces (eth1 and eth2).
Example:
net-bind -D eth1 -exec {Program 192.168.1.1}
net-bind -D eth2 -exec {Program 192.168.1.1}
The above is an approximation of what I'd like, inspired by the hardware binding done via primusrun and optirun.
Challenge: As suggested in a related thread, the interfaces used are not chosen by the program, but rather by the kernel (Hence the pre-binding syntax in the above example).
I've found some related solutions, which are unsatisfactory. They are based on binding network interfaces via user-specific network blacklisting; i.e., running the process as a user which can only access a single specific network interface.
routing network-interface
|
show 5 more comments
Question:
How do I launch a program while ensuring that its network access is bound via a specific network interface?
Case:
I want to access two distinct machines with the same IP (192.168.1.1), but accessible via two different network interfaces (eth1 and eth2).
Example:
net-bind -D eth1 -exec {Program 192.168.1.1}
net-bind -D eth2 -exec {Program 192.168.1.1}
The above is an approximation of what I'd like, inspired by the hardware binding done via primusrun and optirun.
Challenge: As suggested in a related thread, the interfaces used are not chosen by the program, but rather by the kernel (Hence the pre-binding syntax in the above example).
I've found some related solutions, which are unsatisfactory. They are based on binding network interfaces via user-specific network blacklisting; i.e., running the process as a user which can only access a single specific network interface.
routing network-interface
Are you implying that your machine is connected to two different networks, both 192.168.1.0? What does your routing table look like? If you want to restrict the interfaces visible from a process, the lightest solution would be cgroups, a heavier one containers.
– lgeorget
Jun 20 '15 at 12:41
Yes, two different networks, both on the same IP range. I'm not certain I wan't to restrict the visible interfaces, just dictate which one to use as default? :)
– Skeen
Jun 20 '15 at 15:05
2
What you ask is difficult for one good reason: having two networks interconnected using the same IP domain is like having an elevator in a building with two floors with the same number. The IP range is what identifies the domain not the output interface. Nevertheless there must be a way to work around your flawed network design with iptables.
– lgeorget
Jun 20 '15 at 16:50
I'm connecting my system to two different in-place infrastructures, as such the infrastructures were never designed to interact, and hence the network design is flawed in that regards.
– Skeen
Jun 21 '15 at 1:41
1
My argument towards NATs was that entire address spaces are usually hidden behind the NAT, and as I'm connecting two NAT'ted infrastructures the collision occurs. - I'm not in any position to modify the infrastructure. - I tried using network namespaces with virtual network interfaces pairs (one in the namespace, one in the root namespace) bridging the root namespace one to physical interface, and running programs within the network namespace. - This seems to be working, but I'm not getting access beyond the root namespace (i.e. no access outside the machine itself).
– Skeen
Jun 21 '15 at 9:13
|
show 5 more comments
Question:
How do I launch a program while ensuring that its network access is bound via a specific network interface?
Case:
I want to access two distinct machines with the same IP (192.168.1.1), but accessible via two different network interfaces (eth1 and eth2).
Example:
net-bind -D eth1 -exec {Program 192.168.1.1}
net-bind -D eth2 -exec {Program 192.168.1.1}
The above is an approximation of what I'd like, inspired by the hardware binding done via primusrun and optirun.
Challenge: As suggested in a related thread, the interfaces used are not chosen by the program, but rather by the kernel (Hence the pre-binding syntax in the above example).
I've found some related solutions, which are unsatisfactory. They are based on binding network interfaces via user-specific network blacklisting; i.e., running the process as a user which can only access a single specific network interface.
routing network-interface
Question:
How do I launch a program while ensuring that its network access is bound via a specific network interface?
Case:
I want to access two distinct machines with the same IP (192.168.1.1), but accessible via two different network interfaces (eth1 and eth2).
Example:
net-bind -D eth1 -exec {Program 192.168.1.1}
net-bind -D eth2 -exec {Program 192.168.1.1}
The above is an approximation of what I'd like, inspired by the hardware binding done via primusrun and optirun.
Challenge: As suggested in a related thread, the interfaces used are not chosen by the program, but rather by the kernel (Hence the pre-binding syntax in the above example).
I've found some related solutions, which are unsatisfactory. They are based on binding network interfaces via user-specific network blacklisting; i.e., running the process as a user which can only access a single specific network interface.
routing network-interface
routing network-interface
edited Apr 13 '17 at 12:36
Community♦
1
1
asked Jun 20 '15 at 11:22
Skeen
3711310
3711310
Are you implying that your machine is connected to two different networks, both 192.168.1.0? What does your routing table look like? If you want to restrict the interfaces visible from a process, the lightest solution would be cgroups, a heavier one containers.
– lgeorget
Jun 20 '15 at 12:41
Yes, two different networks, both on the same IP range. I'm not certain I wan't to restrict the visible interfaces, just dictate which one to use as default? :)
– Skeen
Jun 20 '15 at 15:05
2
What you ask is difficult for one good reason: having two networks interconnected using the same IP domain is like having an elevator in a building with two floors with the same number. The IP range is what identifies the domain not the output interface. Nevertheless there must be a way to work around your flawed network design with iptables.
– lgeorget
Jun 20 '15 at 16:50
I'm connecting my system to two different in-place infrastructures, as such the infrastructures were never designed to interact, and hence the network design is flawed in that regards.
– Skeen
Jun 21 '15 at 1:41
1
My argument towards NATs was that entire address spaces are usually hidden behind the NAT, and as I'm connecting two NAT'ted infrastructures the collision occurs. - I'm not in any position to modify the infrastructure. - I tried using network namespaces with virtual network interfaces pairs (one in the namespace, one in the root namespace) bridging the root namespace one to physical interface, and running programs within the network namespace. - This seems to be working, but I'm not getting access beyond the root namespace (i.e. no access outside the machine itself).
– Skeen
Jun 21 '15 at 9:13
|
show 5 more comments
Are you implying that your machine is connected to two different networks, both 192.168.1.0? What does your routing table look like? If you want to restrict the interfaces visible from a process, the lightest solution would be cgroups, a heavier one containers.
– lgeorget
Jun 20 '15 at 12:41
Yes, two different networks, both on the same IP range. I'm not certain I wan't to restrict the visible interfaces, just dictate which one to use as default? :)
– Skeen
Jun 20 '15 at 15:05
2
What you ask is difficult for one good reason: having two networks interconnected using the same IP domain is like having an elevator in a building with two floors with the same number. The IP range is what identifies the domain not the output interface. Nevertheless there must be a way to work around your flawed network design with iptables.
– lgeorget
Jun 20 '15 at 16:50
I'm connecting my system to two different in-place infrastructures, as such the infrastructures were never designed to interact, and hence the network design is flawed in that regards.
– Skeen
Jun 21 '15 at 1:41
1
My argument towards NATs was that entire address spaces are usually hidden behind the NAT, and as I'm connecting two NAT'ted infrastructures the collision occurs. - I'm not in any position to modify the infrastructure. - I tried using network namespaces with virtual network interfaces pairs (one in the namespace, one in the root namespace) bridging the root namespace one to physical interface, and running programs within the network namespace. - This seems to be working, but I'm not getting access beyond the root namespace (i.e. no access outside the machine itself).
– Skeen
Jun 21 '15 at 9:13
Are you implying that your machine is connected to two different networks, both 192.168.1.0? What does your routing table look like? If you want to restrict the interfaces visible from a process, the lightest solution would be cgroups, a heavier one containers.
– lgeorget
Jun 20 '15 at 12:41
Are you implying that your machine is connected to two different networks, both 192.168.1.0? What does your routing table look like? If you want to restrict the interfaces visible from a process, the lightest solution would be cgroups, a heavier one containers.
– lgeorget
Jun 20 '15 at 12:41
Yes, two different networks, both on the same IP range. I'm not certain I wan't to restrict the visible interfaces, just dictate which one to use as default? :)
– Skeen
Jun 20 '15 at 15:05
Yes, two different networks, both on the same IP range. I'm not certain I wan't to restrict the visible interfaces, just dictate which one to use as default? :)
– Skeen
Jun 20 '15 at 15:05
2
2
What you ask is difficult for one good reason: having two networks interconnected using the same IP domain is like having an elevator in a building with two floors with the same number. The IP range is what identifies the domain not the output interface. Nevertheless there must be a way to work around your flawed network design with iptables.
– lgeorget
Jun 20 '15 at 16:50
What you ask is difficult for one good reason: having two networks interconnected using the same IP domain is like having an elevator in a building with two floors with the same number. The IP range is what identifies the domain not the output interface. Nevertheless there must be a way to work around your flawed network design with iptables.
– lgeorget
Jun 20 '15 at 16:50
I'm connecting my system to two different in-place infrastructures, as such the infrastructures were never designed to interact, and hence the network design is flawed in that regards.
– Skeen
Jun 21 '15 at 1:41
I'm connecting my system to two different in-place infrastructures, as such the infrastructures were never designed to interact, and hence the network design is flawed in that regards.
– Skeen
Jun 21 '15 at 1:41
1
1
My argument towards NATs was that entire address spaces are usually hidden behind the NAT, and as I'm connecting two NAT'ted infrastructures the collision occurs. - I'm not in any position to modify the infrastructure. - I tried using network namespaces with virtual network interfaces pairs (one in the namespace, one in the root namespace) bridging the root namespace one to physical interface, and running programs within the network namespace. - This seems to be working, but I'm not getting access beyond the root namespace (i.e. no access outside the machine itself).
– Skeen
Jun 21 '15 at 9:13
My argument towards NATs was that entire address spaces are usually hidden behind the NAT, and as I'm connecting two NAT'ted infrastructures the collision occurs. - I'm not in any position to modify the infrastructure. - I tried using network namespaces with virtual network interfaces pairs (one in the namespace, one in the root namespace) bridging the root namespace one to physical interface, and running programs within the network namespace. - This seems to be working, but I'm not getting access beyond the root namespace (i.e. no access outside the machine itself).
– Skeen
Jun 21 '15 at 9:13
|
show 5 more comments
2 Answers
2
active
oldest
votes
For Linux, this has already been answered on Superuser - How to use different network interfaces for different processes?.
The most popular answer uses an LD_PRELOAD
trick to change the network binding for a program, but modern kernels support a much more flexible feature called 'network namespaces' which is exposed through the ip
program. This answer shows how to use this. From my own experiments I have done the following (as root):
# Add a new namespace called test_ns
ip netns add test_ns
# Set test to use eth0, after this point eth0 is not usable by programs
# outside the namespace
ip link set eth0 netns test_ns
# Bring up eth0 inside test_ns
ip netns exec test_ns ip link set eth0 up
# Use dhcp to get an ipv4 address for eth0
ip netns exec test_ns dhclient eth0
# Ping google from inside the namespace
ip netns exec test_ns ping www.google.co.uk
It is also possible to manage network namespaces to some extent with the unshare
and nsenter
commands. This allows you to also create separate spaces for PIDs, users and mount points. For some more information see:
- Reliable way to jail child processes using `nsenter:`
- Namespaces in operation
"after this point eth0 is not usable by programs outside the namespace" - So I'm pulling down the connection for all other problems in doing this?
– Skeen
Jun 20 '15 at 15:11
1
@Skeen, yes, so presumably you would push an interface that no other programs are using into the namespace and use your main one normally.
– Graeme
Jun 20 '15 at 15:19
1
@Graerne; Both interfaces are being used actively; I cannot afford taking down the interfaces.
– Skeen
Jun 20 '15 at 15:23
and what with default gateway?wvdial
for example doesn't seem to set it up at all... so it has to be defined in namespace itself
– Flash Thunder
Feb 29 '16 at 8:27
add a comment |
I'm accepting Graeme's answer; this is simply a follow up to explain the changes I did to his suggestion to solve my issue.
Instead of binding the physical interface inside the namespace, I created a virtual network interface pair, with one end in the network namespace and one in the root. Packages are then routed via this virtual network from the namespace, to the root namespace and then to the physical interface.
- As such I'm able to run all my ordinary data transfers, and in addition start processes which can only access a specific interface.
# Create the eth0 network namespace
ip netns add eth0_ns
# Create the virtual network pair
ip link add v_eth0a type veth peer name v_eth0b
# Move v_eth0a to the eth0_ns namespace, the virtual pair is now split
# between two network namespaces.
ip link set v_eth0a netns eth0_ns
# Configure the ends of the virtual network pairs
ip netns exec eth0_ns ifconfig v_eth0a up {{NAMESPACE_IP}} netmask {{NAMESPACE_NETMASK}}
ifconfig v_eth0b up {{ROOT_NS_IP}} netmask {{ROOT_NS_NETMASK}}
# Setup routing from namespace to root
ip netns exec eth0_ns route add default gw {{ROOT_NS_IP}} dev v_eth0a
# Setup IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s {{ROUTE_SOURCE}}/24 -o {{NETWORK_INTERFACE}} -j SNAT --to-source {{ROUTE_TARGET}}
Once the interfaces has been setup for eth0 and eth1, with their respective namespaces eth0_ns and eth1_ns, programs can be executed on the specified interface via;
ip netns exec eth0_ns fish
ip netns exec eth1_ns fish
3
Well done! I think you can also create a bridge device and bridge the default namespace and of the virtual pair with one of the physical devices. This looks equivalent though.
– Graeme
Jun 21 '15 at 10:03
I did try bridging the virtual and physical device; I wasn't able to reach the external network using that solution.
– Skeen
Jun 23 '15 at 13:52
1
I did, but only from the new namespace. I think the issue I was having was related to network manager, I didn't figure it out though or I would have updated my answer.
– Graeme
Jun 23 '15 at 14:10
I have the same issue, but I failed to use that solution. What exactly should I enter in {{ROUTE_SOURCE}} and {{ROUTE_TARGET}} in the last step?
– litov
Dec 4 '16 at 12:18
@Graeme, at least on Ubuntu I was able to get connectivity back in both the namespace as well as the global namespace by issuingdhclient <bridge>
per here.
– Chris Hunt
Mar 26 '17 at 18:46
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f210982%2fbind-unix-program-to-specific-network-interface%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
For Linux, this has already been answered on Superuser - How to use different network interfaces for different processes?.
The most popular answer uses an LD_PRELOAD
trick to change the network binding for a program, but modern kernels support a much more flexible feature called 'network namespaces' which is exposed through the ip
program. This answer shows how to use this. From my own experiments I have done the following (as root):
# Add a new namespace called test_ns
ip netns add test_ns
# Set test to use eth0, after this point eth0 is not usable by programs
# outside the namespace
ip link set eth0 netns test_ns
# Bring up eth0 inside test_ns
ip netns exec test_ns ip link set eth0 up
# Use dhcp to get an ipv4 address for eth0
ip netns exec test_ns dhclient eth0
# Ping google from inside the namespace
ip netns exec test_ns ping www.google.co.uk
It is also possible to manage network namespaces to some extent with the unshare
and nsenter
commands. This allows you to also create separate spaces for PIDs, users and mount points. For some more information see:
- Reliable way to jail child processes using `nsenter:`
- Namespaces in operation
"after this point eth0 is not usable by programs outside the namespace" - So I'm pulling down the connection for all other problems in doing this?
– Skeen
Jun 20 '15 at 15:11
1
@Skeen, yes, so presumably you would push an interface that no other programs are using into the namespace and use your main one normally.
– Graeme
Jun 20 '15 at 15:19
1
@Graerne; Both interfaces are being used actively; I cannot afford taking down the interfaces.
– Skeen
Jun 20 '15 at 15:23
and what with default gateway?wvdial
for example doesn't seem to set it up at all... so it has to be defined in namespace itself
– Flash Thunder
Feb 29 '16 at 8:27
add a comment |
For Linux, this has already been answered on Superuser - How to use different network interfaces for different processes?.
The most popular answer uses an LD_PRELOAD
trick to change the network binding for a program, but modern kernels support a much more flexible feature called 'network namespaces' which is exposed through the ip
program. This answer shows how to use this. From my own experiments I have done the following (as root):
# Add a new namespace called test_ns
ip netns add test_ns
# Set test to use eth0, after this point eth0 is not usable by programs
# outside the namespace
ip link set eth0 netns test_ns
# Bring up eth0 inside test_ns
ip netns exec test_ns ip link set eth0 up
# Use dhcp to get an ipv4 address for eth0
ip netns exec test_ns dhclient eth0
# Ping google from inside the namespace
ip netns exec test_ns ping www.google.co.uk
It is also possible to manage network namespaces to some extent with the unshare
and nsenter
commands. This allows you to also create separate spaces for PIDs, users and mount points. For some more information see:
- Reliable way to jail child processes using `nsenter:`
- Namespaces in operation
"after this point eth0 is not usable by programs outside the namespace" - So I'm pulling down the connection for all other problems in doing this?
– Skeen
Jun 20 '15 at 15:11
1
@Skeen, yes, so presumably you would push an interface that no other programs are using into the namespace and use your main one normally.
– Graeme
Jun 20 '15 at 15:19
1
@Graerne; Both interfaces are being used actively; I cannot afford taking down the interfaces.
– Skeen
Jun 20 '15 at 15:23
and what with default gateway?wvdial
for example doesn't seem to set it up at all... so it has to be defined in namespace itself
– Flash Thunder
Feb 29 '16 at 8:27
add a comment |
For Linux, this has already been answered on Superuser - How to use different network interfaces for different processes?.
The most popular answer uses an LD_PRELOAD
trick to change the network binding for a program, but modern kernels support a much more flexible feature called 'network namespaces' which is exposed through the ip
program. This answer shows how to use this. From my own experiments I have done the following (as root):
# Add a new namespace called test_ns
ip netns add test_ns
# Set test to use eth0, after this point eth0 is not usable by programs
# outside the namespace
ip link set eth0 netns test_ns
# Bring up eth0 inside test_ns
ip netns exec test_ns ip link set eth0 up
# Use dhcp to get an ipv4 address for eth0
ip netns exec test_ns dhclient eth0
# Ping google from inside the namespace
ip netns exec test_ns ping www.google.co.uk
It is also possible to manage network namespaces to some extent with the unshare
and nsenter
commands. This allows you to also create separate spaces for PIDs, users and mount points. For some more information see:
- Reliable way to jail child processes using `nsenter:`
- Namespaces in operation
For Linux, this has already been answered on Superuser - How to use different network interfaces for different processes?.
The most popular answer uses an LD_PRELOAD
trick to change the network binding for a program, but modern kernels support a much more flexible feature called 'network namespaces' which is exposed through the ip
program. This answer shows how to use this. From my own experiments I have done the following (as root):
# Add a new namespace called test_ns
ip netns add test_ns
# Set test to use eth0, after this point eth0 is not usable by programs
# outside the namespace
ip link set eth0 netns test_ns
# Bring up eth0 inside test_ns
ip netns exec test_ns ip link set eth0 up
# Use dhcp to get an ipv4 address for eth0
ip netns exec test_ns dhclient eth0
# Ping google from inside the namespace
ip netns exec test_ns ping www.google.co.uk
It is also possible to manage network namespaces to some extent with the unshare
and nsenter
commands. This allows you to also create separate spaces for PIDs, users and mount points. For some more information see:
- Reliable way to jail child processes using `nsenter:`
- Namespaces in operation
edited Apr 13 '17 at 12:36
Community♦
1
1
answered Jun 20 '15 at 13:16
Graeme
24.9k46396
24.9k46396
"after this point eth0 is not usable by programs outside the namespace" - So I'm pulling down the connection for all other problems in doing this?
– Skeen
Jun 20 '15 at 15:11
1
@Skeen, yes, so presumably you would push an interface that no other programs are using into the namespace and use your main one normally.
– Graeme
Jun 20 '15 at 15:19
1
@Graerne; Both interfaces are being used actively; I cannot afford taking down the interfaces.
– Skeen
Jun 20 '15 at 15:23
and what with default gateway?wvdial
for example doesn't seem to set it up at all... so it has to be defined in namespace itself
– Flash Thunder
Feb 29 '16 at 8:27
add a comment |
"after this point eth0 is not usable by programs outside the namespace" - So I'm pulling down the connection for all other problems in doing this?
– Skeen
Jun 20 '15 at 15:11
1
@Skeen, yes, so presumably you would push an interface that no other programs are using into the namespace and use your main one normally.
– Graeme
Jun 20 '15 at 15:19
1
@Graerne; Both interfaces are being used actively; I cannot afford taking down the interfaces.
– Skeen
Jun 20 '15 at 15:23
and what with default gateway?wvdial
for example doesn't seem to set it up at all... so it has to be defined in namespace itself
– Flash Thunder
Feb 29 '16 at 8:27
"after this point eth0 is not usable by programs outside the namespace" - So I'm pulling down the connection for all other problems in doing this?
– Skeen
Jun 20 '15 at 15:11
"after this point eth0 is not usable by programs outside the namespace" - So I'm pulling down the connection for all other problems in doing this?
– Skeen
Jun 20 '15 at 15:11
1
1
@Skeen, yes, so presumably you would push an interface that no other programs are using into the namespace and use your main one normally.
– Graeme
Jun 20 '15 at 15:19
@Skeen, yes, so presumably you would push an interface that no other programs are using into the namespace and use your main one normally.
– Graeme
Jun 20 '15 at 15:19
1
1
@Graerne; Both interfaces are being used actively; I cannot afford taking down the interfaces.
– Skeen
Jun 20 '15 at 15:23
@Graerne; Both interfaces are being used actively; I cannot afford taking down the interfaces.
– Skeen
Jun 20 '15 at 15:23
and what with default gateway?
wvdial
for example doesn't seem to set it up at all... so it has to be defined in namespace itself– Flash Thunder
Feb 29 '16 at 8:27
and what with default gateway?
wvdial
for example doesn't seem to set it up at all... so it has to be defined in namespace itself– Flash Thunder
Feb 29 '16 at 8:27
add a comment |
I'm accepting Graeme's answer; this is simply a follow up to explain the changes I did to his suggestion to solve my issue.
Instead of binding the physical interface inside the namespace, I created a virtual network interface pair, with one end in the network namespace and one in the root. Packages are then routed via this virtual network from the namespace, to the root namespace and then to the physical interface.
- As such I'm able to run all my ordinary data transfers, and in addition start processes which can only access a specific interface.
# Create the eth0 network namespace
ip netns add eth0_ns
# Create the virtual network pair
ip link add v_eth0a type veth peer name v_eth0b
# Move v_eth0a to the eth0_ns namespace, the virtual pair is now split
# between two network namespaces.
ip link set v_eth0a netns eth0_ns
# Configure the ends of the virtual network pairs
ip netns exec eth0_ns ifconfig v_eth0a up {{NAMESPACE_IP}} netmask {{NAMESPACE_NETMASK}}
ifconfig v_eth0b up {{ROOT_NS_IP}} netmask {{ROOT_NS_NETMASK}}
# Setup routing from namespace to root
ip netns exec eth0_ns route add default gw {{ROOT_NS_IP}} dev v_eth0a
# Setup IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s {{ROUTE_SOURCE}}/24 -o {{NETWORK_INTERFACE}} -j SNAT --to-source {{ROUTE_TARGET}}
Once the interfaces has been setup for eth0 and eth1, with their respective namespaces eth0_ns and eth1_ns, programs can be executed on the specified interface via;
ip netns exec eth0_ns fish
ip netns exec eth1_ns fish
3
Well done! I think you can also create a bridge device and bridge the default namespace and of the virtual pair with one of the physical devices. This looks equivalent though.
– Graeme
Jun 21 '15 at 10:03
I did try bridging the virtual and physical device; I wasn't able to reach the external network using that solution.
– Skeen
Jun 23 '15 at 13:52
1
I did, but only from the new namespace. I think the issue I was having was related to network manager, I didn't figure it out though or I would have updated my answer.
– Graeme
Jun 23 '15 at 14:10
I have the same issue, but I failed to use that solution. What exactly should I enter in {{ROUTE_SOURCE}} and {{ROUTE_TARGET}} in the last step?
– litov
Dec 4 '16 at 12:18
@Graeme, at least on Ubuntu I was able to get connectivity back in both the namespace as well as the global namespace by issuingdhclient <bridge>
per here.
– Chris Hunt
Mar 26 '17 at 18:46
add a comment |
I'm accepting Graeme's answer; this is simply a follow up to explain the changes I did to his suggestion to solve my issue.
Instead of binding the physical interface inside the namespace, I created a virtual network interface pair, with one end in the network namespace and one in the root. Packages are then routed via this virtual network from the namespace, to the root namespace and then to the physical interface.
- As such I'm able to run all my ordinary data transfers, and in addition start processes which can only access a specific interface.
# Create the eth0 network namespace
ip netns add eth0_ns
# Create the virtual network pair
ip link add v_eth0a type veth peer name v_eth0b
# Move v_eth0a to the eth0_ns namespace, the virtual pair is now split
# between two network namespaces.
ip link set v_eth0a netns eth0_ns
# Configure the ends of the virtual network pairs
ip netns exec eth0_ns ifconfig v_eth0a up {{NAMESPACE_IP}} netmask {{NAMESPACE_NETMASK}}
ifconfig v_eth0b up {{ROOT_NS_IP}} netmask {{ROOT_NS_NETMASK}}
# Setup routing from namespace to root
ip netns exec eth0_ns route add default gw {{ROOT_NS_IP}} dev v_eth0a
# Setup IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s {{ROUTE_SOURCE}}/24 -o {{NETWORK_INTERFACE}} -j SNAT --to-source {{ROUTE_TARGET}}
Once the interfaces has been setup for eth0 and eth1, with their respective namespaces eth0_ns and eth1_ns, programs can be executed on the specified interface via;
ip netns exec eth0_ns fish
ip netns exec eth1_ns fish
3
Well done! I think you can also create a bridge device and bridge the default namespace and of the virtual pair with one of the physical devices. This looks equivalent though.
– Graeme
Jun 21 '15 at 10:03
I did try bridging the virtual and physical device; I wasn't able to reach the external network using that solution.
– Skeen
Jun 23 '15 at 13:52
1
I did, but only from the new namespace. I think the issue I was having was related to network manager, I didn't figure it out though or I would have updated my answer.
– Graeme
Jun 23 '15 at 14:10
I have the same issue, but I failed to use that solution. What exactly should I enter in {{ROUTE_SOURCE}} and {{ROUTE_TARGET}} in the last step?
– litov
Dec 4 '16 at 12:18
@Graeme, at least on Ubuntu I was able to get connectivity back in both the namespace as well as the global namespace by issuingdhclient <bridge>
per here.
– Chris Hunt
Mar 26 '17 at 18:46
add a comment |
I'm accepting Graeme's answer; this is simply a follow up to explain the changes I did to his suggestion to solve my issue.
Instead of binding the physical interface inside the namespace, I created a virtual network interface pair, with one end in the network namespace and one in the root. Packages are then routed via this virtual network from the namespace, to the root namespace and then to the physical interface.
- As such I'm able to run all my ordinary data transfers, and in addition start processes which can only access a specific interface.
# Create the eth0 network namespace
ip netns add eth0_ns
# Create the virtual network pair
ip link add v_eth0a type veth peer name v_eth0b
# Move v_eth0a to the eth0_ns namespace, the virtual pair is now split
# between two network namespaces.
ip link set v_eth0a netns eth0_ns
# Configure the ends of the virtual network pairs
ip netns exec eth0_ns ifconfig v_eth0a up {{NAMESPACE_IP}} netmask {{NAMESPACE_NETMASK}}
ifconfig v_eth0b up {{ROOT_NS_IP}} netmask {{ROOT_NS_NETMASK}}
# Setup routing from namespace to root
ip netns exec eth0_ns route add default gw {{ROOT_NS_IP}} dev v_eth0a
# Setup IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s {{ROUTE_SOURCE}}/24 -o {{NETWORK_INTERFACE}} -j SNAT --to-source {{ROUTE_TARGET}}
Once the interfaces has been setup for eth0 and eth1, with their respective namespaces eth0_ns and eth1_ns, programs can be executed on the specified interface via;
ip netns exec eth0_ns fish
ip netns exec eth1_ns fish
I'm accepting Graeme's answer; this is simply a follow up to explain the changes I did to his suggestion to solve my issue.
Instead of binding the physical interface inside the namespace, I created a virtual network interface pair, with one end in the network namespace and one in the root. Packages are then routed via this virtual network from the namespace, to the root namespace and then to the physical interface.
- As such I'm able to run all my ordinary data transfers, and in addition start processes which can only access a specific interface.
# Create the eth0 network namespace
ip netns add eth0_ns
# Create the virtual network pair
ip link add v_eth0a type veth peer name v_eth0b
# Move v_eth0a to the eth0_ns namespace, the virtual pair is now split
# between two network namespaces.
ip link set v_eth0a netns eth0_ns
# Configure the ends of the virtual network pairs
ip netns exec eth0_ns ifconfig v_eth0a up {{NAMESPACE_IP}} netmask {{NAMESPACE_NETMASK}}
ifconfig v_eth0b up {{ROOT_NS_IP}} netmask {{ROOT_NS_NETMASK}}
# Setup routing from namespace to root
ip netns exec eth0_ns route add default gw {{ROOT_NS_IP}} dev v_eth0a
# Setup IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s {{ROUTE_SOURCE}}/24 -o {{NETWORK_INTERFACE}} -j SNAT --to-source {{ROUTE_TARGET}}
Once the interfaces has been setup for eth0 and eth1, with their respective namespaces eth0_ns and eth1_ns, programs can be executed on the specified interface via;
ip netns exec eth0_ns fish
ip netns exec eth1_ns fish
edited 15 mins ago
Thomas
3,73661225
3,73661225
answered Jun 21 '15 at 9:34
Skeen
3711310
3711310
3
Well done! I think you can also create a bridge device and bridge the default namespace and of the virtual pair with one of the physical devices. This looks equivalent though.
– Graeme
Jun 21 '15 at 10:03
I did try bridging the virtual and physical device; I wasn't able to reach the external network using that solution.
– Skeen
Jun 23 '15 at 13:52
1
I did, but only from the new namespace. I think the issue I was having was related to network manager, I didn't figure it out though or I would have updated my answer.
– Graeme
Jun 23 '15 at 14:10
I have the same issue, but I failed to use that solution. What exactly should I enter in {{ROUTE_SOURCE}} and {{ROUTE_TARGET}} in the last step?
– litov
Dec 4 '16 at 12:18
@Graeme, at least on Ubuntu I was able to get connectivity back in both the namespace as well as the global namespace by issuingdhclient <bridge>
per here.
– Chris Hunt
Mar 26 '17 at 18:46
add a comment |
3
Well done! I think you can also create a bridge device and bridge the default namespace and of the virtual pair with one of the physical devices. This looks equivalent though.
– Graeme
Jun 21 '15 at 10:03
I did try bridging the virtual and physical device; I wasn't able to reach the external network using that solution.
– Skeen
Jun 23 '15 at 13:52
1
I did, but only from the new namespace. I think the issue I was having was related to network manager, I didn't figure it out though or I would have updated my answer.
– Graeme
Jun 23 '15 at 14:10
I have the same issue, but I failed to use that solution. What exactly should I enter in {{ROUTE_SOURCE}} and {{ROUTE_TARGET}} in the last step?
– litov
Dec 4 '16 at 12:18
@Graeme, at least on Ubuntu I was able to get connectivity back in both the namespace as well as the global namespace by issuingdhclient <bridge>
per here.
– Chris Hunt
Mar 26 '17 at 18:46
3
3
Well done! I think you can also create a bridge device and bridge the default namespace and of the virtual pair with one of the physical devices. This looks equivalent though.
– Graeme
Jun 21 '15 at 10:03
Well done! I think you can also create a bridge device and bridge the default namespace and of the virtual pair with one of the physical devices. This looks equivalent though.
– Graeme
Jun 21 '15 at 10:03
I did try bridging the virtual and physical device; I wasn't able to reach the external network using that solution.
– Skeen
Jun 23 '15 at 13:52
I did try bridging the virtual and physical device; I wasn't able to reach the external network using that solution.
– Skeen
Jun 23 '15 at 13:52
1
1
I did, but only from the new namespace. I think the issue I was having was related to network manager, I didn't figure it out though or I would have updated my answer.
– Graeme
Jun 23 '15 at 14:10
I did, but only from the new namespace. I think the issue I was having was related to network manager, I didn't figure it out though or I would have updated my answer.
– Graeme
Jun 23 '15 at 14:10
I have the same issue, but I failed to use that solution. What exactly should I enter in {{ROUTE_SOURCE}} and {{ROUTE_TARGET}} in the last step?
– litov
Dec 4 '16 at 12:18
I have the same issue, but I failed to use that solution. What exactly should I enter in {{ROUTE_SOURCE}} and {{ROUTE_TARGET}} in the last step?
– litov
Dec 4 '16 at 12:18
@Graeme, at least on Ubuntu I was able to get connectivity back in both the namespace as well as the global namespace by issuing
dhclient <bridge>
per here.– Chris Hunt
Mar 26 '17 at 18:46
@Graeme, at least on Ubuntu I was able to get connectivity back in both the namespace as well as the global namespace by issuing
dhclient <bridge>
per here.– Chris Hunt
Mar 26 '17 at 18:46
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f210982%2fbind-unix-program-to-specific-network-interface%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Are you implying that your machine is connected to two different networks, both 192.168.1.0? What does your routing table look like? If you want to restrict the interfaces visible from a process, the lightest solution would be cgroups, a heavier one containers.
– lgeorget
Jun 20 '15 at 12:41
Yes, two different networks, both on the same IP range. I'm not certain I wan't to restrict the visible interfaces, just dictate which one to use as default? :)
– Skeen
Jun 20 '15 at 15:05
2
What you ask is difficult for one good reason: having two networks interconnected using the same IP domain is like having an elevator in a building with two floors with the same number. The IP range is what identifies the domain not the output interface. Nevertheless there must be a way to work around your flawed network design with iptables.
– lgeorget
Jun 20 '15 at 16:50
I'm connecting my system to two different in-place infrastructures, as such the infrastructures were never designed to interact, and hence the network design is flawed in that regards.
– Skeen
Jun 21 '15 at 1:41
1
My argument towards NATs was that entire address spaces are usually hidden behind the NAT, and as I'm connecting two NAT'ted infrastructures the collision occurs. - I'm not in any position to modify the infrastructure. - I tried using network namespaces with virtual network interfaces pairs (one in the namespace, one in the root namespace) bridging the root namespace one to physical interface, and running programs within the network namespace. - This seems to be working, but I'm not getting access beyond the root namespace (i.e. no access outside the machine itself).
– Skeen
Jun 21 '15 at 9:13