How can I ping a namespace IP from outside?

by user451883   Last Updated January 12, 2018 21:00 PM

Please help me. I added a separate network namespace named "ns1" with the interface "vpeer1" (10.200.1.2), and also added a veth named "veth1" (10.200.1.1). I am able to ping Google, but I am not able to ping the network namespace IP (10.200.1.2) from outside. How can I ping the network namespace IP from outside? Thanks in advance.

[email protected]:~# ip netns exec ns1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9a:3e:34:b0:0a:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.200.1.2/24 scope global vpeer1
       valid_lft forever preferred_lft forever
    inet6 fe80::983e:34ff:feb0:ab5/64 scope link
       valid_lft forever preferred_lft forever

I also made a bridge with my local interface:

[email protected]:~# ifconfig
enp0s3    Link encap:Ethernet  HWaddr 08:00:27:b7:bb:9f
          inet addr:192.168.50.14  Bcast:192.168.255.255  Mask:255.255.0.0
          inet6 addr: fe80::a00:27ff:feb7:bb9f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7298 errors:0 dropped:0 overruns:0 frame:0
          TX packets:565 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:741038 (741.0 KB)  TX bytes:74949 (74.9 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:167 errors:0 dropped:0 overruns:0 frame:0
          TX packets:167 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:12189 (12.1 KB)  TX bytes:12189 (12.1 KB)

veth1     Link encap:Ethernet  HWaddr fa:8c:20:08:fe:cf
          inet addr:10.200.1.1  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::f88c:20ff:fe08:fecf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2752 (2.7 KB)  TX bytes:2978 (2.9 KB)

[email protected]:~# ip netns exec ns1 ping google.com
PING google.com (172.217.18.14) 56(84) bytes of data.
64 bytes from fra02s19-in-f14.1e100.net (172.217.18.14): icmp_seq=1 ttl=55 time=12.2 ms
64 bytes from fra02s19-in-f14.1e100.net (172.217.18.14): icmp_seq=2 ttl=55 time=12.6 ms
64 bytes from fra02s19-in-f14.1e100.net (172.217.18.14): icmp_seq=3 ttl=55 time=12.5 ms
64 bytes from fra02s19-in-f14.1e100.net (172.217.18.14): icmp_seq=4 ttl=55 time=12.5 ms
64 bytes from fra02s19-in-f14.1e100.net (172.217.18.14): icmp_seq=5 ttl=55 time=12.7 ms
^C
--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 12.208/12.546/12.761/0.201 ms 

My bash script:

#!/usr/bin/env bash
set -x
NS="ns1"
VETH="veth1"
VPEER="vpeer1"
VETH_ADDR="10.200.1.1"
VPEER_ADDR="10.200.1.2"

if [[ $EUID -ne 0 ]]; then
    echo "You must be root to run this script"
    exit 1
fi
# Remove namespace if it exists.
ip netns del $NS &>/dev/null
# Create namespace
ip netns add $NS
# Create veth link.
ip link add ${VETH} type veth peer name ${VPEER}
# Add peer-1 to NS.
ip link set ${VPEER} netns $NS
# Setup IP address of ${VETH}.
ip addr add ${VETH_ADDR}/24 dev ${VETH}
ip link set ${VETH} up
# Setup IP ${VPEER}.
ip netns exec $NS ip addr add ${VPEER_ADDR}/24 dev ${VPEER}
ip netns exec $NS ip link set ${VPEER} up
ip netns exec $NS ip link set lo up
ip netns exec $NS ip route add default via ${VETH_ADDR}
# Enable IP-forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush forward rules.
iptables -P FORWARD DROP
iptables -F FORWARD
# Flush nat rules.
iptables -t nat -F
# Enable masquerading of 10.200.1.0.
iptables -t nat -A POSTROUTING -s ${VPEER_ADDR}/24 -o enp0s3 -j MASQUERADE
iptables -t nat -A POSTROUTING -s ${VETH_ADDR}/24 -o enp0s3 -j MASQUERADE
iptables -A FORWARD -i enp0s3 -o ${VETH} -j ACCEPT
iptables -A FORWARD -o enp0s3 -i ${VETH} -j ACCEPT
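
The following is an added example, not part of the original post: it models the longest-prefix routing lookup each machine performs, to show where a packet for 10.200.1.2 goes when it starts on another LAN machine. The addresses 192.168.50.14, 10.200.1.1 and 10.200.1.2 come from the post; the outside host's routing table and the LAN gateway 192.168.0.1 are assumptions.

```python
import ipaddress


def next_hop(routes, dst):
    """Longest-prefix match: return (prefix, gateway) for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return None if best is None else (str(best[0]), best[1])


# Constructed routing tables (assumptions, except the addresses taken from the post).
NS1 = [("10.200.1.0/24", "on-link vpeer1"), ("0.0.0.0/0", "10.200.1.1")]
HOST = [("192.168.0.0/16", "on-link enp0s3"),
        ("10.200.1.0/24", "on-link veth1"),
        ("0.0.0.0/0", "192.168.0.1")]
# A typical LAN machine knows nothing about 10.200.1.0/24.
OUTSIDE = [("192.168.0.0/16", "on-link eth0"), ("0.0.0.0/0", "192.168.0.1")]
# Same machine after adding a static route through the namespace host.
OUTSIDE_FIXED = OUTSIDE + [("10.200.1.0/24", "192.168.50.14")]


def trace(label, routes, dst):
    """Print and return the route a machine would pick for dst."""
    hop = next_hop(routes, dst)
    print(f"{label:14} -> {dst:14} uses {hop}")
    return hop


if __name__ == "__main__":
    trace("ns1", NS1, "172.217.18.14")          # leaves via 10.200.1.1, then MASQUERADE
    trace("host", HOST, "10.200.1.2")           # host reaches the namespace directly
    trace("outside", OUTSIDE, "10.200.1.2")     # sent to the LAN gateway, not the host
    trace("outside+route", OUTSIDE_FIXED, "10.200.1.2")  # sent to 192.168.50.14
```

On a Linux machine the static route modelled by `OUTSIDE_FIXED` corresponds to `ip route add 10.200.1.0/24 via 192.168.50.14`; the script's existing `FORWARD` rules between `enp0s3` and `veth1` then apply to that traffic.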

