
So I created a network namespace named client, and another namespace called server. I also created virtual ethernets to connect them.

ip netns add client
ip netns add server

ip link add v-client type veth peer name v-server

Then I connect them

ip link set v-client netns client
ip link set v-server netns server

I assign IPs to them and set them UP:

ip netns exec client ip addr add 192.0.2.0/24 dev v-client
ip netns exec server ip addr add 192.0.2.128/24 dev v-server
ip netns exec client ip link set v-client up
ip netns exec server ip link set v-server up

So far so good. What I want to do is put a firewall between these two. For instance, if client tries to ping the server, the firewall is not going to allow it. I WANT THE FIREWALL AS A SEPARATE NAMESPACE. I want a third network namespace named firewall, which controls the traffic between server and client. How can I achieve this?

talatt
  • AFAIK You simply run the necessary iptables commands to set up and manage the firewall in your namespace, `ip netns exec client iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT` etc. – HBruijn Aug 18 '22 at 09:25
  • You just create a 3rd namespace which is inserted between the two others. veth connections have to be moved accordingly. Depending on setup the firewall can run as a router or as a bridge (making it more invisible). – A.B May 10 '23 at 09:04
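The layout A.B describes, as an added example that is not part of the question or any answer: a third namespace "firewall" acting as a router between "client" and "server", with two veth pairs (v-client/fw-client and v-server/fw-server) and the subnets 192.0.2.0/24 and 198.51.100.0/24 chosen here as assumptions. Run as root; with DRY_RUN=1 it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: routed firewall namespace between client and server.
# Assumed interface names and addresses; nothing here comes from the page.
# DRY_RUN=1 prints each command instead of running it.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

build_firewall_topology() {
    for ns in client firewall server; do run ip netns add "$ns"; done

    # Two veth pairs: each end host links to the firewall, never to each other.
    run ip link add v-client type veth peer name fw-client
    run ip link add v-server type veth peer name fw-server
    run ip link set v-client netns client
    run ip link set v-server netns server
    run ip link set fw-client netns firewall
    run ip link set fw-server netns firewall

    # Separate subnets on each side; the firewall routes between them.
    run ip -n client   addr add 192.0.2.1/24      dev v-client
    run ip -n firewall addr add 192.0.2.254/24    dev fw-client
    run ip -n firewall addr add 198.51.100.254/24 dev fw-server
    run ip -n server   addr add 198.51.100.1/24   dev v-server
    for ns in client firewall server; do run ip -n "$ns" link set lo up; done
    run ip -n client   link set v-client  up
    run ip -n server   link set v-server  up
    run ip -n firewall link set fw-client up
    run ip -n firewall link set fw-server up
    run ip -n client route add default via 192.0.2.254
    run ip -n server route add default via 198.51.100.254

    # The firewall namespace forwards packets; filtering happens in FORWARD.
    run ip netns exec firewall sysctl -q -w net.ipv4.ip_forward=1
    run ip netns exec firewall iptables -P FORWARD DROP
    run ip netns exec firewall iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Log, then drop, echo requests from the client side toward the server side.
    run ip netns exec firewall iptables -A FORWARD -i fw-client -o fw-server -p icmp --icmp-type echo-request -j LOG --log-prefix "fw-drop-ping: "
    run ip netns exec firewall iptables -A FORWARD -i fw-client -o fw-server -p icmp --icmp-type echo-request -j DROP
    # Any other connection the client initiates toward the server is allowed.
    run ip netns exec firewall iptables -A FORWARD -i fw-client -o fw-server -m conntrack --ctstate NEW -j ACCEPT
}

# Returns 0 when a ping from client to server fails, i.e. the firewall blocks it.
ping_is_blocked() {
    ! ip netns exec client ping -c 1 -W 1 198.51.100.1 >/dev/null 2>&1
}

case "${1:-}" in
    build) build_firewall_topology ;;
    check) ping_is_blocked && echo "ping from client to server is blocked" ;;
esac
```

Invoke as `sh fw.sh build` and then `sh fw.sh check`; the LOG rule makes each dropped echo request visible in the kernel log of the host.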

1 Answer


You need to create firewall rules for each namespace separately, like you created network interfaces for them. Each namespace has its own firewall rules, for example:

ip netns exec server iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip netns exec server iptables -P INPUT DROP
ip netns exec server iptables -A INPUT -p icmp -j DROP

To make this change permanent you can use a systemd service or some other startup script with:

/sbin/ip netns exec server iptables-restore /etc/iptables.server.rules

But before that you need to save your firewall rules:

ip netns exec server iptables-save > /etc/iptables.server.rules
bdzkv
  • Thanks for the answer. I forgot to mention a crucial detail in the post, but the firewall must be a separate namespace, not the rules for server. client will connect to the firewall first in order to ping server, and if the firewall allows it (let's say it won't for our example) it will ping the server. – talatt Aug 18 '22 at 15:03
  • Maybe try putting virtual interfaces into that third namespace and write rules between them if that's what you want. – bdzkv Aug 18 '22 at 16:08