
So I'm writing a program that isolates itself with namespaces, but I'm stuck on getting networking to work as I want it to. I plan to route my application over Tor, which is a Socks5 proxy that exposes a SocksPort on a network interface.

My application needs to work when it is already isolated with virtual machines and host only routing, with Tor on the host bound to say vboxnet1 (192.168.56.1:9051), eth0 inside of the VM is (192.168.56.101), then I have a network namespace. Because of this, I can't simply use a veth pair and bind Tor to the veth on the parent namespace, because Tor is not even in the virtual machine. So ultimately, I need to get a connection to the SocksPort on 192.168.56.1:9051, from a namespace, through eth0 (192.168.56.101) in the parent namespace. However, the solution I use also should work when I'm not in a virtual machine, and when Tor is in the parent namespace (as opposed to the host of the VM with the parent namespace).

This is just some background as to why veth pairs and such will not work for me, and in general what I'm trying to do; my question is more specific:

I followed the guide at the following link: http://blog.scottlowe.org/2014/03/21/a-follow-up-on-linux-network-namespaces/

on Linux 3.16

I will do it right now and show the exact commands I'm typing:

ip netns add blue

ip link add link eth0 name eth0.100 type vlan id 100

At this point "ip -d link" shows the following (with MAC edited out):

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether promiscuity 0 

352: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    promiscuity 0 
    vlan protocol 802.1Q id 100 <REORDER_HDR> 

ip link set eth0.100 netns blue

I note that "ip -d link" from the blue namespace has the following output:

ip netns exec blue ip -d link

1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 

352: eth0.100@if2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default 
    promiscuity 0 
    vlan protocol 802.1Q id 100 <REORDER_HDR> 

Notice that it is eth0.100@if2 now rather than @eth0, I'm not sure if this is relevant.

I bring up loopback, which is actually not in the guide I mentioned but I believe is required:

ip netns exec blue ip link set dev lo up

ip netns exec blue ip addr add 192.168.56.102/24 dev eth0.100

ip netns exec blue ip link set eth0.100 up

ip netns exec blue ifconfig shows this now (slightly edited):

eth0.100  Link encap:Ethernet   
          inet addr:192.168.56.102  Bcast:0.0.0.0  Mask:255.255.255.0
          Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:5598 (5.5 KB)

From the parent namespace, ifconfig shows:

eth0      Link encap:Ethernet  
          inet addr:192.168.56.101  Bcast:192.168.56.255  Mask:255.255.255.0

But then when I try to ping from the namespace, as per the guide:

ip netns exec blue ping -c 4 192.168.56.101

PING 192.168.56.101 (192.168.56.101) 56(84) bytes of data.

From 192.168.56.102 icmp_seq=1 Destination Host Unreachable

It is always unreachable; the same happens if I try 192.168.56.1, which is ultimately what I want to get a connection to (it is the vboxnet on the host, which can be routed to from the eth0 in the VM, but I cannot even route to the eth0 from the namespace, even with the vlan interface added to the namespace).

Thanks for any help; I've been trying to do this for hours and have pretty much exhausted every resource.

  • Can you ping .102 from .102? Simply, that shows if you are listening for ping responses. Can you ping the other direction? – tCoe Aug 09 '16 at 13:59
  • Sorry I keep hitting enter trying to new line but it doesn't work in comments. Yes I can ping .102 from .102: "ip netns exec blue ping -c 4 192.168.56.102" results in "64 bytes from 192.168.56.102: icmp_seq=1 ttl=64 time=0.015 ms". I cannot ping .102 from .101 though, "ping 192.168.56.102" results in "PING 192.168.56.102 (192.168.56.102) 56(84) bytes of data." and "From 192.168.56.101 icmp_seq=1 Destination Host Unreachable" – vlanzz Aug 09 '16 at 14:18
  • can you ping from the host address to the 102 or 101? – tCoe Aug 09 '16 at 14:37
  • What is the output after running the "ip netns exec blue ip link set eth0.100 up" command? Does it show that the eth0.100@if2 link is up? – tCoe Aug 09 '16 at 14:44
  • I can ping from the host to .101 but not .102, the namespace in the VM seems as if it is entirely isolated from the rest of the network even after having passed the vlan device to it as per the guide I followed, perhaps I'm misunderstanding how vlans work, networking is not at all my specialty, however I believe I followed the guide correctly :(. – vlanzz Aug 09 '16 at 14:47
  • There is no output from that command per-se, however it is up as demonstrated by "ip netns exec blue ip link" showing "352: eth0.100@if2: mtu 1500 qdisc noqueue state UP mode DEFAULT group default" – vlanzz Aug 09 '16 at 14:49
  • Have you tried setting the broadcast address on the .102 to match the .101? Seems like the broadcast address should be 192.168.56.255, instead of 0.0.0.0 – tCoe Aug 09 '16 at 17:06
  • Does Linux even support multiple interfaces in the same subnet? At least historically, that was always considered a very bad idea, and failure-prone. – dgatwood Aug 09 '16 at 21:40
  • veth + nat(iptables) definitely works. ipvlan/macvlan might work. Not sure about the compatibility of netns with bridge or tap. – user1602017 Nov 19 '16 at 05:17
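The "veth + NAT (iptables)" layout user1602017 mentions in the comments, as an added example that is not from the question or its commenters: the VLAN subinterface in the question emits 802.1Q-tagged frames that the untagged eth0 and vboxnet1 peers never answer (hence the ARP failure behind "Destination Host Unreachable"), whereas this script routes the namespace's traffic through the parent's eth0 with a masquerade rule confined to the namespace's own subnet. The namespace name, the 10.200.1.0/24 link and the netcat options are assumptions; run it as root with `apply`, or with `plan` to only print the commands.

```shell
#!/bin/sh
# Added example, not code from the question or its commenters: the
# "veth + NAT (iptables)" layout mentioned in the comments, so the
# namespace reaches the Tor SocksPort through the parent's eth0 without
# Tor having to live inside the VM. Assumed (not from the page): namespace
# "blue", veth pair veth0/veth1, private link 10.200.1.0/24, netcat with
# -z/-w. Set DRY_RUN=1 to print the commands instead of running them.
NS=${NS:-blue}
OUT_IF=${OUT_IF:-eth0}            # interface that already reaches 192.168.56.1
NS_NET=10.200.1.0/24              # private veth link, distinct from the VM subnet
HOST_ADDR=10.200.1.1              # parent-namespace end of the veth pair
NS_ADDR=10.200.1.2                # namespace end of the veth pair
TOR=${TOR:-192.168.56.1:9051}     # SocksPort from the question

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# veth pair, one end moved into the namespace, default route via the parent
# end, then forwarding + masquerade limited to the namespace's own /24.
setup_ns_nat() {
  run ip netns add "$NS"
  run ip link add veth0 type veth peer name veth1
  run ip link set veth1 netns "$NS"
  run ip addr add "$HOST_ADDR/24" dev veth0
  run ip link set veth0 up
  run ip netns exec "$NS" ip link set lo up
  run ip netns exec "$NS" ip addr add "$NS_ADDR/24" dev veth1
  run ip netns exec "$NS" ip link set veth1 up
  run ip netns exec "$NS" ip route add default via "$HOST_ADDR"
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -s "$NS_NET" -o "$OUT_IF" -j MASQUERADE
  run iptables -A FORWARD -i veth0 -o "$OUT_IF" -s "$NS_NET" -j ACCEPT
  run iptables -A FORWARD -i "$OUT_IF" -o veth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# TCP connect to the SocksPort from inside the namespace; exit 0 = reachable.
check_socks() {
  run ip netns exec "$NS" nc -z -w 3 "${TOR%:*}" "${TOR#*:}"
}

# Print what a function would execute, without touching the system.
plan() ( DRY_RUN=1; "$@" )

case "${1:-}" in
  apply) setup_ns_nat && check_socks ;;
  plan)  plan setup_ns_nat; plan check_socks ;;
esac
```

The FORWARD rules only admit the namespace's /24 outbound and reply traffic inbound, so nothing else on the VM gains a new path through eth0.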

0 Answers