Mastering Network Namespaces: Building Your Own Isolated Network Lab on Linux

Network tutorial - IT technology blog

Why Should You Use Network Namespaces Instead of Virtual Machines?

Have you ever found yourself wanting to run two services that both need port 80 on a single server? Usually you would reach for Docker, or spin up a heavy Virtual Machine (VM) that consumes at least 512MB of RAM just to run a small script. Network Namespaces (netns) are a featherweight alternative with near-zero resource overhead.

This technology allows you to divide the Linux operating system into multiple separate network spaces. Each space has its own routing table, interface list, and firewall rules (iptables). They operate completely independently, as if you had multiple physical computers inside a single chassis.

In fact, Docker itself relies on netns to isolate networking for containers. Understanding how to configure it manually will help you troubleshoot complex network issues without depending on automated tools.

Three Core Components You Need to Know

Don’t rush to type commands before understanding how the pieces fit together. This virtual network consists of three parts:

  • Network Namespace: An absolute isolation “cage”. Everything inside cannot see external network resources unless you allow it.
  • Veth Pair (Virtual Ethernet): A virtual network cable with two ends. If you plug one end into Namespace A and the other into the host machine, data will flow between the two environments.
  • Bridge: Acts as a virtual Switch. It helps you connect 3, 5, or dozens of Namespaces together more easily.

Hands-on: Building a Network Environment from Scratch

We will create a Namespace, connect it to the host machine, and grant it Internet access. This is a standard scenario for safely testing web applications or proxies.

Step 1: Initializing the Namespace

I will create a namespace named lab_network. Every namespace-management command starts with the ip netns prefix.

# Create a new namespace
sudo ip netns add lab_network

# Check the list
ip netns list

At this point, lab_network is like a brand-new computer out of the box. It has no network card and no IP configuration yet.

Step 2: Connecting via Veth Pair

We need a virtual cable to connect the two worlds.

# Create veth pair: v-host end and v-ns end
sudo ip link add v-host type veth peer name v-ns

# Move the v-ns end into the lab_network namespace
sudo ip link set v-ns netns lab_network

After this command, the v-ns end will disappear from the host and appear inside the namespace.

Step 3: Configuring IP and Activating the Connection

By default, new interfaces are in the DOWN state. You need to assign IPs and bring them up.

# Configure host side
sudo ip addr add 10.1.1.1/24 dev v-host
sudo ip link set v-host up

# Configure inside the Namespace
sudo ip netns exec lab_network ip addr add 10.1.1.2/24 dev v-ns
sudo ip netns exec lab_network ip link set v-ns up

# Enable loopback interface (crucial for internal application communication)
sudo ip netns exec lab_network ip link set lo up

Try running ping 10.1.1.2 from the host. If you receive a response with latency usually under 0.05ms, you have succeeded.

Step 4: Granting Internet Access (NAT)

Your Namespace can now see the host but cannot access the Internet yet. You need to turn the host into an intermediary router.

# Enable packet forwarding (IP Forwarding)
sudo sysctl -w net.ipv4.ip_forward=1

# Configure NAT via iptables (replace eth0 with your actual network card)
sudo iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE

# Add default gateway for the Namespace
sudo ip netns exec lab_network ip route add default via 10.1.1.1

Verify with the command: sudo ip netns exec lab_network ping 8.8.8.8.
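As an added example that is not part of the original post, the following POSIX shell script wraps Steps 1 to 4 (plus the /etc/netns resolv.conf file from the tips below) into one function that builds the lab and one that tears it down. It assumes the veth ends are named "<ns>-h" and "<ns>-n" instead of v-host and v-ns so that several labs can coexist, and it removes the POSTROUTING rule explicitly, because ip netns del reclaims the veth pair but leaves that iptables rule in place.

```shell
#!/bin/sh
# Added example, not from the original post: build the lab from Steps 1-4 (plus the
# DNS file) with one function and tear it down with another. Deleting the namespace
# reclaims the veth pair but NOT the POSTROUTING rule, so teardown removes it itself.
# NETNS_DRY_RUN=1 prints every privileged command instead of running it via sudo.

run() {
    if [ "${NETNS_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else sudo "$@"; fi
}

# Reject names that are empty, contain unexpected characters, or would push the
# derived veth names "<ns>-h" / "<ns>-n" past the kernel's 15-character limit.
check_ns_name() {
    case $1 in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    [ "${#1}" -le 13 ]
}

# netns_lab_up NAME NET WAN_IF   e.g.  netns_lab_up lab_network 10.1.1 eth0
# Host gets NET.1, the namespace NET.2, always as a /24 like the post.
netns_lab_up() {
    ns=$1 net=$2 wan=$3
    check_ns_name "$ns" || { echo "invalid namespace name: $ns" >&2; return 1; }
    run ip netns add "$ns"                                       # Step 1
    run ip link add "$ns-h" type veth peer name "$ns-n"          # Step 2
    run ip link set "$ns-n" netns "$ns"
    run ip addr add "$net.1/24" dev "$ns-h"                      # Step 3
    run ip link set "$ns-h" up
    run ip netns exec "$ns" ip addr add "$net.2/24" dev "$ns-n"
    run ip netns exec "$ns" ip link set "$ns-n" up
    run ip netns exec "$ns" ip link set lo up
    run sysctl -w net.ipv4.ip_forward=1                          # Step 4
    run iptables -t nat -A POSTROUTING -s "$net.0/24" -o "$wan" -j MASQUERADE
    run ip netns exec "$ns" ip route add default via "$net.1"
    # DNS: ip netns exec bind-mounts this file over /etc/resolv.conf inside the ns
    run mkdir -p "/etc/netns/$ns"
    run sh -c "printf 'nameserver 8.8.8.8\n' > /etc/netns/$ns/resolv.conf"
}

# netns_lab_down NAME NET WAN_IF: same arguments; -D must match the -A rule exactly
netns_lab_down() {
    ns=$1 net=$2 wan=$3
    check_ns_name "$ns" || return 1
    run iptables -t nat -D POSTROUTING -s "$net.0/24" -o "$wan" -j MASQUERADE
    run ip netns del "$ns"          # removes both veth ends as well
    run rm -rf "/etc/netns/$ns"
}
```

Source the file and call netns_lab_up lab_network 10.1.1 eth0, then netns_lab_down with the same arguments when you are done; run it once with NETNS_DRY_RUN=1 first to review the exact commands before they touch the host.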

Practical Tips to Avoid Headaches

After many system debugging sessions, I’ve gathered three critical lessons:

  1. DNS Error: If you can ping the IP 8.8.8.8 but cannot curl google.com, it’s because the Namespace lacks DNS settings. Create the file /etc/netns/lab_network/resolv.conf and add nameserver 8.8.8.8 to it.
  2. Automatic Cleanup: When you delete a Namespace (sudo ip netns del), Linux automatically reclaims the associated veth interfaces. You don’t need to worry about system clutter.
  3. Packet Monitoring: If the network isn’t communicating, use tcpdump -i v-host on the host. You’ll immediately see where packets are being blocked: whether by the firewall or due to incorrect routing.

Conclusion

Using Network Namespaces is like playing with Lego using virtual cables and switches. It’s not just a tool for application isolation, but also the best way to learn networking visually. In my office, whenever I need to test a new firewall rule, I always build a netns model first to ensure I don’t drop the entire company’s network. Start with basic commands, and you’ll find Linux administration much more exciting.
