PhilipSchmid/nic-isolation-readme.md

## nic-isolation-readme.md

      
    Raw
  

              nic-isolation-readme.md
            
          
    Linux NIC to namespace (persisted via systemd service)

Save the file nic-isolation.service to /etc/systemd/system/nic-isolation.service.
Afterwards reload the systemd daemon and enable & start the "service":
sudo systemctl daemon-reload
sudo systemctl enable nic-isolation.service
sudo systemctl start nic-isolation.service
TODO: Improve the security level by enabling some systemd security features: https://www.redhat.com/sysadmin/mastering-systemd

  
## nic-isolation.service
[Unit]
Description=Isolate USB NIC to separate namespace
After=syslog.target network.target

[Service]
Type=oneshot
PermissionsStartOnly=true
PIDFile=/var/run/nic-isolation.pid
ExecStartPre=-/bin/bash -c "/bin/systemctl set-environment USB_NIC=$(basename -a /sys/class/net/* | grep enx.*)"
ExecStart=-/bin/ip netns add isolation
ExecStart=-/bin/ip link set ${USB_NIC} netns isolation
ExecStart=-/bin/ip netns exec isolation ip link set lo up
ExecStart=-/bin/ip netns exec isolation ip link set ${USB_NIC} up

[Install]
WantedBy=multi-user.target
	[Unit]
	Description=Isolate USB NIC to separate namespace
	After=syslog.target network.target

	[Service]
	Type=oneshot
	PermissionsStartOnly=true
	PIDFile=/var/run/nic-isolation.pid
	ExecStartPre=-/bin/bash -c "/bin/systemctl set-environment USB_NIC=$(basename -a /sys/class/net/* \| grep enx.*)"
	ExecStart=-/bin/ip netns add isolation
	ExecStart=-/bin/ip link set ${USB_NIC} netns isolation
	ExecStart=-/bin/ip netns exec isolation ip link set lo up
	ExecStart=-/bin/ip netns exec isolation ip link set ${USB_NIC} up

	[Install]
	WantedBy=multi-user.target