模拟docker的网络,使network namespace中的网卡可以访问外网
- 创建namespace
# ip netns add netns1
# ip netns show
netns1
- 创建一对相互关联的veth虚拟网卡(veth0/veth1,一端发出的包从另一端收到)
# ip link add veth0 type veth peer name veth1
- 把veth1移动到netns1
# ip link set veth1 netns netns1
# ip netns exec netns1 ip link list
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
11: veth1@if12: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether a2:e9:fa:0d:98:9f brd ff:ff:ff:ff:ff:ff link-netnsid 0
- 为veth1分配ip(默认路由在后面"添加路由"一步设置)
# ip netns exec netns1 ip addr add 10.1.1.2/24 dev veth1
# ip netns exec netns1 ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
11: veth1@if12: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether a2:e9:fa:0d:98:9f brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.1.1.2/24 scope global veth1
valid_lft forever preferred_lft forever
- 创建网桥br0,把veth0加入网桥,并为网桥分配ip(10.1.1.1/24)
# brctl addbr br0
# brctl addif br0 veth0
# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.fedc340f472a no veth0
# ip addr add 10.1.1.1/24 dev br0
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:9e:4e:19 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe9e:4e19/64 scope link
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:1f:22:b7 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.2/24 brd 192.168.56.255 scope global enp0s8
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe1f:22b7/64 scope link
valid_lft forever preferred_lft forever
12: veth0@if11: <BROADCAST,MULTICAST> mtu 1500 qdisc noop master br0 state DOWN group default qlen 1000
link/ether fe:dc:34:0f:47:2a brd ff:ff:ff:ff:ff:ff link-netnsid 0
13: br0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether fe:dc:34:0f:47:2a brd ff:ff:ff:ff:ff:ff
inet 10.1.1.1/24 scope global br0
valid_lft forever preferred_lft forever
- 启动网卡、网桥
# ip link set veth0 up
# ip link set br0 up
# ip netns exec netns1 ip link set veth1 up
- 测试10.1.1.0/24网络连通性
# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.021 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.027 ms
64 bytes from 10.1.1.2: icmp_seq=3 ttl=64 time=0.022 ms
# ip netns exec netns1 ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=0.043 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=64 time=0.023 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=64 time=0.028 ms
# 此时访问外部网络还不通: netns1 内只有 10.1.1.0/24 的直连路由,没有默认路由,所以报 Network is unreachable
# ip netns exec netns1 ping 114.114.114.114
connect: Network is unreachable
- 在netns1内添加路由,使其能够访问外部网络
# 添加路由
# ip netns exec netns1 route add default gw 10.1.1.1
# 对来自10.1.1.0/24的出站包做源地址NAT(MASQUERADE),把源地址改写为出口网卡地址,使回包能先返回本机再转回netns1;该规则未用 -o 限定出口,会对从任意网卡转发出去的包都做NAT,docker 的做法是加上 "! -o <网桥名>" 只对发往外部的包做NAT
# iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE
# 启用内核IP转发,使本机能在br0和外部网卡之间转发包(全局生效,本机对所有网卡都成为路由器;sysctl -w 重启后失效,需要持久化要写入 /etc/sysctl.conf)
# sysctl -w net.ipv4.ip_forward=1
# 测试
# ip netns exec netns1 ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=69 time=32.4 ms
64 bytes from 114.114.114.114: icmp_seq=2 ttl=70 time=32.4 ms
64 bytes from 114.114.114.114: icmp_seq=3 ttl=65 time=32.2 ms