current community

your communities

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Unix & Linux Stack Exchange is a question and answer site for users of Linux, FreeBSD and other Un*x-like operating systems. It's 100% free, no registration required.
up vote 4 down vote favorite

Question: How do I launch a program while ensuring that it's network access is bound via a specific network interface?

Case: I want to access two distinct machines with the same IP (192.168.1.1), but accessible via two different network interfaces (eth1 and eth2).

Example:

net-bind -D eth1 -exec {Program 192.168.1.1}
net-bind -D eth2 -exec {Program 192.168.1.1}

The above is an approximation of what I'd like, inspired by the hardware binding done via primusrun and optirun.

Challenge: As suggested in a related thread, the interfaces used are not chosen by the program, but rather by the kernel (Hence the pre-binding syntax in the above example).

Some related solutions I've found, which are unsatisfactory are based on binding network interfaces via user-specific network blacklisting; i.e. running the process as a user which can only access a single specific network interface.

share|improve this question
    
Are you implying that your machine is connected to two different networks, both 192.168.1.0? What does your routing table look like? If you want to restrict the interfaces visible from a process, the lightest solution would be cgroups, a heavier one containers. –  lgeorget Jun 20 at 12:41
    
Yes, two different networks, both on the same IP range. I'm not certain I wan't to restrict the visible interfaces, just dictate which one to use as default? :) –  Skeen Jun 20 at 15:05
    
What you ask is difficult for one good reason: having two networks interconnected using the same IP domain is like having an elevator in a building with two floors with the same number. The IP range is what identifies the domain not the output interface. Nevertheless there must be a way to work around your flawed network design with iptables. –  lgeorget Jun 20 at 16:50
    
I'm connecting my system to two different in-place infrastructures, as such the infrastructures were never designed to interact, and hence the network design is flawed in that regards. –  Skeen Jun 21 at 1:41
    
I understand that IP is supposed to be a unique addressing scheme, however using NATs and such breaks that idea. - And hence the output network interfaces matters. - Do you have any idea how to apply iptables on this? –  Skeen Jun 21 at 1:44

2 Answers 2

up vote 4 down vote accepted

For Linux, this has already been answered on Superuser - How to use different network interfaces for different processes?.

The most popular answer uses an LD_PRELOAD trick to change the network binding for a program, but modern kernels support a much more flexible feature called 'network namespaces' which is exposed through the ip program. This answer shows how to use this. From my own experiments I have done the following (as root):

# Add a new namespace called test_ns
ip netns add test_ns

# Set test to use eth0, after this point eth0 is not usable by programs
# outside the namespace
ip link set eth0 netns test_ns

# Bring up eth0 inside test_ns
ip netns exec test_ns ip link set eth0 up

# Use dhcp to get an ipv4 address for eth0
ip netns exec test_ns dhclient eth0

# Ping google from inside the namespace
ip netns exec test_ns ping www.google.co.uk

It is also possible to manage network namespaces to some extent with the unshare and nsenter commands. This allows you to also create separate spaces for PIDs, users and mount points. For some more information see:

share|improve this answer
    
"after this point eth0 is not usable by programs outside the namespace" - So I'm pulling down the connection for all other problems in doing this? –  Skeen Jun 20 at 15:11
    
@Skeen, yes, so presumably you would push an interface that no other programs are using into the namespace and use your main one normally. –  Graeme Jun 20 at 15:19
    
@Graerne; Both interfaces are being used actively; I cannot afford taking down the interfaces. –  Skeen Jun 20 at 15:23
up vote 2 down vote

I'm accepting Graeme's answer; this is simply a follow up to explain the changes I did to his suggestion to solve my issue.

Instead of binding the physical interface inside the namespace, I created a virtual network interface pair, with one end in the network namespace and one in the root. Packages are then routed via this virtual network from the namespace, to the root namespace and then to the physical interface. - As such I'm able to run all my ordinary data transfers, and in addition start processes which can only access a specific interface.

# Create the eth0 network namespace
ip netns add eth0_ns

# Create the virtual network pair
ip link add v_eth0a type veth peer name v_eth0b

# Move v_eth0a to the eth0_ns namespace, the virtual pair is now split
# between two network namespaces.
ip link set v_eth0a netns eth0_ns

# Configure the ends of the virtual network pairs
ip netns exec eth0_ns ifconfig v_eth0a up {{NAMESPACE_IP}} netmask {{NAMESPACE_NETMASK}}
ifconfig v_eth0b up {{ROOT_NS_IP}} netmask {{ROOT_NS_NETMASK}}

# Setup routing from namespace to root
ip netns exec eth0_ns route add default gw {{ROOT_NS_UP}} dev v_eth0a

# Setup IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s {{ROUTE_SOURCE}}/24 -o {{NETWORK_INTERFACE}} -j SNAT --to-source {{ROUTE_TARGET}}

Once the interfaces has been setup for eth0 and eth1, with their respective namespaces eth0_ns and eth1_ns, programs can be executed on the specified interface via;

ip netns exec eth0_ns fish
ip netns exec eth1_ns fish
share|improve this answer
    
Well done! I think you can also create a bridge device and bridge the default namespace and of the virtual pair with one of the physical devices. This looks equivalent though. –  Graeme Jun 21 at 10:03
    
I did try bridging the virtual and physical device; I wasn't able to reach the external network using that solution. –  Skeen Jun 23 at 13:52
1  
I did, but only from the new namespace. I think the issue I was having was related to network manager, I didn't figure it out though or I would have updated my answer. –  Graeme Jun 23 at 14:10

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.