# 如何使用Network Namespace創建一個Router
## 目錄
1. [網絡命名空間基礎概念](#1-網絡命名空間基礎概念)
2. [實驗環境準備](#2-實驗環境準備)
3. [創建基礎網絡拓撲](#3-創建基礎網絡拓撲)
4. [配置Router功能](#4-配置router功能)
5. [防火墻與流量控制](#5-防火墻與流量控制)
6. [高級路由策略](#6-高級路由策略)
7. [持久化配置](#7-持久化配置)
8. [故障排查](#8-故障排查)
9. [實際應用場景](#9-實際應用場景)
10. [總結](#10-總結)
---
## 1. 網絡命名空間基礎概念
### 1.1 什么是Network Namespace
Network Namespace是Linux內核提供的網絡隔離機制,允許創建完全獨立的網絡協議棧實例,包括:
- 獨立的網絡接口
- 獨立的路由表
- 獨立的iptables規則
- 獨立的網絡端口空間
### 1.2 核心命令詳解
```bash
# 創建namespace
ip netns add <name>
# 查看所有namespace
ip netns list
# 在namespace中執行命令
ip netns exec <name> <command>
# 刪除namespace
ip netns delete <name>
# 清除可能存在的沖突配置
sudo sysctl -w net.ipv4.ip_forward=0
sudo iptables -F
sudo ip link del veth0 2>/dev/null
# 啟用IP轉發(臨時)
sudo sysctl -w net.ipv4.ip_forward=1
# 創建三個namespace模擬兩個子網和路由器
ip netns add client_net
ip netns add router
ip netns add server_net
# Client網絡連接
ip link add veth0 type veth peer name veth1
ip link set veth0 netns client_net
ip link set veth1 netns router
# Server網絡連接
ip link add veth2 type veth peer name veth3
ip link set veth2 netns router
ip link set veth3 netns server_net
# Client端配置
ip netns exec client_net ip addr add 192.168.1.100/24 dev veth0
ip netns exec client_net ip link set veth0 up
ip netns exec client_net ip route add default via 192.168.1.1
# Router端配置
ip netns exec router ip addr add 192.168.1.1/24 dev veth1
ip netns exec router ip link set veth1 up
ip netns exec router ip addr add 10.0.0.1/24 dev veth3
ip netns exec router ip link set veth3 up
# Server端配置
ip netns exec server_net ip addr add 10.0.0.100/24 dev veth2
ip netns exec server_net ip link set veth2 up
ip netns exec server_net ip route add default via 10.0.0.1
# 在router namespace中啟用轉發
ip netns exec router sysctl -w net.ipv4.ip_forward=1
# 源地址轉換(SNAT)
ip netns exec router iptables -t nat -A POSTROUTING -o veth3 -j MASQUERADE
# 目的地址轉換(DNAT)示例
ip netns exec router iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.100:80
# 從client ping server
ip netns exec client_net ping 10.0.0.100 -c 4
# 跟蹤路由路徑
ip netns exec client_net traceroute 10.0.0.100
# 允許已建立的連接
ip netns exec router iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 限制ICMP流量
ip netns exec router iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# 創建HTB隊列
ip netns exec router tc qdisc add dev veth1 root handle 1: htb
ip netns exec router tc class add dev veth1 parent 1: classid 1:1 htb rate 100mbit
# 限制特定IP的帶寬
ip netns exec router tc filter add dev veth1 protocol ip parent 1:0 prio 1 u32 match ip src 192.168.1.100 flowid 1:1
# 添加額外路由表
ip netns exec router echo "200 custom_rt" >> /etc/iproute2/rt_tables
# 策略路由配置
ip netns exec router ip rule add from 192.168.1.100 table custom_rt
ip netns exec router ip route add default via 10.0.0.2 table custom_rt
# 在router中安裝Bird
ip netns exec router apt-get install bird
# 示例BGP配置
cat <<EOF > /etc/bird.conf
router id 192.168.1.1;
protocol kernel {
learn;
persist;
}
protocol bgp {
local as 64512;
neighbor 10.0.0.2 as 64513;
}
EOF
# /etc/netplan/01-networkns.yaml
network:
version: 2
renderer: networkd
network:
config: disabled
# /etc/systemd/system/networkns.service
[Unit]
Description=Network Namespace Router
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/setup_networkns.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
# 查看接口狀態
ip netns exec router ip -s link
# 檢查路由表
ip netns exec router ip route show table all
# 監控數據包
ip netns exec router tcpdump -i veth1 -n
問題1: Ping不通目標網絡
ip netns exec router sysctl net.ipv4.ip_forwardip netns exec router iptables -L -v問題2: NAT不生效
iptables -t nat -L -v通過本文我們實現了: 1. 使用network namespace創建隔離網絡環境 2. 配置完整的路由轉發功能 3. 實現NAT和防火墻策略 4. 部署高級路由功能 5. 保證配置持久化
完整實驗代碼庫:https://github.com/example/networkns-router
擴展閱讀: - Linux Advanced Routing & Traffic Control - Network Namespaces in Container Runtime - eBPF-based Networking Solutions “`
