8 min read

Understanding Network Interfaces in Linux

Onboard & PCI slot

         Onboard: When the interface is integrated directly into motherboard

         PCI: Its an external card integrated into motherboard

The ethernet names are changed, During physical days, we used eth0, eth1 as a name for ethernet card and the link name

But, due to virtualization, now even the links names are changed based on types of interface & Physical topology

Based on Types of Interfaces:

Ex: Ethernet interface begins with en

WLAN interface begins with wl

WWAN interface begins with ww

Based on Physical Topology:

If there is “oN” – Its an (o)onboard card & (N): Number of Device

         : ex: eno1 – Its an onboarded Ethernet and its on Device 1, means on 1^st slot

If there is “sN” –  s: It’s a PCI pluggable device.

         : ex: ens4 : PCI slotted Ethernet card and its on 4^th sloth or 4^th device.

To list the interfaces attached to a server: ip link

To check if there is any IP attached to these interface : ip a show  [ ip address show]

To see the info about a specific interface :ip link show ens4

To know the traffic pass through that interface: (Check the stats -s) : ip -s link show ens4 [ Very important command for real life troubleshooting]

: it has these metrices like

TX: no of packet transmitted out

RX: no of packet Received

Error/drop: these shows how many packets are dropped etc

To check if the host can communicate with other host on different network

• For that we need to check the host route table : route -n

o   This gives the info, about the gateway through which the traffic would pass through

• If there is no route, we have to add the route

o   ip route add destination_network via router_gateway

• Ex: Host IP: 192.168.1.4 wants to communicate with host 192.168.5.4

o   ip route add 192.168.5.0/24 via 192.168.1.0

o   ip route add default via 192.168.1.0 # Default is same as 0.0.0.0(Internet)

Host wants to connect to another host, but is unable to remember the IP, so it’s good to remember using some name and for that DNS server is needed.

DNS records are stored in /etc/resolv.conf file on each host

Now, the host is connected to internet and lot of services are running in the host, like nginx, ftp etc

• How to check the services and their ports which are opened in the host: netstat -tulnp

–   But, netstat command became old and now ss command is used

–   ss : show socket  [ socket statistics]

–   check all socket info for all traffic for TCP : ss -ta

So, far we have seen only the LIST of Network, but to do any modification, we would need a service like NetworkManager or systemd-networkd.service

Check if the service is loaded : systemctl list-units --type=service | grep -i "network"

To manage the networks like create, edit, list new connections, we need a tool which belongs to NetworkManager service

nmcli 

The IP configurations are not directly done on the interfaces. To understand how that works, we need to understand a very important concept about Connection & Device

Device Vs Connection

Device: Device is the physical interface like en01, but we don’t assign IPs to the device these days directly

Connection: It’s a software component, where we assign the IP, Subet, DNS etc

And then we attach the connection to LAN card, so its decoupled now,

Connection can be assigned to any LAN, one at a time.

So, we can have many connections created with different configurations and attach them to LAN when needed.

How to see the list of connections: nmcli con show [con = connection]

How to check the info about a particular connection : nmcli con show connection_name

–   ipv4.method – This shows if its static or dynamic IP assigned

Lets uncover some critical commands and concepts related to connection and how that is attached to an interface

How to create a new connection: 

nmcli con add con-name my_connection ifname eth0 type ethernet

How to modify the existing connection: 

nmcli connection modify my_connection ipv4.method manual ipv4.address 192.168.1.19/32 ipv4.gateway 192.169.1.1 ipv4.dns 192.168.1.1

How to connect the connection with the ethernet device: nmcli connection up my_connection

To check the status of all network interface : nmcli dev status

Docker Networking & Namespace Isolation

In the below section, I am trying to show how a container runtime engine like Docker isolates the network using network namespace in a Linux Kernel based Host:

We have got some fair understanding on the Networking on Linux host, lets understand how the networking works for the isolated namespace called containers

As we know, when we work with Linux, most of the process run on the global namespace, but if some process needs isolation, we can use namespace for that,

For an example:

Filesystem: chroot
Network : ip netns
Process : unshare PID

List of all namespace : lsns -t pid

So, when we create a container, its in its own namespace and it does not have any communication in or out. To establish connection, we have to use the concept that we have seen above, like creating interfaces, making them up and the add an IP and route, but for that we would need to create the network namespace using netns.

Now, whatever we would see below are the manual way of isolating the network in its own namespace and then attaching the interface and enabling connection, but, please note, docker or other container runtime engine is making it easier by providing the simple commands.

Docker network works on CNM (container Network model), when we install docker in Host, it automatically creates the default network (docker0) and it uses bridge driver.

To check that: nmcli con show

To check more about the connection: nmcli con show docker0

To check its link and ip : ip link show & ip a show

How to find more info about docker : docker info

How to check more about the docker bridge network : brctl show

We can see that, It does not have any interface attached.

But, the moment we create a container, it creates a veth interface connecting the container to the docker0 network.

But, from the inside of the container, it assumes that it created two interfaces, loopback and eth0 interface.

Since the container is connected to docker0 network, so it gets the IP in this network range

Docker can create a bridge network using a bridge driver

: docker network create -d bridge my_doc_bridge
: Delete: docker network rm my_doc_bridge

But, even the Linux also can create a bridge network

: sudo ip link add Linux_bridge type bridge
: Delete: sudo ip link delete my_bridge type bridge

Linux uses namespace to isolate the container:

How to create a process namespace: sudo unshare -f --pid --mount-proc bash

• this creates a container with isolated process
•  ps -ef shows only one process from inside the container

Before we jump into network isolation, we need to understand what VLAN IS

• Network devices like laptops, printers in one LAN are connected by a switch and all can communicate among each other, because all share the same broadcast domain.
• But, as the network grows, the network traffic management and security is a concern, so we designate few ports for one set of devices and other for other set, so that the traffic from one host does not broadcast to all available hosts on the switch, instead it can retain its broadcast traffic within its designated virtual LAN.

How to create a network namespace [ ip netns]

sudo ip netns add isolated_net

How to list the isolated network: ip netns list

For more help: ip netns help

How to perform any task inside that isolated network: we need to use exec

How to see the interface info : sudo ip netns exec isolated_net ip link

The isolated network has only one device “lo” and its down and its only for loopback.

But, to make the isolated nw to communicate with outside, we need a way to connect them both with a virtual ethernet cable which obviously has two interfaces

• So, now lets create that virtual ethernet with two interfaces peered

On our host:

Create Two Virtual Interfaces: 

• create two virtual interfaces veth1 & veth2 and if we peer them, they are virtually connected.

ip link add veth1 type veth peer name veth2

• List the new interface on the host: ip link list

Add one interface to Host and other interface to the new isolated Network

ip link set veth2 netns isolated_net # Added the veth2 interface to the isolated nw

Check the isolated network and we can see the new interface is set to that now

ip netns exec isolated_net ip link

Now, we have to bring the isolated interface up

  ip netns exec isolated_net ip link set dev veth2 up

But, since the lowerlayer is down, so we have to  bring the peer interface on host also up : 

Bring up the host interface

ip link set dev veth1 up

Now the interface inside the isolated nw is also up : 

ip netns exec isolated_net ip link

Assign an IP to the Isolated Interface

ip netns exec isolated_net ip addr add 192.168.1.4/24 dev veth2

Assign IP to the host interface: 

ip addr add 192.168.1.5/24 dev veth01

Check the communication:

Able to communicate from host to virtual host: ip addr add 192.168.1.2/24 dev veth01

From isolated network to host nw: ip netns exec isolated_net ping -c 2 192.168.1.2

This is exactly what docker does when we create a container using docker run command.

It automatically does all these manual work for us and get the container connected with docker internal network docker0 through veth

Some useful handy command to manage network in Linux.

Step	Task	Command
1	Check available network interfaces	ip link
2	Create a new virtual network device (veth, bridge, etc.)	ip link add <name> type <type>
3	Bring the newly created device up	ip link set <name> up
4	Assign an IP address to an interface	ip addr add <ip_address>/<subnet> dev <interface>
5	View assigned IP addresses	ip a show
6	Attach a veth device to a network namespace	ip link set <interface> netns <namespace>
7	Create a new Network Namespace	ip netns add <net_name> && ip netns list
8	Execute commands inside the namespace (check networking)	ip netns exec <namespace> ip link
9	Set default gateway (routing)	ip route add default via <gateway>
10	Verify routes	route -n OR ip route show
11	Delete a device	ip link delete <interface>