
How to Build Isolated Single‑Host Container Networks with Linux Namespaces and veth

This tutorial explains how to create isolated, virtualized network stacks for containers on a single Linux host using network namespaces, virtual Ethernet pairs, a Linux bridge, routing, NAT, and iptables, and shows how to expose container services to the outside world.


Introduction

Containers can seem magical, but to anyone familiar with the underlying Linux mechanisms they are just isolated processes. This article explains how single-host container networking is built from those mechanisms.

Key questions

How can network resources be virtualized so that each container believes it has an exclusive network stack?

How can containers coexist on one host without interfering with each other, yet still communicate?

How can a container reach the external network?

How can the outside world reach a specific container (port publishing)?

Core Linux primitives

The solution is a combination of well‑known Linux features:

Network namespaces

Virtual Ethernet devices (veth)

Linux bridge (virtual switch)

IP routing and NAT

Creating a network namespace

sudo ip netns add netns0
ip netns list

Enter the namespace with nsenter --net=/var/run/netns/netns0 bash and inspect the empty network stack.

Connecting namespaces with veth

# Create the pair: veth0 stays in the host namespace, ceth0 is moved into netns0
sudo ip link add veth0 type veth peer name ceth0
sudo ip link set ceth0 netns netns0
# Host side: bring it up and give it an address in the container subnet
sudo ip link set veth0 up
sudo ip addr add 172.18.0.11/16 dev veth0
# Container side: loopback and ceth0 must be brought up inside netns0
sudo ip netns exec netns0 ip link set lo up
sudo ip netns exec netns0 ip link set ceth0 up
sudo ip netns exec netns0 ip addr add 172.18.0.10/16 dev ceth0

Pinging 172.18.0.10 from the host and 172.18.0.11 from inside netns0 succeeds, while each namespace sees only its own end of the pair, which shows that the two network stacks are independent.

Scaling to multiple containers with a bridge

# A second container (netns1 with the pair veth1/ceth1) is created exactly as above
# The host-side veth ends become bridge ports, so veth0 no longer needs its own address
sudo ip addr del 172.18.0.11/16 dev veth0
sudo ip link add br0 type bridge
sudo ip link set br0 up
sudo ip link set veth0 master br0
sudo ip link set veth1 master br0
# The host keeps one address for the whole subnet, on the bridge itself
sudo ip addr add 172.18.0.1/16 dev br0

All containers attached to br0 can reach each other at layer 2 through the bridge, and because the host owns 172.18.0.1 on br0 it can act as the router between the bridge and its other interfaces.

Enabling external connectivity

Give the containers a default route via the host, enable IP forwarding, and add a masquerade rule:

# Each container needs a default route pointing at the bridge address
sudo ip netns exec netns0 ip route add default via 172.18.0.1
# Writing the sysctl through sudo (a plain shell redirect would run unprivileged)
sudo sysctl -w net.ipv4.ip_forward=1
# Source-NAT container traffic that leaves through any interface other than the bridge
sudo iptables -t nat -A POSTROUTING -s 172.18.0.0/16 ! -o br0 -j MASQUERADE

Now the containers can reach the Internet.

Port publishing

Expose a service listening on 172.18.0.10:5000 inside netns0 at the host's own address (10.0.2.15 in this example) with DNAT rules:

# PREROUTING rewrites packets arriving from outside the host
sudo iptables -t nat -A PREROUTING -d 10.0.2.15 -p tcp --dport 5000 -j DNAT --to-destination 172.18.0.10:5000
# OUTPUT rewrites connections that originate on the host itself
sudo iptables -t nat -A OUTPUT -d 10.0.2.15 -p tcp --dport 5000 -j DNAT --to-destination 172.18.0.10:5000
# br_netfilter makes bridged traffic traverse iptables, so the published port also works from other containers on br0
sudo modprobe br_netfilter

With these rules in place, curl 10.0.2.15:5000 reaches the container's HTTP server.
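The whole procedure above, from namespaces and veth pairs through the bridge, NAT and port publishing, collected into one script. This is an added example, not code from the original article: the interface and namespace names, the 172.18.0.0/16 subnet and the address plan (container N gets 172.18.0.(10+N)) follow the article, while the HOST_IP default of 10.0.2.15 is an assumption about the host and should be replaced with the real address. DRY_RUN=1 prints every privileged command instead of executing it, so the changes to the host's routing and NAT tables can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original article): build COUNT isolated
# "containers" (network namespaces) on one host, attach them to a Linux
# bridge, NAT them to the outside and optionally publish one port.
# Assumptions: names netnsN/vethN/cethN and subnet 172.18.0.0/16 as in the
# article; HOST_IP is the host's externally reachable address (assumed here).

BRIDGE=${BRIDGE:-br0}
PREFIX=${PREFIX:-172.18}          # /16 network, gateway at $PREFIX.0.1
BITS=16
GATEWAY="$PREFIX.0.1"
HOST_IP=${HOST_IP:-10.0.2.15}     # assumption: replace with the real host address
DRY_RUN=${DRY_RUN:-0}

# run: execute a privileged command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else sudo "$@"; fi
}

# container_ip N -> the address assigned to container N (10 + N in the last octet).
container_ip() { echo "$PREFIX.0.$((10 + $1))"; }

# create_bridge: the virtual switch; the host owns the gateway address on it
# and therefore routes between the bridge and its other interfaces.
create_bridge() {
    run ip link add "$BRIDGE" type bridge
    run ip link set "$BRIDGE" up
    run ip addr add "$GATEWAY/$BITS" dev "$BRIDGE"
}

# create_container N: namespace netnsN with its own loopback, a veth pair whose
# host end (vethN) is a bridge port without an address and whose container end
# (cethN) carries the address, plus a default route through the host.
create_container() {
    ns="netns$1"; hif="veth$1"; cif="ceth$1"; addr="$(container_ip "$1")"
    run ip netns add "$ns"
    run ip link add "$hif" type veth peer name "$cif"
    run ip link set "$cif" netns "$ns"
    run ip link set "$hif" master "$BRIDGE"
    run ip link set "$hif" up
    run ip netns exec "$ns" ip link set lo up
    run ip netns exec "$ns" ip link set "$cif" up
    run ip netns exec "$ns" ip addr add "$addr/$BITS" dev "$cif"
    run ip netns exec "$ns" ip route add default via "$GATEWAY"
}

# enable_nat: let the host forward packets, and source-NAT anything from the
# container subnet that leaves through an interface other than the bridge.
enable_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$PREFIX.0.0/$BITS" ! -o "$BRIDGE" -j MASQUERADE
}

# publish_port N HOST_PORT CONT_PORT [ACTION]: DNAT HOST_IP:HOST_PORT to
# container N. PREROUTING catches packets arriving from outside, OUTPUT catches
# connections the host itself makes; br_netfilter sends bridged traffic through
# iptables so the published address also works from other containers.
# ACTION defaults to -A (append); pass -D to remove the same rules again.
publish_port() {
    action=${4:--A}
    for chain in PREROUTING OUTPUT; do
        run iptables -t nat "$action" "$chain" -d "$HOST_IP" -p tcp --dport "$2" \
            -j DNAT --to-destination "$(container_ip "$1"):$3"
    done
    run modprobe br_netfilter
}

# build_network COUNT [PORT]: bridge, COUNT containers, NAT, and optionally
# publish PORT of container 0 on the same host port.
build_network() {
    create_bridge
    i=0
    while [ "$i" -lt "$1" ]; do create_container "$i"; i=$((i + 1)); done
    enable_nat
    if [ -n "${2:-}" ]; then publish_port 0 "$2" "$2"; fi
}

# Usage: DRY_RUN=1 sh netns-demo.sh 2 5000   (review the plan), then run it without DRY_RUN.
if [ -n "${1:-}" ]; then build_network "$1" "${2:-}"; fi
```

Two points worth keeping in mind when adapting this. Traffic that is DNATed to a container is forwarded rather than delivered locally, so it is filtered by the FORWARD chain, not INPUT; host firewall rules written for INPUT do not protect a published port. And the `! -o br0` match on the MASQUERADE rule is what keeps container-to-container traffic un-NATed, so do not drop it when changing the bridge name.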

Docker network drivers

Docker's --network host, --network none, and default bridge modes map directly onto the primitives demonstrated above.

Rootless containers

Rootless tools such as Podman use slirp4netns to provide user-space networking, because creating veth pairs in the host namespace requires root privileges.

Conclusion

The presented approach shows one of the most common ways to isolate and interconnect containers on a single host using Linux network namespaces, veth pairs, a bridge, routing, and NAT. All container networking solutions ultimately rely on these Linux virtualization features.

Original Source

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Docker, NAT, bridge, iptables, container networking, Linux Namespaces, Veth
Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
