Master Single-Host Container Networking with Linux Namespaces, veth, and Bridges

Introduction

Containers feel magical, but understanding the underlying Linux networking primitives makes them predictable. This article walks through single‑host container networking, answering how to virtualize network resources, isolate containers, enable inter‑container communication, and connect containers to the outside world.

Key Questions

How to virtualize network resources so each container thinks it has an exclusive network?

How to let containers coexist without interfering while still communicating?

How to access the external world from inside a container?

How to expose container services to the host (port publishing)?

Prerequisites

Any Linux distribution works; examples run on a Vagrant CentOS 8 VM.

Network Namespace Isolation

Linux network namespaces provide a separate network stack with its own devices, routes, and firewall rules. Create a namespace with: sudo ip netns add netns0 Enter it using nsenter:

sudo nsenter --net=/var/run/netns/netns0 bash

Inspecting the Network Stack

Use a simple script to list devices, routes, and iptables rules:

#!/usr/bin/env bash
echo "> Network devices"
ip link
echo -e "
> Route table"
ip route
echo -e "
> Iptables rules"
iptables --list-rules

Before running, add a custom iptables chain:

sudo iptables -N ROOT_NS

Creating Virtual Ethernet (veth) Pairs

veth devices come in pairs and act as a tunnel between namespaces. Create a pair:

sudo ip link add veth0 type veth peer name ceth0

Move one end into the namespace: sudo ip link set ceth0 netns netns0 Bring up the devices and assign IPs:

sudo ip link set veth0 up
sudo ip addr add 172.18.0.11/16 dev veth0
sudo nsenter --net=/var/run/netns/netns0 bash -c "ip link set lo up && ip link set ceth0 up && ip addr add 172.18.0.10/16 dev ceth0"

Ping tests show each namespace sees its own isolated stack.

Connecting Containers with a Linux Bridge

When multiple containers share the same IP subnet, a bridge (L2 switch) solves routing conflicts. Create and activate a bridge:

sudo ip link add br0 type bridge
sudo ip link set br0 up

Attach both veth ends to the bridge:

sudo ip link set veth0 master br0
sudo ip link set veth1 master br0

Now containers can ping each other directly.

Connecting the Bridge to the Host

Assign an IP to the bridge so the host can reach the containers: sudo ip addr add 172.18.0.1/16 dev br0 Update routing tables and enable IP forwarding:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Network Address Translation (NAT)

To allow containers to reach external networks, masquerade their traffic:

sudo iptables -t nat -A POSTROUTING -s 172.18.0.0/16 ! -o br0 -j MASQUERADE

After adding a default route inside each namespace, containers can ping public IPs such as 8.8.8.8.

Port Publishing

Expose a container service to the host by accessing the container’s IP directly, or use Docker’s -p flag which creates DNAT rules. Example with a simple Python HTTP server inside a namespace:

sudo nsenter --net=/var/run/netns/netns0 bash -c "python3 -m http.server --bind 172.18.0.10 5000"

From the host, curl 172.18.0.10:5000 works, while accessing the host’s external IP requires proper DNAT configuration.

Docker Network Drivers Overview

Docker offers three main drivers:

host : container shares the host’s network namespace.

none : container gets only a loopback interface.

bridge (default): similar to the bridge setup described above.

Rootless Containers

Rootless Podman uses slirp4netns to provide user‑space networking without root privileges, but it cannot create veth pairs directly and lacks raw socket capabilities needed for ping.

Conclusion

The presented approach—network namespaces, veth pairs, a Linux bridge, routing, and NAT—is a widely used method for single‑host container networking. Alternative solutions exist via Docker plugins or other third‑party tools, but they all rely on the same Linux virtualization primitives.

References

Original article (English)

Docker network drivers

Podman container networking

slirp4netns project