Alpine linux veth network/bridge has no internet

namespaces ip iptables network-namespace

Solution 1:

I applied your setup verbatim and it's working.

You must have made a typo somewhere or didn't follow exactly what you wrote in your question.

Two remarks:

bridge link show br1

is an invalid syntax. man bridge was amended in recent versions probably because it was a common mistake:

bridge link show - list ports configuration for all bridges. This command displays port configuration and flags for all bridges.

To display port configuration and flags for a specific bridge, use the "ip link show master <bridge_device>" command.

So you should use instead:

ip link show master br1

or you'd get extra interfaces on other bridges. Of course it doesn't matter.

What matters is that:

  ip -all netns exec ip route add default via 192.168.1.10

should have set default routes in the network namespaces (and did for me), but you write later:

when i run

ip netns exec namespace1 ip route

I get the results:

192.168.1.0/24 dev veth1 proto kernel scope link src 192.168.1.11

Here the default route is missing. Doing the same on my system, I get, as you should have but didn't:

# ip netns exec namespace1 ip route
default via 192.168.1.10 dev veth1 
192.168.1.0/24 dev veth1 proto kernel scope link src 192.168.1.11

So figure out what is missing. Retest your commands exactly as given, manually, without changing any order, and verify you get the default route. For example this route would be lost if the interface is brought down then up again (but it's not done in OP's script). If needed don't use -all but repeat twice the command once for namespace1 once for namespace2.

UPDATE: from further discussion in comments it appears also that OP had iptables' with a FORWARD policy set as DROP.

If one intends to enable inter-namespace traffic (should br_netfilter be activated, see at the end) and any outgoing traffic from the namespaces, one could simply use for example:

iptables -I FORWARD -i br1 -j ACCEPT

Likewise for the namespaces to reach the host if needed:

iptables -I INPUT -i br1 -j ACCEPT

Security about this should really be pondered, and the rules integrated in the existing firewall solution.

Things can become more complex if other tools like Docker are running because it might enable br_netfilter, as can be seen in my answer to this Q/A.

Related

Setup a fixed IP like Shopify?
How to get DRBD to automatically start after reboot, mount volume, start service, and configure primary/secondary
Is there any solution out there that is as easy to use as power query but handles 2gb of data?
Why does "su - X" require password, but "sudo -u X bash" doesn't?
DC Demote left behind NTDS for the DC in Sites and Services. How can I fix this?
Runas local Administrator, while authenticating as domain user
got error for connecting to database failure, caused by insufficient disk size?
Courier not listening on IPv4 ports
403 when using Terraform to attach Lambda Function to Target Group w/ ALB
Group Managed Service Accounts (GMSA) and Read-Only Domain Controllers (RODC)
Where is imagemagick located on an EC2 server
Using a http proxy without manually configuring the browser to use proxy server