Linux Networking: Bridges, iptables, IPVS

Linux networking is the backbone of modern containerization (like Docker) and orchestration (like Kubernetes). To understand how data moves between your computer and a container, or between two containers, you need to understand three core concepts: Bridges, iptables, and IPVS.

Think of it as a busy corporate office building:

1. Linux Bridge (The Switch/Hub): Think of this as the physical extension cords or network switches in the office. It connects different cubicles (containers) so they can talk to each other and to the outside world. Without it, the cubicles are isolated islands.
2. iptables (The Security Guard & Mailroom): Think of this as the security guard checking ID cards (Firewall) and the mailroom sorting packages (NAT). It checks every person (packet) entering or leaving. It says, “You can pass,” “You are blocked,” or “Please deliver this package to Desk 4, not the lobby.”
3. IPVS (The High-Speed Receptionist): Think of this as a super-efficient receptionist handling thousands of visitors. While the Security Guard (iptables) checks a long list of names one by one (slow for big crowds), the High-Speed Receptionist (IPVS) uses a quick directory hash system to instantly direct massive crowds to the right department.

Cheat Sheet

1. Linux Bridge: A software switch that connects virtual network interfaces (like containers) to the host network.
   • Bridge: Operates at Layer 2 (Data Link Layer). It deals with MAC addresses.
2. iptables: A rule-based firewall utility that controls packet filtering and Network Address Translation (NAT).
   • iptables: Operates mostly at Layer 3 & 4 (Network/Transport). It deals with IP addresses and Ports.
3. IPVS (IP Virtual Server): A transport-layer load balancer inside the Linux kernel, much faster than iptables for handling many services.
   • IPVS: Operates at Layer 4 (Transport). It is purely for load balancing.

Feature	Linux Bridge	iptables	IPVS
Primary Role	Connectivity (Switching)	Security (Firewall) & NAT	Performance Load Balancing
OSI Layer	Layer 2 (Data Link)	Layer 3 (Network) / Layer 4	Layer 4 (Transport)
Complexity	Low	Medium (Sequential Rules)	High (Hash Tables)
Performance	Fast (Local switching)	Slower at scale (O(n) lookup)	Very Fast at scale (O(1) lookup)
Key Use Case	Docker default networking (docker0)	Firewalls, Docker Port Mapping	Kubernetes Service Load Balancing (kube-proxy)

–

Linux Bridges

A Linux Bridge acts like a virtual Layer 2 switch.

• Function: It connects multiple network interfaces together so they can communicate.
• In Docker: The default docker0 interface is a bridge. When you run a container, Docker creates a pair of virtual ethernet pipes (veth pairs). One end plugs into the container, and the other plugs into the bridge on the host. This allows containers to talk to each other and the host.

Containers are basically isolated processes. They need a way to reach the outside world.

iptables

iptables is the traditional utility for configuring the Linux kernel firewall (netfilter).

• Packet Filtering: It decides whether to accept, drop, or forward network packets.
• NAT (Network Address Translation): This is critical for containers. When a container talks to the internet, iptables uses Masquerading (NAT) to make the traffic look like it is coming from the host’s IP address.
• Port Forwarding: When you map a port (e.g., -p 8080:80), Docker writes iptables rules to forward traffic hitting port 8080 on the host into the specific container IP on port 80.

IPVS: IP Virtual Server

IPVS is a high-performance Layer 4 load balancer built into the Linux kernel.

• Performance: While iptables works well for firewalls, it becomes slow when handling thousands of rules (like in large Kubernetes clusters). IPVS is designed specifically for load balancing and uses hash tables for faster lookups.
• Use Case: It is often used in Kubernetes (kube-proxy) to direct traffic between services efficiently, replacing iptables mode in high-scale environments.

---

Containers are basically isolated processes. They need a way to reach the outside world.

• Virtual Ethernet Pairs (veth): When a container starts, Linux creates a “pipe” with two ends. One end sits inside the container (seen as eth0), and the other end sits on the host machine.
• The Bridge: The host end of that pipe is plugged into a Linux Bridge (like docker0). This bridge collects all the cables from different containers and allows them to talk.
• Packet Flow: When a container pings Google (8.8.8.8), the packet goes:
  1. Container eth0 -> Host veth -> Bridge docker0.
  2. iptables sees this packet and performs NAT (Masquerading). It stamps the host’s IP on the packet so the internet knows where to send the reply.
  3. Packet leaves the physical interface (eth0 or wlan0).

• Bridge Utils (official)
• Netfilter/iptables Project

–

DevSecOps Architect

At an architectural level, we move beyond simple connectivity to performance tuning and scale.

The Scalability Problem with iptables:

• Sequential Processing: iptables (specifically the netfilter framework) processes rules in a chain, one by one (O(n) complexity).
• The Bottleneck: In a Kubernetes cluster with 5,000 services, kube-proxy might generate 50,000 iptables rules. Every single packet must be checked against this long list. This causes high CPU usage and latency.

IPVS as the Solution:

• Hash Tables: IPVS uses hash tables (O(1) complexity). Whether you have 10 rules or 10,000 rules, the lookup time is nearly identical.
• Load Balancing Algorithms: IPVS supports advanced algorithms natively:
  • rr: Round Robin
  • lc: Least Connection
  • dh: Destination Hashing
  • sh: Source Hashing
• Direct Routing (DR): IPVS allows packets to be forwarded directly to backend servers without passing back through the load balancer, massively increasing throughput.

Interaction with Namespaces:

• Architects must verify that net.ipv4.ip_forward is enabled in the kernel (sysctl). Without this, the kernel drops packets attempting to cross bridges.

• IPVS Administration (ipvsadm)
• Kubernetes IPVS Proxy Mode

Key Characteristics

• Bridge: Promiscuous mode operation (listening to all traffic on the link).
• iptables chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.
• IPVS Schedulers: The algorithms used to decide which backend server receives the packet.

Use Cases

• Linux Bridge: Default networking for Docker, LXC, and KVM virtualization.
• iptables: Securing a server, setting up a VPN gateway, basic Docker port forwarding.
• IPVS: Large-scale Kubernetes clusters, high-traffic load balancers (L4).

Benefits

• Standardization: Bridges are standard in every Linux distro.
• Granularity: iptables offers extremely fine-grained control over every single packet bit.
• Efficiency: IPVS provides datacenter-grade load balancing on standard hardware.

Limitations

• iptables: Performance degrades linearly with the number of rules. Updating thousands of rules is not atomic (can cause brief glitches).
• Bridges: Can introduce latency if daisy-chained (bridging a bridge).
• IPVS: Harder to debug than iptables because the rules are not as plainly visible in standard logs.

Common Issues, Problems, and Solutions

• Docker containers cannot access the internet.
  • Solution: Check if ip_forward is enabled (sysctl -w net.ipv4.ip_forward=1). Check if iptables Masquerading is active.
• Kubernetes services are slow/timing out.
  • Solution: Check if conntrack table is full. Consider switching kube-proxy from iptables mode to IPVS mode.
• Ping works, but TCP fails.
  • Solution: Check MTU (Maximum Transmission Unit) sizes on the bridge. If the container MTU is larger than the host interface MTU, packets get dropped.

• Docker Networking Overview
• Kubernetes Networking
• Linux Kernel Networking (Foundation)

Quiz Linux Networking

---