Advanced Network Related Question Regarding Network Namespaces

hey I'm here, I just want to mention I didn't force my friend to ask for me or anything if anyone gets that idea ;)
he fully offered because he's getting impatient my primary workstation has been offline for so long, mainly because figuring this out could take years (which I'm fine with as I'm busy with other stuff atm).

I want to figure this out to prevent hackers from accessing my physical machine like they can through traditional TCP/IP...
if I virtualize it, they shouldn't be able to access everything so readily available, and I should have more control over what traffic comes through.
I know Windows has hypervisor which can also be configured through kvm on Linux, but I'm not looking to go that far right now,
plus it only wrapps the issue I'm trying to solve (so what if hackers disrupt a VM, just reset the VM).
I want to restrict access to begin with so hackers can't compromise the machine so easily, be it physical or virtual.

also, one of the first things I'm doing in the virtual namespace is setting up Surricata to add further restrictions through the virtual IP
(Linux doesn't seem to have a good HIPS software)
and then of course a NAT layer, cause what is a router without that, which should help protect everything connected even further :P
I just want hackers to see my virtual IP/namespace when they access my adapter's MAC

this is all for my router I'm trying to build so I can have some real security, which traditional ISP routers usually don't provide for WAN
(I can't afford to buy a new router, but from what I've seen, even another friend's ASUS doesn't do as good of a job as I want to set up)

plus with a custom router running XFCE on LXDM (no network video server), I can even have services displayed on a local monitor notifying me if something on the subnet (eg: an IPFS daemon) is no longer reachable so I can fix it faster.

and btw, my ISP router has already been infected once (thank you Discord), and it may be possible for hackers to compromise the factory reset image.

I'm disappointed real security isn't openly discussed more as network devices would probably have better security, if not ditch TCP/IP completely...
last time I discussed anything on real security, I was told to hire a professional:

here's a link if the image stops displaying here again
^ asked in January of 2019 (let me know if the image doesn't load at all, my daemon or VPN might need a reset)
I don't have much faith in StackExchange anymore because I keep seeing legit questions on good information be flagged and deleted for some reason or another...
it's almost as if nobody wants good information on the network... James Corbett on LBRY certainly seems to think so.

So you don't want an IP (Internet Protocol) network? Have you heard of other (mostly dead) protocols like what Novell Netware used long ago?

Our current networking hardware can support other protocols and you are more than welcome to make your own protocol.

https://www.google.com/search?client=opera&q=Can+I+send+a+message+to+a+MAC+address finds priors and while the answer is no, I don't think it's that cut and dry. It's only no if you want to use your (secure?) protocol outside your LAN since the Internet uses the Internet Protocol.

@rprofitt while I am working on my own protocol (as I've mentioned in other issues), I'm trying to just use regular TCP/IP more securely, simply to restrict access to the host hardware better than what's done by default with a basic setup.

that's all this question is about ;)

I know what you're talking about though, and that last bit was only my disappointment security is not taken more seriously by default.
I can already send packet data to a MAC address with python, but thanks :)

Hello Tcll.

Then do that. I will share I worked at a company that had a secure IP "like" LAN. Basically there was a shim that say between the LAN and the device or computer that added said security.

Remember I can not tell all here but for Linux and Windows it is a supported thing that you can put your shim in there to do as you please for each packet in and out. That way nothing that doesn't know how to talk to the device or computer can't talk and since all communications are encrypted then said packets even if they went out on the Internet would not be useful.

Now if you are not into building your own world like this maybe you want to look at security appliances like Barracuda and others.

To close, I worry here you are trying to secure a Personal Computer (PC) or Windows. How long have you been at this? I've been around since say the IBM 360 days. When the PC arrived it was not secure at all since you just used a floppy to boot it up and it let you do anything you wanted since you were it's owner.

Then do that.

that's the problem, idk how, I'm just asking because I know it's possible to link an adapter (virtual?) MAC address to a virtual IP
but what are the commands??

Now if you are not into building your own world like this

I want to, but now's not the time just yet ;)
that's a bit far ahead of my current knowledge :)

How long have you been at this?

eh... not too long honestly...
I actually knew very little about real security back when I got hacked on Discord in 2018
but I knew what real security was as there's numerous concepts that apply to it,
plus my ex friend was a retured dark web hacker who taught me a lot before turning on my community after a kid destroyed his configs for my server (I was teaching the kid, so the loss wasn't really that big of a deal).
one of the things that really helped me along though was that metaclass inventing private class attributes for python I wrote a while back.

oh and also, simply using Comodo AntiVirus for Windows configured for paranoid mode, compounded with my knowledge of the hacks I applied to XP also taught me a lot.
as well as a lot of the arguments I had over XP security (which I learned from removing viruses up to rootkits)
even to date I still say XP Pro x64 is the most secure version of Windows
security comes from how few backdoors an OS has, not how many have been patched
(Win10 may not be affected by the same exploits, but it still has more potential exploits than WinXP64 given it's Orwellian nature that dates back to Vista)

so yeah, that's how I know what real security is, and how much worse it's gotten (good security grants privacy, which grants freedom)

I guess you could say, while it's only taken me under 2 years to learn how to secure an OS, it's taken me much longer to learn what real security actually is, and the hundreds of services that fail to provide it (I could fill a post limit with just names alone, because just about everything is compromised).

if you want an example of good security, look at how IPFS or Monero work
(fun fact: my VFS for my software suite's blockchain file distribution system uses similar ideas to IPFS, which is why I like it so much)

sorry if I'm going off a bit far, you probably already know more than half the stuff I'm mentioning XD
I just have a bad habit of treating everybody like noobs and re-educating everyone :)
it has it's benefits though, especially with the fact the web is constantly being burned and how people forget things ;)

To me this is starting to sound like one of the "ARP"s. I tend to not duplicate the web on that so read
https://www.geeksforgeeks.org/arp-reverse-arprarp-inverse-arp-inarp-proxy-arp-and-gratuitous-arp/

eh, not exactly...
maybe if I was relying on strict MAC communication for my router over LAN (which IS an awesome idea, I'll give you that)
but it's pointless if a hacker has access to the router like the defaults allow as they can just manipulate the software running that ARP...
this is for the WAN port(s), for protecting the router from hackers, since default TCP/IP does a horrible job of such protection.

the virtual IP should be the only thing the hacker can access over WAN, to which the virtual container should restrict access to the router itself.
that is, if my theory is correct and the virtual container doesn't duplicate machine access anyways...

after re-watching a video about basic netns setup...
all I need to do is link my WAN MAC to the virtual container created with ip netns add
I assume I'd be using an ip link command to do so, somehow specifying the WAN MAC instead of a pre-configured WAN IP??
that way the WAN adapter simply forwards the virtual IP the internet can link to...

This doesn't tell me what you are looking for. You can do a lot of things with the Internet Protocol. That means you get to implement whatever you want. But on the LAN level, you don't have to use IP (example Novell Netware and others.)

Let's take a look at your premise that the hacker can access (what?) over the WAN. It's your gateway, you set the rules so how would this hacker get through? I worry you haven't thought this through or are thinking about folk that say "run TORRENTS" or other servers that have security flaws.

Maybe you are looking to eventually develop some Baracuda-like security appliance but I can't tell here.

huh? I already explained I'm working on a linux router/gateway :/

simply defining rules in iptables isn't enough to prevent hackers from accessing the machine
Surricata helps as a clunky HIPS, but it's easy to bypass if you know how... (I wish Comodo was here)

I want to simply redirect the WAN MAC through a virtual namespace so that when said hacker does bypass surricata, they won't be able to touch the machine, at least not directly anyways, where I should be able to identify and prevent the LAN intrusion or system corruption myself as the hacker blindly probes through my dynamic maze...

I'll admit I haven't thought every last little thing through, I'm only human after all, but in some cases, Windows has better security than Linux
despite the fact a lot of that security is pointless due to Windows being swiss cheese, unlike Linux

Comodo HIPS would work much better on Linux than Windows, and do a much better job than Surricata, if only it were available... u.u

I'll disagree. You are trying to create a security appliance. But you are at the beginning of your work on this.

About https://suricata-ids.org/news/ . See if they have a mailing list and start going to those virtual seminars.

At some point you will be able to document the exploit you seem to be eluding to and they will log it as a bug to be fixed.

so you're not going to tell me how to link a MAC address to a network namespace??

EDIT:
I did some research after learning a few things, and it looks like this may be the command I was asking for:

ip link add link eth0 address 00:11:11:11:11:11 eth0.1 type macvlan

I can't since you are the one that has to code this up at the lower levels of your selected OS. It appears you don't want to use the IP stack in the OS so you get to create your own as you see fit.

Think of it as if you are a God. I can't tell you what to create as you are creating something new.

Another issue is what I've read so far is something I see our network programmers tackled after years of writing network code. So there's a long of work ahead of you in the design of your replacement network stacks and then coding.

my network protocol is not the current issue
I'm working on that offline with a local network of at least 5 minions (weak machines) and a basic router
and I know it's gonna take a while as I learn, but thanks

the current issue is the command I'm asking for, which might be what I've edited my previous post with.

I see your edit and don't see how that will attain your goals (which admittedly are a bit strewn about this discussion.)

If you feel the ip command will suffice, then it will.

all I'm asking for is how to protect my router
I've already stated I want to use TCP/IP there, but wrapped in a way that keeps things relatively secure
I think you got things confused with earlier issues and brought up my network protocol when you talked about me building my own environment, which I responded that now was not the right time

yeah I'm not coding anything for my router, I just want to set it up in a way that can do an excellent job of keeping out intruders.

as for the surricata issue, if you use DoH, surricata can't detect intrusions...
it's a well known issue that nobody's working on, so the workaround is mainly using a pi-hole in front of everything.

I could probably do one better with surricata running behind a top-level DoH agent in another linked virtual namespace, but even then things are still questionable...

OK, let's pivot to "protection."

Think about packets. Let's say some nasty packets come at your router. The router itself is going to have to stand up to that or we have to call that a bad router.

Also we need to shutdown as much as possible in some routers. No "servers" there so all a router needs to do (understatement) is to route packets to the devices on the other side. NOW this can get interesting as for decades at the office this has never been a problem since any probing fails since unsolicited packets are dropped. Any server is hardened by dropping any packets to ports that are not mapped. I take it you have a good grasp on the IP operation in say Linux. So what's left?

right, that's kinda what surricata is supposed to help with (detecting those bad packets)
cause a router with no open ports is absolutely useless
the problem is those open ports (eg: 80 or 53) are also attack vectors to (at worst) control the router from
so basically I want to virtualize surricata within netns before a rat-maze of dynamics that would finally lead to a NAT layer

I'm not sure if I want to have the router machine itself accessible through that NAT, or have it be accessible through a dedicated address within the dynamics.

but either way, yes I do want to host a few frontward/forwarding servers for crypto and email behind all that
(the data on those servers would be immediately deleted as it would be transferred to hidden servers on my LAN, so the worst a hacker could do is burn some sacrificial relays)
that's all my work there, I'm not asking for help :)

the only thing I'm asking for help with in this entire thread is setting up the virtualization (not so much netns as I have a video for that) and linking it to a MAC with no IP... which I think that above command does, but I just need verification on.

when it comes to knowledge, I'm not as knowledgeable about the commands to operate everything as I am about the general idea itself...
but I'm probably only anywhere between 30 to 60% knowledgeable overall with that being very spotty.
I'm not the best nerd, but I do at least know SOME things. ;)

I got a lot of understanding of things from (LMG) Anthony, and from another youtuber I'm not recalling who redid the wiring of large networks for businesses:
from this:

to this:

^ I know the results are likely different servers, but you get the idea...
I learned from trying to understand the setup itself (just for fun)

when you watch around 30 videos of this stuff while doing that fun for each,
you start to gain a general spotty understanding of how things work :P
but the rest is all experience from programming/hacking/cleaning.

EDIT: sorry if daniweb has a problem displaying the images, that's why I left the links above them :P

If I distill your last post, that rat maze needs more definition. Also you can't fix an exploit unless you have a deep understanding of the exploit. Caveat? Someone else fixed it and you are using their advice or patch (i.e. you are not fixing it.)

The router must be a good router. For example if you were to bring me a device with the Intel Puma chipset you would find me pointing to the recycle bin today. I have yet to read of a definitive fix for that. This is not an Internet Protocol exploit here.

If you do have an exploit you are trying to fix, I have always found it to have a name as well as open discussions on security forums. Here we are at a few back and forths and I don't see "the name."

it's something I haven't looked into yet that's supposed to make things more difficult for a hacker to breach my system if they should get past surricata.

I'm not too interested in fixing surricata myself as I both lack the knowledge and the will to start another project
hopefully someone else fixes things by the time I need to get it up and going, but I'm not looking into it right now...
I don't mind lending an easy hand though. :)

The router must be a good router.

lol honetly, at current, it's just a spare PC I had laying around with enough slots to give me 4 ethernet ports (1 of them being gigabit for WAN)
it's not very good off hand, in fact it's 32bit, so feel free to gain a few more wrinkles from cringing so hard... XD
if I don't get this running, then my subnet won't have internet at all until I can buy some decent hardware in around 6-8 years.
or get another lucky score from the trash or good will...
gotta love living with an inherited debt am I right? :P

if you wanna feel pain, my most powerful PC is a 64bit Pentium4 at 3.5GHz
my router is my second-most powerful desktop CPU, being also a (32bit) Pentium4 with 512MB cache at 2.8GHz (the first model that can do hyperthreading, but it's hardware disabled)
yes it hurts, but I'm used to it...

----------------------------------------------------------
but anyways, getting back to the issue... again
I guess I'll just go verify the command myself to figure out how it works and see if it's what I actually need
was hoping I could get information sooner than I could find it because DDG usually sucks at giving relevant info...
but you keep diverting to things after the issue and haven't attempted to answer the original question once :/

if my thoughts are correct, the virtual interface should restrict sideways access (skirting around the interface to access the machine) and redirect all access straight through the virtual IP, which should be contained, right??

I don't have an IP applied to the adapter, and I'm not writing something that handles the MAC
at a quick glance this command seems to do what I want, but I'm not entirely sure:
ip link add link eth0 address 00:11:11:11:11:11 eth0.1 type macvlan
if my thoughts are correct and this applies the virtual netns name eth0.1 to the MAC address at 00:11:11:11:11:11 with the interface macvlan??
assuming the MAC has no actual IP associated with it...

if it's right, then this should provide me the tunnel I need to ensure all traffic goes through and references the virtual IP (eg: from eth0.1)
whatever the hacker does in here (no restrictions) should be contained and my system should be safe, right??

Have to answer no. In decades I have not found what you seem to be presenting as a panacea. Why? "Dave."
You can see dave at https://www.reddit.com/r/iiiiiiitttttttttttt/comments/7crx0b/it_security_vs_dave/
Copy follows from source:

Now Dave is not only the user but any app, stack, operating system etc.

Back to surricata. If you feel it's broken, report that bug.

lmao, bruh can we please rule out human error as a factor in this mess XD
what good is the progress on the implementation if you automatically rule it out just because some badly written software or configuration defeats it? :)
isn't it important enough the implementation actually does it's job regardless of what human error there is??

it's my choice if I want to defeat my implementation with human error and use something like Discord or SSH, and I should be given that freedom
shouldn't it matter enough that the implementation the human error software is allowed through actually functions like it's supposed to?? :)

as for surricata, I'm not too worried about what's broken as there are workarounds for it if I really need them
most DNS functionality is still unencrypted, so surricata should function properly here for the most part
and any encrypted functionality is still primarily centralized around google or cloudflare, which I no longer use due to their increasing unreliability.
(google was unreliable from the start as it's a spyware utility)

by the time DoH because more common than just cloudflare, surricata should hopefully have fixed it's issue
until then, I'm fine with using either a good VPN or Tor for sensitive stuff

Rule out human error? No can do. So far all this code has been written by humans.

Also, from what I can distill from your posts is you have found an exploit or whatever you wish to call it. Report that now or they won't know to work on a fix or tell us how to mitigate.

I've told you already it's a well known issue and isn't being fixed afaik... :/

anyways, I found out what that command did, and no it's not what I want, though it does help
it creates a virtual mac address with a vlan name, so that actually answers 1 question that was kinda asked if you remember (virtual?)
so I now have a virtual adapter bunking on the physical adapter I can change at will if I need to :D

I'd say thanks but you never provided me that info... :/
Stack Exchange beat you here :P

buuuut I still need to link that to a netns to contain any potential threats

I missed where you shared the bug/issue report for surricata or such. I worry this is:

1. Not reported in the bug pages.
2. That you may have gone down the Chicken Little "sky is falling" rabbit hole.

That said, I don't run surricata or had to do anything like you noted and our office has been fine for decades. We run Linux, Windows and until recently an few machines and phones on Apple OSes. Just programmers with some of us having written router code long and me? A few projects on proprietary almost IP networks but not since they wanted a secure LAN.

I'm not disputing your work, you probably were never hacked just cause you've never been a target... idk
in fact it's that very work that's been the reason I've been respecting you as much as possible here. ;)

but you can't use "I've never been hacked so therefore I'm secure" as backup...
this is something I tell people on YT and LBRY all the time, just cause you haven't been hacked doesn't mean you can't be hacked.
just cause you're not a target doesn't mean you can avoid becoming one.
the question is really how easy it'll be to hack into your network when you become a target, and you can't say you won't become one.
(if you have a device connected to the network, that device is and will always be a target one way or another)

btw, I'm not trying to go the extreme route, sure I'm probably going overboard...
but my take on it is it's better to have and not need than need and not have
I'm aware this is probably quite controvercial regarding a lot of the practices going on in networking. :P

can't be hacked

There it is. As it stands today nothing is bulletproof. However we did take time to secure our systems which IMO leads to zero breaches unless you count some spyware that well, we spotted in seconds and mitigated the hell out of.

Today I'm also encountering folk that call any version of Windows a security breach, spyware or something else. They are free to make such a stance but then you find them running Windows, an Apple OS, Android and not some secure or better secured OS.

In closing, when I do make a setup secure as possible the user balks because things like Yahoo and Facebook don't work.

I never once said I'm making my router unhackable, never even insinuated, cause that's not possible ;)
what you CAN do instead is to make the path to hacking it SO complicated that it takes the hacker 1000+ lifetimes to get past it
if you make that path so difficult that the world population meets mass extinction 100+ times over before it's cracked, that's when you can even start to claim something is unhackable ;)

I know what true security is very well, and that's why I'm working on replacing TCP/IP with such a protocol that secures communication much better than HTTPS ;)
but that doesn't apply to the current issue :)

all I need to do here is figure out the proper commands to creating a V-MAC, linking that up to a netns, and forwarding the public IP from the netns
that's when I can start setting up surricata and such in the netns container.

so far, this is what I've got, but it doesn't work yet:

ip link add link enp1 address 00:11:11:11:11:11 enp1.1 type macvlan
ip netns add ns1
ip link add eth0 type veth peer name enp1.1
ip link set netns ns1 eth0
ip netns exec ns1 ifconfig eth0 hw ether 00:22:22:22:22:22

I'm having a problem with eth0 because apparently it thinks it's a physical adapter and errors out
the joys of following info from StackExchange :P
note that all names and MACs here are fake because I'm not giving away real information ;)

EDIT:

Today I'm also encountering folk that call any version of Windows a security breach, spyware or something else. They are free to make such a stance but then you find them running Windows, an Apple OS, Android and not some secure or better secured OS.

trust me, I deal with these people all the time, and they indeed drive me crazy
"oh Discord is insecure, so I'll just use Skype"
"oh Facebook is bad, so I'll just use Twitter"
"oh Windows is bad, but I'm fine with it"

I hear you. Now let me present our long standing method for a nice secure device or platform. What I'll write next is a basic idea and not all that we can do but the premise is so simple and has saved us from working harder than most. Ready?

We disable any service/server that is not required. This limits the attack vectors to only what remains. I know the beginners find this step incredibly hard since they are asked to learn what their server is doing along with "what does the tapioca service do?"

So much of the past exploits depended on your devices to be in their default config that when you stop all those services the attacker is not getting responses from your machine.

That still leaves us with denial of service attacks but that's usually handled in your router or ISP levels. ISPs work to mitigate DOS attacks since it chews up their bandwidth.

Sure there's more but I see I didn't lead with what we find to be the most effective first step.

We disable any service/server that is not required.

ah ok, yep absolutely, that's why I use Void Linux (network install), because there's such a small amount of things running by default
plus runit is soooooooo much better than systemd because it's just so simple
Void does have dracut which does serve to emulate SOME systemd functionality (networking not included, but can be installed)

but anyways, then there's lxdm as well, chosen because it's incapable of running a network video server (so I've been told)

the more I disable, the less RAM I use, which is good because I only have 2GB NB-max on the thing :P
(I have another board I'm working on replacing the caps of that supports 4GB max dual-channel, which I hope to use)

the first things I always do is disable SSH and delete the dhcpcd service
(the last thing I ever used SSH for was SparkleShare for GitLab sync a while back, but I no longer use that because SSH is insecure)
^ SSH is good for isolated networks, mainly for server clusters

I'm sure if there's more I could do though, I'm not sure entirely what interfaces/sockets are actually needed to keep things running

also I don't have pulseaudio because audio servers are dumb
I do have alsa utils installed as well as as QasMixer in case I end up needing audio output for some reason or whatever

but back on topic though
for some good news, $ arp is completely blank, so I know I'm starting fresh :)

this is one reason you hear me complain about processses with IPC using sockets instead of pipes... heh
pipes are much harder to probe as you need RAM access rather than network access

I'm actually a bit disappointed you didn't list off more there I could follow... lol
unless this is where you listed something earlier that I may not've caught on to >.>