[GH-ISSUE #3269] --netns= traffic does not go over socks5 ssh tunnel #2050

New issue

Open

opened 2026-05-05 08:43:23 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 08:43:23 -06:00

Owner

Originally created by @rogueknight1137 on GitHub (Mar 7, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3269

I have an Ubuntu 18.04 server in which I've created two virtual interface pairs (veth0a & veth0b) and assigned the end of one interface (veth0b) to a new network namespace (netns0):

ip netns add netns0
ip netns exec netns0 ip link set lo up
ip link add veth0a type veth peer name veth0b
ip link set veth0b netns netns0

I then used firejail to force a specific user (test-user) to use this new namespace by default by setting /usr/bin/firejail as the default shell for this user and by adding the following to the /etc/firejail/login.users file:

test-user: --netns=netns0

I've ran the following test to make sure this works:

Run tshark -i veth0a -f "port 443" from the root account
SSH into the server as test-user
Run curl https://1.1.1.1 as SSH user

The tshark output shows the proper veth0b source IP address for the 1.1.1.1 traffic.

The issue I'm running into is when trying to use the test-user account to establish socks5 dynamic port forwarding over SSH:

ssh -D 10000 -q -C -N test-user@server_ip

Running this command from my laptop or workstation allows me to establish a local socks5 server on port 1000 and tunnel it over the SSH connection. Setting this as my local socks5 proxy and going to https://api.ipify.org demonstrates that the proxy is working and that my laptop is using the server's IP address.

The issue is that the sock5 traffic does not appear to be going through the proper namespace. In other words, while browsing the web on my laptop while connected to the socks5 server over the test-user ssh connection my traffic does not appear in tshark -i veth0a.

Originally created by @rogueknight1137 on GitHub (Mar 7, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3269 I have an Ubuntu 18.04 server in which I've created two virtual interface pairs (veth0a & veth0b) and assigned the end of one interface (veth0b) to a new network namespace (netns0): ip netns add netns0 ip netns exec netns0 ip link set lo up ip link add veth0a type veth peer name veth0b ip link set veth0b netns netns0 I then used firejail to force a specific user (test-user) to use this new namespace by default by setting `/usr/bin/firejail` as the default shell for this user and by adding the following to the `/etc/firejail/login.users` file: test-user: --netns=netns0 I've ran the following test to make sure this works: 1. Run `tshark -i veth0a -f "port 443"` from the root account 2. SSH into the server as test-user 3. Run `curl https://1.1.1.1` as SSH user The tshark output shows the proper veth0b source IP address for the 1.1.1.1 traffic. The issue I'm running into is when trying to use the test-user account to establish socks5 dynamic port forwarding over SSH: ssh -D 10000 -q -C -N test-user@server_ip Running this command from my laptop or workstation allows me to establish a local socks5 server on port 1000 and tunnel it over the SSH connection. Setting this as my local socks5 proxy and going to `https://api.ipify.org` demonstrates that the proxy is working and that my laptop is using the server's IP address. The issue is that the sock5 traffic does not appear to be going through the proper namespace. In other words, while browsing the web on my laptop while connected to the socks5 server over the test-user ssh connection my traffic does not appear in tshark -i veth0a.

gitea-mirror added the

networking

label 2026-05-05 08:43:23 -06:00

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2050

No description provided.

Rows
Columns