Recently I faced an issue with rate limiting of some remote service. I was sending more requested to that endpoint than allowed and therefore I’ve received errors messages when being beyond the limit.
Luckily the hoster of my linux client box does provide multiple IP addresses for that machine. By splitting the work into multiple processes and assigning different IP addresses to those processes I was able to prevent the rate limiting issues.
To use those addresses I had to explicitly configure them in addition to the the standard DHCP one. I’ve amended them to
/etc/netplan/01-netcfg.yaml (obviously these are not the real ip numbers):
network: version: 2 renderer: networkd ethernets: eno1: dhcp4: yes addresses: - 18.104.22.168/24 - 22.214.171.124/24
Still any outgoing netwerk connection uses the default IP address. This can be tweaked using a combination on cgroups and iptables. cgroups are part of Linux since ages and allow to isolate and constrain resources for a given process, something e.g. Docker makes heavily use of. For convience I’ve installed
apt install cgroup-tools, see https://github.com/mk-fg/cgroup-tools.
First we create a network classifier cgroup for each ip address we have. Those network classifier groups allow to tag each packet with an identifier (
net_cls.classid) that can be evaluated later using iptables:
cgcreate -g net_cls:/sourceip/1 cgcreate -g net_cls:/sourceip/2 cgcreate -g net_cls:/sourceip/3 cgset -r net_cls.classid=0x100001 /sourceip/1 cgset -r net_cls.classid=0x100002 /sourceip/2 cgset -r net_cls.classid=0x100003 /sourceip/3
Using iptables we add rules to POSTROUTING since this allows to modify the packet and set its source IP address using the SNAT target:
iptables -t nat -A POSTROUTING -o eno1 -m cgroup --cgroup 0x100001 -j SNAT --to-source 126.96.36.199 iptables -t nat -A POSTROUTING -o eno1 -m cgroup --cgroup 0x100002 -j SNAT --to-source 188.8.131.52 iptables -t nat -A POSTROUTING -o eno1 -m cgroup --cgroup 0x100003 -j SNAT --to-source 184.108.40.206
To force a given command to use a specific IP address we wrap the command in a
cgexec call. The following example will use source ip 220.127.116.11 when pinging to www.heise.de:
cgexec -g net_cls:/sourceip/3 ping www.heise.de