choosing between source ip addresses

Recently I faced an issue with rate limiting of some remote service. I was sending more requests to that endpoint than allowed and therefore received error messages whenever I was beyond the limit.

Luckily the hosting provider of my Linux client box provides multiple IP addresses for that machine. By splitting the work into multiple processes and assigning a different IP address to each of those processes I was able to avoid the rate limiting issues.

To use those addresses I had to configure them explicitly in addition to the standard DHCP one. I've added them to /etc/netplan/01-netcfg.yaml (the addresses below are placeholders; obviously these are not the real IP numbers):

  network:
    version: 2
    renderer: networkd
    ethernets:
      eno1:
        dhcp4: yes
        addresses:
          - <additional-ip-1>/<prefix-length>
          - <additional-ip-2>/<prefix-length>
          - <additional-ip-3>/<prefix-length>

Still, any outgoing network connection uses the default IP address. This can be tweaked using a combination of cgroups and iptables. cgroups have been part of Linux for a long time and allow isolating and constraining resources for a given process, something Docker, for example, makes heavy use of. For convenience I've installed the command line helpers with apt install cgroup-tools, see

First we create a network classifier cgroup for each IP address we have. Those network classifier groups allow tagging each packet sent by a process in the group with an identifier (net_cls.classid) that can be evaluated later by iptables:

cgcreate -g net_cls:/sourceip/1
cgcreate -g net_cls:/sourceip/2
cgcreate -g net_cls:/sourceip/3

cgset -r net_cls.classid=0x100001 /sourceip/1
cgset -r net_cls.classid=0x100002 /sourceip/2
cgset -r net_cls.classid=0x100003 /sourceip/3

Using iptables we add rules to the POSTROUTING chain of the nat table, since that is the place where a packet's source IP address can still be rewritten with the SNAT target. Note that the cgroup match only sees locally generated packets, so this steers the box's own processes, not forwarded traffic:

iptables -t nat -A POSTROUTING -o eno1 -m cgroup --cgroup 0x100001 -j SNAT --to-source
iptables -t nat -A POSTROUTING -o eno1 -m cgroup --cgroup 0x100002 -j SNAT --to-source
iptables -t nat -A POSTROUTING -o eno1 -m cgroup --cgroup 0x100003 -j SNAT --to-source

To force a given command to use a specific IP address we wrap the command in a cgexec call. The following example will use source IP when pinging to

cgexec -g net_cls:/sourceip/3 ping
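The steps above as one script; this is an added example, not code from the original post. It assumes a cgroup v1 net_cls hierarchy managed with cgroup-tools, iptables with the cgroup match, eno1 as the outgoing interface and placeholder addresses, and it checks with iptables -C before appending a rule so that re-running it does not stack duplicate SNAT rules.

```shell
#!/bin/sh
# Added example (not from the original post): the post's cgroup/SNAT recipe as
# functions, made idempotent so re-running it does not stack duplicate SNAT
# rules. Assumes a cgroup v1 net_cls hierarchy (cgroup-tools) and iptables'
# cgroup match; OUT_IF and the addresses in the usage comment are placeholders.
set -eu

OUT_IF="${OUT_IF:-eno1}"
CLASS_MAJOR=16          # 0x10: a net_cls.classid is (major << 16) | minor

# classid_for N -> classid for cgroup /sourceip/N, e.g. 3 -> 0x100003
classid_for() {
    printf '0x%x' $(( (CLASS_MAJOR << 16) | $1 ))
}

# snat_rule N IP -> the rule spec shared by `iptables -A` and `iptables -C`
snat_rule() {
    printf 'POSTROUTING -o %s -m cgroup --cgroup %s -j SNAT --to-source %s' \
        "$OUT_IF" "$(classid_for "$1")" "$2"
}

# ensure_rule N IP: append the SNAT rule only when -C reports it missing
ensure_rule() {
    # splitting the spec into separate iptables arguments is intended here
    if ! iptables -t nat -C $(snat_rule "$1" "$2") 2>/dev/null; then
        iptables -t nat -A $(snat_rule "$1" "$2")
    fi
}

# setup IP... : create /sourceip/N, tag it, install its SNAT rule
# (a cgroup v2-only host has no net_cls; there `-m cgroup --path` applies)
setup() {
    n=1
    for ip in "$@"; do
        cgcreate -g "net_cls:/sourceip/$n"
        cgset -r "net_cls.classid=$(classid_for "$n")" "/sourceip/$n"
        ensure_rule "$n" "$ip"
        n=$((n + 1))
    done
}

# Only touches the system when addresses are given (needs root), e.g.
#   sudo OUT_IF=eno1 ./sourceip.sh 192.0.2.11 192.0.2.12 192.0.2.13
# afterwards: cgexec -g net_cls:/sourceip/2 curl https://example.org
if [ "$#" -gt 0 ]; then
    setup "$@"
fi
```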


Using Nginx to proxy a Neo4j instance

There are cases when you want to access your Neo4j instance remotely and you live in an environment where direct access is not possible. This might be caused by technical or organizational restrictions.

One generic solution to this kind of problem is using a VPN. Another alternative, to be discussed in this blog post, is using a reverse proxy server. I want to show how you can proxy Neo4j using Nginx.


WiFi at Deutsche Bahn + Ubuntu + Docker == trouble

Recently Deutsche Bahn started offering WiFi for everyone travelling on an ICE. So far I had trips where it just worked great; on other trips I could not connect at all, neither on my mobile phone nor on my laptop.

Today it was different

We have great signal strength, and WiFi on my phone works like a charm. Connecting to the WiFi works nicely on the laptop as well, but I cannot reach the login page for accepting the terms and conditions.

What happened – the analysis

I have a Thinkpad X1 Yoga laptop running Ubuntu 16.04. Among a gazillion other packages Docker is installed, mostly for dealing with lots of Neo4j databases (of course ;-). The WiFi (SSID: WIFIOnICE) itself is not authenticated, but upon accessing the first webpage you get redirected to a login URL. Here I got a "cannot connect" error message in the browser. DNS lookups however worked fine; with a couple of other WiFi issues DNS had been the common culprit. Using dig I learned that this hostname resolves to an IP address. Next to check are the routing tables:

stefan@x1 ➜  sudo route -n
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
                                                UG    600    0        0 wlp4s0
                                                U     1000   0        0 br-034d1e2af367
                                                U     600    0        0 wlp4s0
                                                U     0      0        0 docker0
                                                U     0      0        0 br-034d1e2af367

Interesting: packets to that address are routed to a weird interface called br-034d1e2af367 and are therefore not sent via the WiFi device. This finding justifies a loud WTF! This bridge interface is established by Docker. Since I'm just a Docker user without a deep understanding of its internals I cannot really explain its exact purpose. But I don't have to 😉

the workaround

It’s good enough to just disable the bridge network interface while doing the wifi authentication:

sudo ifconfig br-034d1e2af367 down
open the login page in your web browser and press the "go online" button
sudo ifconfig br-034d1e2af367 up

After that operation I could use the internet on an ICE train without hassle.

a more elegant solution

Don't have this one yet. It seems you can tweak the bridge's IP address and subnet using --bip <CIDR> upon Docker startup, but I couldn't find out the details for now. Happy to read your helpful comments here.
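The route table check from the analysis above as a script, so the conflicting interface is found by computation rather than by staring at route -n; this is an added example, not code from the original post. It assumes the line format of ip -4 route, and the sample routes and portal addresses in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): find out which connected route
# will swallow the captive-portal address, instead of guessing from `route -n`.
# Assumes the `ip -4 route` line format of iproute2; the route lines and the
# portal addresses used below are constructed samples.

# ip_to_int A.B.C.D -> the address as one unsigned integer
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP PREFIX/LEN -> exit 0 when IP lies inside the prefix
in_subnet() {
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# claiming_ifaces IP: read `ip -4 route` on stdin and print the device of
# every connected route ("PREFIX dev IFACE ...") that covers IP. This is the
# post's problem: a Docker bridge /16 beats the wifi's default route.
claiming_ifaces() {
    while read -r prefix kw dev rest; do
        case "$prefix" in */*) ;; *) continue ;; esac   # skip "default via ..."
        [ "$kw" = dev ] || continue                     # skip gateway routes
        if in_subnet "$1" "$prefix"; then echo "$dev"; fi
    done
    return 0
}

# Constructed sample routing table: the train wifi plus the post's Docker bridges.
SAMPLE_ROUTES='default via 10.101.0.1 dev wlp4s0 proto dhcp metric 600
10.101.0.0/24 dev wlp4s0 proto kernel scope link src 10.101.0.42 metric 600
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-034d1e2af367 proto kernel scope link src 172.18.0.1'

# check_sample IP -> interfaces claiming IP in the sample table
# (on the train: ip -4 route | claiming_ifaces "$PORTAL_IP")
check_sample() {
    printf '%s\n' "$SAMPLE_ROUTES" | claiming_ifaces "$1"
}

# Remedy behind the post's --bip hint: start dockerd with --bip (or "bip" in
# /etc/docker/daemon.json) set to a range the portal network never uses.
```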

finally {}

This post is mainly intended as a self-reminder for future train trips. If it's helpful to others as well I'm more than happy. As a reference I've posted this in German to a question on a forum of Deutsche Bahn as well.


quick tooling tip for hacking Cypher statements – Linux only

When developing Cypher statements for a Neo4j based application there are multiple ways to do this.

A lot of people (including myself) love the new Neo4j browser shipped with 2.0 and subsequent releases. This is a nicely built, locally running web application that runs in your browser. At the top users can easily type their Cypher code and see the results after executing it, either in tabular form or as a visualization that you can click through.

Neo4j 2.0 Browser

Another way is to use the command line and either go with neo4j-shell or use the REST interface by a command line client like cURL or more conveniently httpie (which I’ve previously blogged about).

Typically, while building a Cypher statement you go through a lot of cycles: hack a little bit, test if it runs, hack a little bit, test, and so on. This cycle can be improved by automating execution as soon as the file containing the Cypher statement has changed.

Linux comes with a kernel feature called inotify that reports file system changes to applications. On Ubuntu/Debian there is a package called inotify-hookable available, offering a convenient way to set up tracking for a specific file or directory and take an action triggered by a change in that file or directory.

Assume you want to quickly develop a complex cypher statement in $HOME/myquery.cql. Set up monitoring using:

inotify-hookable -f ~/myquery.cql -c "(~/neo4j-enterprise-2.0.1/bin/neo4j-shell < ~/myquery.cql)"

Using your text editor of choice, open $HOME/myquery.cql and change your code. After saving, the statement will be executed automatically and you get instant feedback.


MySQL backup script

I did some research on how to back up a MySQL database on a regular basis. Finally I decided to use automysqlbackup. It's a no-brainer: just drop the script into /etc/cron.daily and configure the database settings and target directory. Very cool stuff!


Gnome and CTI (computer-telephone-integration)

On my desk there's a Siemens Gigaset SX353 connected to the desktop PC via USB. There's a nice command line tool for managing the telephone; especially dialing numbers is possible using

gigacontr --dev /dev/ttyGB0 --dial 1 <number> 10

Unfortunately, when passing in an international number with the "+" notation, e.g. +49163123456, the phone will not use the "+". This can be easily solved with a small Python wrapper script

#!/usr/bin/env python
import sys
import subprocess

# usage: <script> <number>, e.g. +49163123456
assert len(sys.argv) == 2
device = "/dev/ttyGB0"
internal_number = "10"
gigacontr = "/usr/local/sbin/gigacontr"
number = sys.argv[1]

# gigacontr cannot dial a "+", so use the international call prefix instead
number = number.replace("+", "00")
# a German number given without "+" or "00", e.g. 49163123456, gets the prefix too
if len(number) > 8 and number[0:2] == '49':
    number = "00%s" % (number)

# pass the arguments as a list: the number comes from a callto: link on a web
# page, so it must never be handed to a shell as part of a command string
subprocess.call([gigacontr, "--dev", device, "--dial", "1", number, internal_number])

Gnome supports configuring a handler for callto: URLs. Using gconf-editor, set /desktop/gnome/url-handlers/callto/command to

<path-to>/ %s

To use Thunderbird’s addressbook with this, enable in Tool | Additional Settings | Misc the option “insert callto: link for phonenumbers”. When viewing contact data, the phone numbers show up as links. When clicking the phone number, the phone dials that number. Cool!

Even cooler: for Firefox there is the wonderful Telify addon that finds phone numbers in web pages and converts them to links. Telify must be configured to use callto: URLs instead of the default tel: URLs.