choosing bewteen source ip addresses

Recently I faced an issue with rate limiting of some remote service. I was sending more requested to that endpoint than allowed and therefore I’ve received errors messages when being beyond the limit.

Luckily the hoster of my linux client box does provide multiple IP addresses for that machine. By splitting the work into multiple processes and assigning different IP addresses to those processes I was able to prevent the rate limiting issues.

To use those addresses I had to explicitly configure them in addition to the the standard DHCP one. I’ve amended them to /etc/netplan/01-netcfg.yaml (obviously these are not the real ip numbers):

  version: 2
  renderer: networkd
      dhcp4: yes

Still any outgoing netwerk connection uses the default IP address. This can be tweaked using a combination on cgroups and iptables. cgroups are part of Linux since ages and allow to isolate and constrain resources for a given process, something e.g. Docker makes heavily use of. For convience I’ve installed apt install cgroup-tools, see

First we create a network classifier cgroup for each ip address we have. Those network classifier groups allow to tag each packet with an identifier (net_cls.classid) that can be evaluated later using iptables:

cgcreate -g net_cls:/sourceip/1
cgcreate -g net_cls:/sourceip/2
cgcreate -g net_cls:/sourceip/3

cgset -r net_cls.classid=0x100001 /sourceip/1
cgset -r net_cls.classid=0x100002 /sourceip/2
cgset -r net_cls.classid=0x100003 /sourceip/3

Using iptables we add rules to POSTROUTING since this allows to modify the packet and set its source IP address using the SNAT target:

iptables -t nat -A POSTROUTING -o eno1 -m cgroup --cgroup 0x100001 -j SNAT --to-source
iptables -t nat -A POSTROUTING -o eno1 -m cgroup --cgroup 0x100002 -j SNAT --to-source
iptables -t nat -A POSTROUTING -o eno1 -m cgroup --cgroup 0x100003 -j SNAT --to-source

To force a given command to use a specific IP address we wrap the command in a cgexec call. The following example will use source ip when pinging to

cgexec -g net_cls:/sourceip/3 ping


WiFi at Deutsche Bahn + Ubuntu + Docker == trouble

Recently Deutsche Bahn started wifi for everyone travelling with a ICE. So far I had trips where it just worked great, on other trips I could not even connect – not on mobile phone nor on my laptop.

Today it was different

We have great signal strength, wifi on my phone works like a charm. Connecting to the wifi works nicely on the laptop as well. But I cannot connect to the login page for accepting t&c.

What happened – the analysis

I have a Thinkpad X1 Yoga laptop running Ubuntu 16.04. Among a gazillion of other packages docker is installed – mostly for dealing with lots of neo4j databases (of course ;-). The wifi (SSID: WIFIOnICE) itself is not authenticated but upon accessing the first webpage you get redirected to URL Here I got a “cannot connect” error message in the browser. DNS lookups however worked fine – on couple of other WIFI issues DNS is a common culprit. Using dig I’ve learned that this hostname resolves to IP address Next to check are the routing tables:

stefan@x1 ➜  sudo route -n
Ziel Router Genmask Flags Metric Ref Use Iface UG 600 0 0 wlp4s0 U 1000 0 0 br-034d1e2af367 U 600 0 0 wlp4s0 U 0 0 0 docker0 U 0 0 0 br-034d1e2af367

Interesting, packages to are routed to a weird interface called br-034d1e2af367 and are therefore not set via the wifi device. This finding justifies a loud WTF! This bridge interface is established by docker. Since I’m just a docker user without deep understanding of its internals I cannot really explain its exact purpose. But I don’t have to 😉

the workaround

It’s good enough to just disable the bridge network interface while doing the wifi authentication:

ihtsudo ifconfig br-034d1e2af367 down
open in your webbrowser and press the "go online" button
sudo ifconfig br-034d1e2af367 up

After that operation I could use the internet on a ICE train without hassle.

a more elegant solution

Don’t have this one yet. I seems you can tweak the bridge’s IP number using --bip <CIDR> upon docker startup. But I couldn’t find out the details for now. Happy to read your helpful comments here.

finally {}

This post is mainly intended as a self-reminder for future train trips. If it’s helpful to others as well I’m more than happy. As a reference I’ve posted this in German language to a question on a forum of Deutsch Bahn as well.