I use rtorrent as a torrent downloader. The application runs on a server in a screen virtual tty. My only problem with this great tools is that it's difficult to identify the flows created by the torrent protocol to match them with netfilter/iptables. I then choose to launch rtorrent under its own user, using sudo from my own user account, and then use the netfilter xt_owner module to match the connections based on the userid that owns the socket.
I want user julien to be allowed to launch command rtorrent under user rtorrent. By default, this is forbidden and only root can launch a command like su rtorrent -c 'rtorrent'.
So, to allow julien to do this, we add the following line in /etc/sudoers (make sure you have sudo package installed).
julien ALL=(rtorrent) NOPASSWD: /usr/bin/rtorrent
This is rtorrent configuration (I'm not going to describe this here). Just make sure that the user rtorrent has access to the rtorrent folder, and its subfolders.
# chown rtorrent /data/rtorrent -R
Now, as user julien logged on the system, launch the following:
julien@localhost:/$ cd /data/rtorrent julien@localhost:/data/rtorrent$ screen -S rtorrent [[[ NEW SCREEN CREATED ]]] julien@localhost:/data/rtorrent$ sudo -u rtorrent /usr/bin/rtorrent [[[ EXIT SCREEN USING ctrl-a + ctrl-d ]]]
Check processes list :
julien@localhost:/$ ps -edf|grep rtorrent julien 7987 1 0 Oct12 ? 00:00:14 SCREEN -S rtorrent rtorrent 24288 7988 13 11:06 pts/3 00:00:01 /usr/bin/rtorrent
As you see, rtorrent is launched under its own user.
The xt_owner module of netfilter will allow us to check every connection that is owned by user rtorrent.
We will then mark these connections using connmark.
# iptables -t mangle -o eth0 -A OUTPUT -p tcp --tcp-flags SYN SYN -m owner \ --uid-owner 1014 -j CONNMARK --set-mark 123 # iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
In the first rule, we match every tcp packet that has the SYN flag set (thus, we match SYN and SYN/ACK packets) and that is owned by uid 1014 (which is rtorrent's uid, check /etc/passwd). The packets that match this rule have their mark field (in sk_buff) set at 123.
In the second rule, we restore the mark applied to one packet to all the packets of a connection. Thus, all the connections that have their SYN or SYN/ACK packets marked by the previous rule will receive the 123 mark.
To control that this rule is applied, do a grep in /proc/net/ip_conntrak as follow :
# grep 'mark=123' /proc/net/ip_conntrack
You can then use this mark to shape traffic, like with tc for example.