en:ressources:articles:sudo_rtorrent [2011/07/10 13:52] (current)
====== Sudo rtorrent for netfilter match ======

{{tag>rtorrent debian networking netfilter iptables}}

I use **rtorrent** as a torrent downloader. The application runs on a server in a screen virtual tty. My only problem with this great tool is that it is difficult to identify the flows created by the torrent protocol in order to match them with netfilter/iptables.
I therefore chose to launch rtorrent under its own user, using **sudo** from my own user account, and then use the **netfilter xt_owner** module to match the connections based on the userid that owns the socket.
 +
===== Set sudo =====

I want user //julien// to be allowed to launch the command **rtorrent** as user //rtorrent//. By default, this is forbidden: only root can run something like //su rtorrent -c 'rtorrent'//.

So, to allow //julien// to do this, we add the following line to **/etc/sudoers** (make sure the sudo package is installed, and edit the file with **visudo** so a syntax error cannot lock you out):

<code>
julien ALL=(rtorrent) NOPASSWD: /usr/bin/rtorrent
</code>

Explanation:
  * **julien** is the user the rule applies to
  * **ALL** is the host field: the rule applies on every host (not only localhost)
  * **(rtorrent)** is the user the following command will be run as
  * **NOPASSWD** means //julien// will not be asked for a password to launch this command
  * **/usr/bin/rtorrent** is the command itself, given as an absolute path so that only this binary is allowed
 +
===== Change the permission =====

This is part of the **rtorrent** configuration (which I will not describe here). Just make sure that the user //rtorrent// has access to the rtorrent folder and its subfolders:

<code>
# chown rtorrent /data/rtorrent -R
</code>
 +
===== Launch rtorrent =====

Now, logged on the system as user //julien//, launch the following:

<code>
julien@localhost:/$ cd /data/rtorrent
julien@localhost:/data/rtorrent$ screen -S rtorrent
[[[ NEW SCREEN CREATED ]]]
julien@localhost:/data/rtorrent$ sudo -u rtorrent /usr/bin/rtorrent
[[[ EXIT SCREEN USING ctrl-a + ctrl-d ]]]
</code>

Check the process list:

<code>
julien@localhost:/$ ps -edf|grep rtorrent
julien    7987     1  0 Oct12 ?        00:00:14 SCREEN -S rtorrent
rtorrent 24288  7988 13 11:06 pts/3    00:00:01 /usr/bin/rtorrent
</code>

As you can see, rtorrent runs under its own user.
 +
===== Netfilter configuration =====

The **xt_owner** module of netfilter lets us match every outgoing connection whose socket is owned by user //rtorrent//.

We then mark these connections using CONNMARK.

<code>
# iptables -t mangle -A OUTPUT -o eth0 -p tcp --tcp-flags SYN SYN -m owner \
  --uid-owner 1014 -j CONNMARK --set-mark 123
# iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
</code>

In the first rule, we match every tcp packet that has the SYN flag set (so we match both SYN and SYN/ACK packets) and whose socket is owned by uid 1014 (rtorrent's uid, check /etc/passwd). The connections these packets belong to get their **mark** (the connmark stored in the conntrack entry) set to 123.

In the second rule, we restore that connection mark onto every packet of the connection, i.e. we copy it into the packet's **mark** field (in sk_buff). Thus, all the connections whose SYN or SYN/ACK packet was marked by the previous rule carry the 123 mark on every packet.

To check that this rule is applied, grep **/proc/net/ip_conntrack** (or **/proc/net/nf_conntrack** on newer kernels) as follows:

<code>
# grep 'mark=123' /proc/net/ip_conntrack
</code>
 +
You can then use this mark to shape traffic, for example with tc.
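The following is an added example, not part of the original article: it generates the two CONNMARK rules from the rtorrent account's actual uid instead of the hard-coded 1014, and counts conntrack entries carrying the mark on a constructed dump. The function names and the sample lines are mine.

```shell
#!/bin/sh
# Added example, not from the original article: build the two CONNMARK rules
# from the rtorrent account's real uid instead of the hard-coded 1014, and
# count the conntrack entries that carry the mark. Function names are my own.

IFACE="${IFACE:-eth0}"   # outgoing interface used in the article
MARK="${MARK:-123}"      # connection mark used in the article

# Print (do not apply) the two mangle/OUTPUT rules for a numeric uid.
# Review the output, then apply it as root, e.g.
#   rtorrent_mark_rules "$(id -u rtorrent)" | sudo sh
# Check with `iptables -C` and the same arguments before re-running this at
# boot, otherwise -A appends duplicate rules.
rtorrent_mark_rules() {
    uid="$1"
    case "$uid" in
        ''|*[!0-9]*) echo "rtorrent_mark_rules: numeric uid required" >&2; return 1 ;;
    esac
    # 1) every outgoing tcp packet with SYN set (SYN and SYN/ACK) from a socket
    #    owned by uid gets its connection mark set
    printf 'iptables -t mangle -A OUTPUT -o %s -p tcp --tcp-flags SYN SYN -m owner --uid-owner %s -j CONNMARK --set-mark %s\n' \
        "$IFACE" "$uid" "$MARK"
    # 2) copy the connection mark back onto every packet of that connection
    printf 'iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark\n'
}

# Count conntrack entries carrying exactly MARK. Reads a dump on stdin, so it
# works with /proc/net/ip_conntrack, /proc/net/nf_conntrack or `conntrack -L`.
# The ( |$) boundary keeps a plain 'mark=123' grep from also matching mark=1234.
count_marked_connections() {
    grep -c -E "mark=${MARK}( |\$)" || true
}

# Constructed sample dump (not captured from a real host): one rtorrent
# connection with mark=123, an https connection with mark=0, and a decoy
# with mark=1234 that a naive grep would count.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=6881 src=198.51.100.5 dst=192.0.2.10 sport=6881 dport=51234 [ASSURED] mark=123 use=1
tcp      6 117 TIME_WAIT src=192.0.2.10 dst=198.51.100.9 sport=40000 dport=443 src=198.51.100.9 dst=192.0.2.10 sport=443 dport=40000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=203.0.113.7 sport=51235 dport=51413 src=203.0.113.7 dst=192.0.2.10 sport=51413 dport=51235 [ASSURED] mark=1234 use=1'

rtorrent_mark_rules 1014
printf '%s\n' "$SAMPLE_CONNTRACK" | count_marked_connections   # prints 1
```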
 +
en/ressources/articles/sudo_rtorrent.txt · Last modified: 2011/07/10 13:52 (external edit)
CC Attribution-Share Alike 4.0 International