====== Sudo rtorrent for netfilter match ======
{{tag>rtorrent debian networking netfilter iptables}}
I use **rtorrent** as a torrent downloader. The application runs on a server inside a **screen** virtual tty. My only problem with this great tool is that it is difficult to identify the flows created by the torrent protocol in order to match them with netfilter/iptables.
I therefore chose to launch rtorrent under its own user, using **sudo** from my own account, and then use the **netfilter xt_owner** module to match the connections based on the uid that owns the socket.
===== Set sudo =====
I want user //julien// to be allowed to launch the command **rtorrent** as user //rtorrent//. By default this is forbidden: only root can run something like //su rtorrent -c 'rtorrent'//.
So, to allow //julien// to do this, we add the following line to **/etc/sudoers** (edit it with **visudo**, which checks the syntax before saving, and make sure the sudo package is installed).
<code>
julien ALL=(rtorrent) NOPASSWD: /usr/bin/rtorrent
</code>
Explanation:
* **julien** is the user the rule applies to
* **ALL** is the host list: the rule applies on ALL hosts (not only localhost), which matters when one sudoers file is shared between machines
* **(rtorrent)** is the user the following command will be run as
* **NOPASSWD** means //julien// will not be asked for a password to launch this command
* **/usr/bin/rtorrent** is the command itself, as a full path (sudo only accepts the command when it is invoked with exactly this path)
===== Change the permission =====
This is part of the **rtorrent** configuration (not described here). Just make sure that the user //rtorrent// has access to the rtorrent folder and its subfolders:
<code>
# chown rtorrent /data/rtorrent -R
</code>
===== Launch rtorrent =====
Now, logged on the system as user //julien//, launch the following:
<code>
julien@localhost:/$ cd /data/rtorrent
julien@localhost:/data/rtorrent$ screen -S rtorrent
[[[ NEW SCREEN CREATED ]]]
julien@localhost:/data/rtorrent$ sudo -u rtorrent /usr/bin/rtorrent
[[[ EXIT SCREEN USING ctrl-a + ctrl-d ]]]
</code>
Check the process list:
<code>
julien@localhost:/$ ps -edf|grep rtorrent
julien    7987     1  0 Oct12 ?     00:00:14 SCREEN -S rtorrent
rtorrent 24288  7988 13 11:06 pts/3 00:00:01 /usr/bin/rtorrent
</code>
As you see, rtorrent is launched under its own user.
===== Netfilter configuration =====
The **xt_owner** module of netfilter lets us match every locally generated packet whose socket is owned by user //rtorrent//.
We then mark the corresponding connections with **CONNMARK**.
<code>
# iptables -t mangle -A OUTPUT -o eth0 -p tcp --tcp-flags SYN SYN -m owner \
    --uid-owner 1014 -j CONNMARK --set-mark 123
# iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
</code>
The first rule matches every TCP packet leaving through eth0 with the SYN flag set (so both the SYN of a connection rtorrent opens and the SYN/ACK we send back to a peer that connects to us) and whose socket is owned by uid 1014 (rtorrent's uid, check /etc/passwd; the owner match also accepts the name, //--uid-owner rtorrent//). For each matching packet, **CONNMARK --set-mark** stores 123 in the mark of the conntrack entry the packet belongs to.
The second rule copies that connection mark back onto every packet's own **mark** field (the nfmark in sk_buff). Thus all packets of a connection whose SYN or SYN/ACK matched the first rule carry the mark 123, in both directions for the packets we emit. Note that only TCP is covered: UDP traffic owned by rtorrent is not marked and would need its own owner rule without the //--tcp-flags// match.
To check that the rules are applied, **grep** /proc/net/ip_conntrack as follows:
<code>
# grep 'mark=123' /proc/net/ip_conntrack
</code>
On recent kernels the file is **/proc/net/nf_conntrack** instead, and the **conntrack** tool can filter on the mark directly with //conntrack -L --mark 123//.
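As an added example (not part of the original page), a small POSIX shell function that summarises the conntrack entries carrying a given mark, so you can see which remote peers sit in the marked connections rather than eyeballing raw grep output. It reads a dump in /proc/net/ip_conntrack or /proc/net/nf_conntrack format on stdin; the sample dump embedded below is constructed, with addresses from documentation ranges.

```shell
#!/bin/sh
# marked_conns MARK: read a conntrack dump (/proc/net/ip_conntrack or
# /proc/net/nf_conntrack format) on stdin and print, for each entry whose
# connmark equals MARK, "proto state remote_ip:remote_port" taken from the
# original direction of the flow (the first src=/dst= pair on the line).
marked_conns() {
    awk -v want="mark=$1" '
    {
        hit = 0; proto = $1; state = "-"; dst = ""; dport = ""
        # nf_conntrack lines start with the l3 family: "ipv4 2 tcp 6 ..."
        if ($1 == "ipv4" || $1 == "ipv6") proto = $3
        for (i = 1; i <= NF; i++) {
            if ($i == want) hit = 1
            # the TCP state (ESTABLISHED, SYN_SENT, ...) sits in the header
            # fields; [ASSURED]/[UNREPLIED] carry brackets and are skipped
            if (i <= 6 && $i ~ /^[A-Z_]+$/) state = $i
            if (dst == "" && index($i, "dst=") == 1) dst = substr($i, 5)
            if (dport == "" && index($i, "dport=") == 1) dport = substr($i, 7)
        }
        if (hit) printf "%s %s %s:%s\n", proto, state, dst, dport
    }'
}

# marked_count MARK: number of conntrack entries carrying MARK.
marked_count() {
    marked_conns "$1" | awk 'END { print NR }'
}

# Constructed sample dump (ip_conntrack format): two rtorrent peer
# connections marked 123, one unrelated SSH session, and one UDP flow
# that the SYN-only rule never marks.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=51413 dport=6881 src=198.51.100.7 dst=192.0.2.10 sport=6881 dport=51413 [ASSURED] mark=123 use=1
tcp      6 119 SYN_SENT src=192.0.2.10 dst=203.0.113.20 sport=51414 dport=51413 [UNREPLIED] src=203.0.113.20 dst=192.0.2.10 sport=51413 dport=51414 mark=123 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.1 sport=44210 dport=22 src=192.0.2.1 dst=192.0.2.10 sport=22 dport=44210 [ASSURED] mark=0 use=1
udp      17 29 src=192.0.2.10 dst=198.51.100.9 sport=6881 dport=6881 src=198.51.100.9 dst=192.0.2.10 sport=6881 dport=6881 mark=0 use=1'

# Demo on the sample; on a live box use: marked_conns 123 < /proc/net/nf_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | marked_conns 123
printf 'marked connections: %s\n' "$(printf '%s\n' "$SAMPLE_CONNTRACK" | marked_count 123)"
```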
You can then use this mark to shape traffic, for example with **tc** and its //fw// filter, which classifies packets by their nfmark.