Sudo rtorrent for netfilter match

rtorrent debian networking netfilter iptables

I use rtorrent as a torrent downloader. The application runs on a server inside a screen virtual tty. My only problem with this great tool is that it is difficult to identify the flows created by the torrent protocol in order to match them with netfilter/iptables. I therefore chose to launch rtorrent under its own user, using sudo from my own user account, and to use the netfilter xt_owner module to match the connections on the uid that owns the socket.

Set sudo

I want user julien to be allowed to launch the command rtorrent as user rtorrent. By default this is forbidden: only root can run something like su rtorrent -c 'rtorrent'.

So, to allow julien to do this, we add the following line to /etc/sudoers (make sure the sudo package is installed).

julien ALL=(rtorrent) NOPASSWD: /usr/bin/rtorrent

Explanation: user julien, from any host (ALL), may run /usr/bin/rtorrent as user rtorrent, and sudo will not ask for a password (NOPASSWD). No other command and no other target user is granted.

Change the permissions

This is part of the rtorrent configuration (not described here). Just make sure that user rtorrent has access to the rtorrent folder and its subfolders:

# chown rtorrent /data/rtorrent -R

Launch rtorrent

Now, logged on the system as user julien, launch the following:

julien@localhost:/$ cd /data/rtorrent

julien@localhost:/data/rtorrent$ screen -S rtorrent

[[[ NEW SCREEN CREATED ]]]

julien@localhost:/data/rtorrent$ sudo -u rtorrent /usr/bin/rtorrent

[[[ EXIT SCREEN USING ctrl-a + ctrl-d ]]]

Check the process list:

julien@localhost:/$ ps -edf|grep rtorrent

julien    7987     1  0 Oct12 ?        00:00:14 SCREEN -S rtorrent

rtorrent 24288  7988 13 11:06 pts/3    00:00:01 /usr/bin/rtorrent

As you can see, rtorrent runs under its own user while screen still belongs to julien.

Netfilter configuration

The xt_owner module of netfilter lets us match every connection owned by user rtorrent.

We then mark these connections using CONNMARK.

# iptables -t mangle -o eth0 -A OUTPUT -p tcp --tcp-flags SYN SYN -m owner \
--uid-owner 1014 -j CONNMARK --set-mark 123

# iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

In the first rule, we match every outgoing TCP packet that has the SYN flag set (so both SYN and SYN/ACK packets match) and whose socket is owned by uid 1014 (rtorrent's uid; check /etc/passwd). For the packets that match, the mark of the connection's conntrack entry is set to 123 (this is the mark shown as mark=123 in /proc/net/ip_conntrack below).

In the second rule, we copy that connection mark back onto each packet (the mark field in sk_buff). Thus every connection whose SYN or SYN/ACK packet was matched by the previous rule has all of its packets carry the mark 123.

To check that the rules are applied, grep /proc/net/ip_conntrack as follows:

# grep 'mark=123' /proc/net/ip_conntrack
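Putting the rules and the conntrack check together, here is an added example (not part of the original post) that generates the two CONNMARK rules for whatever uid the rtorrent user has on the box and counts the conntrack entries carrying the mark. It assumes the user name rtorrent, interface eth0 and mark 123 as above; the /proc/net/ip_conntrack excerpt is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: build the two CONNMARK rules
# for the uid that owns rtorrent's sockets and count the conntrack entries
# that carry the mark. Assumes user "rtorrent", interface eth0 and mark 123
# as in the post; the conntrack sample below is constructed.

# Resolve the uid from the user name instead of hard-coding 1014.
rtorrent_uid() {
    id -u "$1"
}

# Print the rules. The first tags the conntrack entry of every outgoing TCP
# packet with SYN set that belongs to the uid; the second copies that
# conntrack mark back onto every packet of the connection (skb->mark).
build_rules() {
    uid=$1; mark=$2; iface=$3
    printf '%s\n' \
        "iptables -t mangle -A OUTPUT -o $iface -p tcp --tcp-flags SYN SYN -m owner --uid-owner $uid -j CONNMARK --set-mark $mark" \
        "iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark"
}

# Count conntrack lines (stdin) whose ctmark equals $1. The anchors keep
# "mark=1" from matching "mark=123" and "mark=0" from matching "secmark=0".
count_marked_flows() {
    grep -Ec "(^| )mark=$1( |$)" || true
}

# Constructed /proc/net/ip_conntrack excerpt: two marked flows, one unmarked.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=51413 dport=6881 [ASSURED] mark=123 secmark=0 use=1
tcp      6 299 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=44122 dport=443 [ASSURED] mark=0 secmark=0 use=1
tcp      6 117 SYN_SENT src=192.0.2.10 dst=198.51.100.9 sport=51413 dport=6889 [UNREPLIED] mark=123 secmark=0 use=1'

# Fall back to the post's uid 1014 when no rtorrent user exists on this host.
RT_UID=$(rtorrent_uid rtorrent 2>/dev/null || echo 1014)

echo "Rules to apply as root (pipe into sh once reviewed):"
build_rules "$RT_UID" 123 eth0

echo "Marked flows in sample: $(printf '%s\n' "$SAMPLE_CONNTRACK" | count_marked_flows 123)"
# On the real box: count_marked_flows 123 < /proc/net/ip_conntrack
```

Running the script as an unprivileged user only prints the rules; a zero count on the real conntrack table while rtorrent has peers usually means the uid in the first rule does not match the one shown by ps.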

You can then use this mark to shape the traffic, for example with tc.