[TUTORIAL] Creating a RuTorrent interface with redirection through Tor and FTP access

Post by artoxxx » Wed Oct 02, 2019 6:37 am

Creating a RuTorrent interface with redirection through Tor and FTP access

The objective is to create a web torrent interface (RuTorrent), redirect all the torrent traffic through Tor (not the other traffic), and give FTP access to download the torrents.
You can find legal torrent website links at the end of the topic.

What do you need?
  • An Odroid HC2 (or HC1)
  • A USB-UART cable (sold by Hardkernel) because the OHC2 (= Odroid Home Cloud 2) doesn't have any HDMI output
  • A µSD card
  • A HDD (2.5 or 3.5)
  • A 2A 12V power supply
  • An RJ45 ethernet cable
Step 1 : Prepare the SD card
  • Download the Debian Netinstall image made by @tobetter there.
  • Flash it to the SD card using Rufus or whatever you want
Step 2 : First boot
  • Insert the SD card in the OHC2
  • Connect the ethernet cable to your router and to the OHC2 (or bridge the ethernet and wifi like me if you use a laptop)
  • Connect the USB-UART cable to the OHC2 and to your computer
  • Start listening on the serial port on your computer. I use MobaXterm but you can use Putty or Minicom
  • Be sure to listen on the correct port. For example on Windows use the device manager and look at "Ports (COM & LPT)". For me it's COM3 at 115200 bauds
  • Connect the power supply
  • You should see the Debian installer
[ (1*installer) 2 shell 3 shell 4- log ][ Jan 01 0:02 ]

┌─────────┤ [!] Debian installer main menu ├─────────┐
│ │
│ Choose the next step in the install process: │
│ │
│ Choose language - │
│ Configure the keyboard 0 │
│ Detect network hardware ▒ │
│ Configure the network ▒ │
│ Choose a mirror of the Debian archive ▒ │
│ Download installer components ▒ │
│ Detect disks ▒ │
│ Partition disks ▒ │
│ Install the base system ▒ │
│ Make the system bootable ▒ │
│ Install U-boot on the uSD/eMMC ▒ │
│ Change debconf priority ▒ │
│ Save debug logs ▒ │
│ Execute a shell . │
│ │
└────────────────────────────────────────────────────┘

<Tab> moves; <Space> selects; <Enter> activates buttons
  • Choose the language > English > USA
  • Configure the network
    If, like me, you get some problems with the Windows bridge:
    - Go to the Debian installer shell
    - Get an IP address in your LAN range:

    Code:

    ip addr add 192.168.1.110/24 dev eth0
    - Set up the gateway:

    Code:

    ip route add default via 192.168.1.1 dev eth0
    - Verify that you have an IP address with the command

    Code:

    ip addr
    - Verify that you have a default route with the command

    Code:

    ip route
    - Try to disconnect and reconnect to the wifi
    - Try to disable and enable the network bridge
    - Check if the bridge is configured correctly and has an IP address
    - Finally you should be able to ping 8.8.8.8 in the shell
    - Go back to the installer menu and configure the network (type "exit")
  • Hostname > ohc2 or whatever you want
  • Domain > local or whatever you want
  • Select the mirror you want
  • Continue the install without loading kernel modules > yes
  • Configure the root password. I used the password "bonjour" and will change it after. Same for the user "user"
  • Select the timezone
  • Partition the disks MANUALLY
    We will put /boot on the SD card and the other partitions on the HDD.
    - Select "manual"
    - Remove the partitions of the SD card and the HDD
    - Select the SD card free space
    - Create a new partition
    - Change the size to 1GB (or whatever you want, but 1GB is clearly enough for the /boot partition and I use a 16GB SD card)
    - Select primary or logical, both will work
    - Use it as EXT4
    - Select /boot as mount point
    - Set the bootable flag to "on"
    - Select "Done setting up the partition"
    - [optional] use the remaining free space on the SD card to create a partition if you want. I don't need it so I don't do it
    - Select the free space of the HDD
    - Create a new partition
    - Choose 2 or 3 GB
    - Choose primary or logical
    - Select beginning as location
    - Use as swap area
    - Done setting up the partition
    - Select the remaining free space on the HDD
    - Create a partition
    - Accept the default partition size
    - Choose primary or logical
    - Use as EXT4
    - Mount point : /
    - Done setting up the partition
    - Finish partitioning and write changes to disk
    - Accept the partitioning (select yes)
  • Wait while the system is being installed (10 mins for me)
  • Select the kernel, choose : "linux-image-odroid-upstream"
  • Participate in the package survey if you want
  • For the software selection, just select "ssh server" and "standard system utilities", and select "continue". You can install a desktop environment and a VNC server later if you want, but we don't actually need it
  • When the installation is complete, select "continue" to reboot
Step 3 : First connection
  • Still on the serial console, connect as root with "bonjour" as password if you did like me
  • Change the root password
    I use KeePass and you should do the same. You can download it here.
    - Add a new entry for the root user of the OHC2.
    - You should use a strong custom password like this: 3y;G@W$HTe$F9rxVdR[5`Mtm9E,}+7h7+FF<

    Code:

    passwd root
    - Paste your password with a right click
    - Do the same for the user "user" we created during the install

    Code:

    passwd user
  • Edit the sources.list file

    Code:

    nano /etc/apt/sources.list
    - ctrl + k to remove the lines
    - Paste the following with a right click

    Code:

    deb http://deb.debian.org/debian buster main contrib non-free
    deb-src http://deb.debian.org/debian buster main contrib non-free
    
    deb http://deb.debian.org/debian-security/ buster/updates main contrib non-free
    deb-src http://deb.debian.org/debian-security/ buster/updates main contrib non-free
    
    deb http://deb.debian.org/debian buster-updates main contrib non-free
    deb-src http://deb.debian.org/debian buster-updates main contrib non-free
    
    - ctrl + x and enter to save
Step 3b : Configure the network
  • Get a static IP address
    - Identify your interface name

    Code:

    ip addr
    You should get the following

    Code:

    # ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
        link/sit 0.0.0.0 brd 0.0.0.0
    3: enx001e0632c19d: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:1e:06:32:c1:9d brd ff:ff:ff:ff:ff:ff
        inet6 fe80::21e:6ff:fe32:c19d/64 scope link
           valid_lft forever preferred_lft forever
    - As I can see, my RJ45 interface name is enx001e0632c19d
    - Edit the interfaces file

    Code:

    nano /etc/network/interfaces
    - Remove the existing lines (ctrl + k with nano)
    - Paste the following with a right click or ctrl + shift + v
    - Please adapt this to your network! Maybe you don't have the same netmask or network address! Change also the interface name

    Code:

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).
    
    source /etc/network/interfaces.d/*
    
    # The loopback network interface
    auto lo
    iface lo inet loopback
    
    # The primary network interface
    allow-hotplug enx001e0632c19d
    iface enx001e0632c19d inet static
    address 192.168.1.110
    netmask 255.255.255.0
    gateway 192.168.1.1
    
    - Bring up the interface

    Code:

    ifup enx001e0632c19d
    - You should be able to ping 8.8.8.8, and the IP you have configured should be visible when you type ip addr

    Code:

    # ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
        link/sit 0.0.0.0 brd 0.0.0.0
    3: enx001e0632c19d: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:1e:06:32:c1:9d brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.110/24 brd 192.168.1.255 scope global enx001e0632c19d
           valid_lft forever preferred_lft forever
        inet6 fe80::21e:6ff:fe32:c19d/64 scope link
           valid_lft forever preferred_lft forever

    Code:

    # ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=28.3 ms
    - If not, you misconfigured the file. Check it
  • Configure the DNS
    - Edit the file

    Code:

    nano /etc/resolv.conf
    - Paste the following

    Code:

    nameserver 8.8.8.8
    - Protect the file from any modification

    Code:

    chattr +i /etc/resolv.conf
    - (use chattr -i /etc/resolv.conf if you want to undo this)
    - You should be able to ping google

    Code:

    # ping google.com
    PING google.com (216.58.204.142) 56(84) bytes of data.
    64 bytes from par21s05-in-f14.1e100.net (216.58.204.142): icmp_seq=1 ttl=51 time=29.8 ms
Step 4 : Install the packages we will need
  • Update (we made changes to the sources.list file)

    Code:

    apt update
  • Install the packages

    Code:

    apt install screen unzip rtorrent php7.3 php7.3-fpm nginx apache2-utils unrar mediainfo ffmpeg curl dnsutils proftpd tor net-tools tcpdump -y
Step 5 : Create the users
  • Create the rtorrent user

    Code:

    adduser --disabled-password rtorrent
  • Create the ftp user
    All the completed torrents will be stored in the directory /ftpshare/
    The user ftpuser will be used to access the FTP

    Code:

    adduser --shell /bin/false --home /ftpshare ftpuser
    Add the password to KeePass
  • Create the group ftpgroup
    Only the members of this group will be allowed to access the FTP

    Code:

    addgroup ftpgroup
  • Add the user to the group

    Code:

    adduser ftpuser ftpgroup
    You can create as many other users as you want.
  • Change the rights

    Code:

    chown rtorrent:ftpgroup /ftpshare -R
    rtorrent has all the rights

    Code:

    chmod ug+rwx /ftpshare -R
    The group can read and execute (needed for the FTP)

    Code:

    chmod g-w /ftpshare -R
    The others can do nothing

    Code:

    chmod o-rwx /ftpshare -R
Step 6 : Configure rtorrent
  • Edit the configuration file

    Code:

    nano /home/rtorrent/.rtorrent.rc
    Paste the following

    Code:

    # Max download/upload rate, in KiB/s. "0" means no limit.
    download_rate = 0
    upload_rate = 10000
    
    # Max number of simultaneous downloads
    max_downloads_global = 10
    
    # Max number of peers per torrent
    max_peers = 100
    
    # Max number of upload slots per torrent
    max_uploads = 20
    
    # Directory holding the downloaded files.
    directory = /srv/seedbox/downloads
    
    # Directory where rTorrent stores the session state of the torrents.
    session = /srv/seedbox/.session
    
    # Ports rTorrent may listen on. Twice the same value = a single port
    port_range = 49999-49999
    port_random = no
    
    # Verify the data once a download completes
    check_hash = yes
    
    # DHT, for torrents without trackers.
    # Disable it if you use private trackers. Keep it and the UDP trackers off here anyway:
    # only TCP is redirected to Tor, UDP from rtorrent is dropped by the firewall rules (step 10).
    dht = disable
    #dht_port = 6881
    #peer_exchange = yes
    
    # Prefer encrypted peer connections
    encryption = allow_incoming,try_outgoing,enable_retry
    
    # Allow UDP trackers
    #use_udp_trackers = yes
    
    # SCGI port, needed to talk to ruTorrent
    scgi_port = 127.0.0.1:5000
    
    
    method.insert = d.get_finished_dir, simple, "cat=/ftpshare/,$d.custom1="
    method.insert = d.data_path, simple, "if=(d.is_multi_file), (cat,(d.directory),/), (cat,(d.directory),/,(d.name))"
    method.insert = d.move_to_complete, simple, "d.directory.set=$argument.1=; execute=mkdir,-p,$argument.1=; execute=mv,-u,$argument.0=,$argument.1=; d.save_full_session="
    method.set_key = event.download.finished,move_complete,"d.move_to_complete=$d.data_path=,$d.get_finished_dir="
    
    The 4 last lines are here to move the downloads when they are complete.
  • Create the directories we need

    Code:

    mkdir -p /srv/seedbox/{downloads,.session}
    Change the rights

    Code:

    chown rtorrent:rtorrent -R /srv/seedbox/
  • Create a systemd service, so rtorrent can run in the background

    Code:

    nano /etc/systemd/system/rtorrent.service
    Paste the following

    Code:

    [Unit]
    Description=rtorrent
    After=network.target local-fs.target
    
    [Service]
    User=rtorrent
    ExecStart=/usr/bin/screen -d -m -fa -S rtorrent /usr/bin/rtorrent
    ExecStop=/usr/bin/killall -w -s 2 /usr/bin/rtorrent
    RemainAfterExit=true
    
    [Install]
    WantedBy=multi-user.target
  • Reload, enable, and start the service

    Code:

    systemctl daemon-reload
    systemctl enable rtorrent.service
    systemctl start rtorrent.service
  • Check if rtorrent is running

    Code:

    netstat -lnptu
    You should see the line

    Code:

    tcp6       0      0 127.0.0.1:5000          :::*                    LISTEN      10507/rtorrent
  • [HELP] If you don't see port 5000 as open, log in as rtorrent and enter the command "rtorrent", then you will know if you misconfigured the config file.
Step 7 : Configure ruTorrent
  • Install rutorrent from GitHub and give it the correct rights

    Code:

    cd /srv/
    wget https://github.com/Novik/ruTorrent/archive/v3.8.zip
    unzip v3.8.zip
    rm v3.8.zip
    mv ruTorrent-3.8/ seedbox/rutorrent
    chown www-data:www-data -R /srv/seedbox/rutorrent
    chmod 775 -R /srv/seedbox
  • Create an htpasswd authentication to access the rutorrent interface

    Code:

    htpasswd -c /etc/nginx/auth user
    Add the password to KeePass
  • Configure the rutorrent php config file

    Code:

    nano /srv/seedbox/rutorrent/conf/config.php
    Then find the line "$pathToExternals" in the file (ctrl + w with nano, or "/" with vim)
    And complete the lines like the following

    Code:

    $pathToExternals = array(
                    "php"   => '',                  // Something like /usr/bin/php. If empty, will be found in PATH.
                    "curl"  => '/usr/bin/curl',     // Something like /usr/bin/curl. If empty, will be found in PATH.
                    "gzip"  => '/bin/gzip',         // Something like /usr/bin/gzip. If empty, will be found in PATH.
                    "id"    => '/usr/bin/id',       // Something like /usr/bin/id. If empty, will be found in PATH.
                    "stat"  => '/usr/bin/stat',     // Something like /usr/bin/stat. If empty, will be found in PATH.
            );
Step 8 : Configure nginx
  • Remove the existing default files

    Code:

    rm /etc/nginx/sites-available/default
    rm /etc/nginx/sites-enabled/default
  • Create a new nginx conf file

    Code:

    nano /etc/nginx/conf.d/seedbox.conf
    Paste the following

    Code:

    server {
        listen 80;
        listen [::]:80;
        #server_name seedbox.ohc2.local;
        server_name 192.168.1.110;
        return 301 https://$server_name$request_uri;
        access_log /var/log/nginx/rutorrent-access.log;
        error_log /var/log/nginx/rutorrent-error.log;
    }
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        #server_name seedbox.ohc2.local;
        server_name 192.168.1.110;
        root /srv/seedbox/rutorrent/;
        index index.html;
    
        access_log /var/log/nginx/rutorrent-access.log;
        error_log /var/log/nginx/rutorrent-error.log;
    
        # Basic auth at server level: it also covers /RPC2 below, which otherwise
        # gives unauthenticated control of rtorrent to anyone who can reach this port
        auth_basic "Authentication required";
        auth_basic_user_file /etc/nginx/auth;
    
        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
        #ssl_trusted_certificate /etc/letsencrypt/live/seedbox.hadopi.frchain.pem;
    
        ssl_protocols TLSv1.2;
        ssl_ecdh_curve X25519:P-521:P-384:P-256;
        ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;
        ssl_prefer_server_ciphers on;
        #ssl_stapling on;
        ssl_stapling_verify on;
        resolver 80.67.169.12 80.67.169.40 valid=300s;
        resolver_timeout 5s;
        ssl_session_cache shared:SSL:10m;
    
        location ~* \.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf|x-html|html|css|xml|js|woff|woff2|ttf|svg|eot)$ {
            expires 30d;
            access_log off;
            log_not_found off;
        }
    
        location / {
            try_files $uri $uri/ =404;
        }
    
        # SCGI bridge to rtorrent (protected by the auth_basic above)
        location /RPC2 {
            include /etc/nginx/scgi_params;
            scgi_pass 127.0.0.1:5000;
        }
    
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass unix:/run/php/php7.3-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_intercept_errors on;
            fastcgi_ignore_client_abort off;
            fastcgi_connect_timeout 60;
            fastcgi_send_timeout 180;
            fastcgi_read_timeout 180;
            fastcgi_buffers 4 256k;
            fastcgi_buffer_size 128k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
        }
    }
    
  • Create the cert and key for HTTPS

    Code:

    openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
    As Common Name, you can enter "ohc2.local"
  • Test the nginx configuration

    Code:

    nginx -t
    Everything should be OK
  • Restart the service

    Code:

    systemctl restart nginx
  • Try to access the rutorrent interface
    - In your computer's browser, enter the IP address of your odroid (for me, it's "192.168.1.110")
    - The HTTPS redirection should work
    - You should have no errors in the rutorrent interface and just see this

    Code:

    [01.10.2019 22:49:53] WebUI started.
    - I use Opera GX and everything is working fine, but in Firefox I also get this message even if I do ctrl + F5, so try different browsers

    Code:

    [01.10.2019 22:52:54] Bad response from server: (0 [error,getplugins]) 
Step 8b : Test downloading one torrent
  • Connect to the rutorrent interface
  • Download a small legal torrent
  • Add it in rutorrent
  • Check if it's downloading
  • Check if the torrent files are moved to /ftpshare when the download is completed
Step 9 : Set up the FTP
  • Edit the configuration file

    Code:

    nano /etc/proftpd/conf.d/ftp_serv.conf
    Paste the following

    Code:

    # FTP sends the password in clear text: keep it reachable from the LAN only
    # (the INPUT rules of step 10 do that) or add mod_tls
    UseIPv6 off
    <Global>
        RootLogin   off
        # ftpuser has /bin/false as shell (step 5), so don't require a valid shell
        RequireValidShell off
    </Global>
    
    # Chroot every user into its home (/ftpshare for ftpuser)
    DefaultRoot  ~
    
    # Only members of ftpgroup may log in
    <Limit LOGIN>
        DenyGroup !ftpgroup
    </Limit>
    
  • Restart the service

    Code:

    systemctl restart proftpd
    Now you should be able to access the FTP and see the completed torrents
Step 9b : Configure Tor
  • Configure Tor

    Code:

    nano /etc/tor/torrc
    Paste the following

    Code:

    # Virtual address range handed out by AutomapHostsOnResolve (see the man page)
    VirtualAddrNetworkIPv4 10.192.0.0/10
    # Resolve hostnames (.onion included) through Tor
    AutomapHostsOnResolve 1
    # Transparent proxy port, bound to loopback: the iptables REDIRECT of step 10
    # sends locally generated packets to 127.0.0.1, and binding it to the LAN
    # address would let any host on the LAN use this Tor instance
    TransPort 127.0.0.1:9040
    # DNS port, same reasoning
    DNSPort 127.0.0.1:5353
    
Step 10 : Redirect the rtorrent traffic through Tor
With iptables (not working with this kernel)
  • Create the script with the iptables commands

    Code:

    nano /usr/local/bin/iptables_redirect.sh
    The following lines should be enough

    Code:

    #!/bin/sh
    # Vars
    _trans_port="9040"
    _dns_port="5353"
    _rtorrent_uid=`id -u rtorrent`
    #_tor_uid=`id -u debian-tor`
    #_resv_iana="0.0.0.0/8 100.64.0.0/10 169.254.0.0/16 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32"
    #_non_tor="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
    _out_if="enx001e0632c19d"   # adapt to your interface name (see ip addr)
    _gateway="192.168.1.1"
    _local_network="192.168.1.0/24"
    
    # Remove all the iptables rules
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    
    # Set up the policies
    iptables -P INPUT ACCEPT
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT DROP
    
    # Redirect traffic through Tor. REDIRECT sends locally generated packets to
    # 127.0.0.1:$_trans_port, which is why Tor's TransPort must listen on 127.0.0.1
    iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner $_rtorrent_uid -m tcp -j REDIRECT --to-ports $_trans_port
    # Redirect DNS requests through Tor
    iptables -t nat -A OUTPUT -p udp -m owner --uid-owner $_rtorrent_uid -m udp --dport 53 -j REDIRECT --to-ports $_dns_port
    # Allow what was just redirected (it now leaves on lo) and the SCGI replies to nginx.
    # Without this rule the DROP below also kills the traffic going to Tor
    iptables -A OUTPUT -o lo -m owner --uid-owner $_rtorrent_uid -j ACCEPT
    # Drop the rest (anything from rtorrent that was not redirected: UDP trackers, DHT, ...)
    iptables -A OUTPUT -p tcp -m owner --uid-owner $_rtorrent_uid -j LOG --log-prefix "[rtorrent tcp drop] " --log-level 7 --log-uid
    iptables -A OUTPUT -m owner --uid-owner $_rtorrent_uid -j DROP
    
    
    But here are all my private iptables rules

    Code:

    #!/bin/sh
    # Vars
    _trans_port="9040"
    _dns_port="5353"
    _rtorrent_uid=`id -u rtorrent`
    #_tor_uid=`id -u debian-tor`
    #_resv_iana="0.0.0.0/8 100.64.0.0/10 169.254.0.0/16 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32"
    #_non_tor="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
    _out_if="enx001e0632c19d"   # adapt to your interface name (see ip addr)
    _gateway="192.168.1.1"
    _local_network="192.168.1.0/24"
    
    # FTP connection tracking helper, so that passive-mode data connections are seen as RELATED
    modprobe nf_conntrack_ftp
    
    # Remove all the iptables rules
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t raw -F
    iptables -t raw -X
    
    # Set up the policies
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT DROP
    
    # Redirect traffic through Tor (see the comments in the short version above)
    iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner $_rtorrent_uid -m tcp -j REDIRECT --to-ports $_trans_port
    # Redirect DNS requests through Tor
    iptables -t nat -A OUTPUT -p udp -m owner --uid-owner $_rtorrent_uid -m udp --dport 53 -j REDIRECT --to-ports $_dns_port
    # Allow lo (this must come before the rtorrent DROP: the redirected packets leave on lo)
    iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Drop the rest
    iptables -A OUTPUT -p tcp -m owner --uid-owner $_rtorrent_uid -j LOG --log-prefix "[rtorrent tcp drop] " --log-level 7 --log-uid
    iptables -A OUTPUT -m owner --uid-owner $_rtorrent_uid -j DROP
    
    # Allow traffic from the gateway
    iptables -A INPUT -s $_gateway -j ACCEPT
    
    # Allow DHCP requests
    iptables -A INPUT -i $_out_if -p udp --dport 67:68 --sport 67:68 -j ACCEPT
    iptables -A OUTPUT -o $_out_if -p udp --dport 67:68 --sport 67:68 -j ACCEPT
    
    # Allow SSH and ruTorrent
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    
    # Allow FTP
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    # Attach the FTP helper to the control connections so that passive-mode data
    # connections are accepted as RELATED by the rule above (kernels since 4.7 no
    # longer assign helpers automatically). This replaces the commented rule below,
    # which accepted every new TCP connection from the LAN and so opened every port to it
    iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    #iptables -A INPUT -p tcp --tcp-flags ALL SYN -s $_local_network -j ACCEPT
    
    # Allow established connections
    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    
    # Drop anything else
    iptables -A INPUT -j LOG --log-prefix "[drop input pckts ] " --log-level 7 --log-uid
    iptables -A INPUT -j DROP
    
  • Make it executable

    Code:

    chmod u+x /usr/local/bin/iptables_redirect.sh
  • Create the systemd service

    Code:

    nano /etc/systemd/system/iptables_redirect.service
    Paste the following

    Code:

    [Unit]
    Description=Iptables redirection to Tor
    After=network.target local-fs.target
    
    [Service]
    Type=oneshot
    RemainAfterExit=true
    ExecStart=/usr/local/bin/iptables_redirect.sh
    
    [Install]
    WantedBy=multi-user.target
    
  • Reload, enable, and start the service

    Code:

    systemctl daemon-reload
    systemctl enable iptables_redirect.service
    systemctl start iptables_redirect.service
  • Check the iptables rules

    Code:

    iptables -t nat -L -n -v
With NFTables

[I'M WORKING ON IT]
iptables and nftables are not yet supported by this kernel. See this thread : viewtopic.php?f=99&t=36506&p=269652#p269652

Bugs / problems
  • The torrents are not starting / downloading
    - Check if you can ping 8.8.8.8
    - Check if you can ping google.com
    - If not, try to ifdown and ifup the interface
    - Check if rtorrent is running with netstat
Legal torrent websites

Thanks to @tobetter for the Debian image
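For the "With NFTables" part the post leaves open, here is the nftables equivalent of the per-user iptables rules above, added as an example (it is not the original author's script, and like the iptables version it needs the netfilter kernel support the thread says this image lacks). It assumes Tor listens on 127.0.0.1:9040 (TransPort) and 127.0.0.1:5353 (DNSPort) as in the torrc above, that the user is "rtorrent", and that the script lives at /usr/local/bin/nft_redirect.sh; the uid 1001 fallback in "show" is only there so the ruleset can be printed on a machine without that user.

```shell
#!/bin/sh
# nft_redirect.sh: nftables equivalent of the per-user Tor redirect in
# iptables_redirect.sh. Added example, not the original post's script.
# Assumptions: Tor listens on 127.0.0.1:9040 (TransPort) and 127.0.0.1:5353
# (DNSPort), the user running rtorrent is "rtorrent", and the kernel has
# nf_tables support (the thread says the image used here does not yet).
set -eu

TRANS_PORT=9040
DNS_PORT=5353

# Emit the ruleset for a numeric uid. Kept separate from applying it so the
# text can be reviewed with "show" (or checked in a test) without root.
build_ruleset() {
    uid=$1
    cat <<EOF
# Create-then-delete makes the script idempotent on nft versions without "destroy".
table ip torrent_tor
delete table ip torrent_tor
table ip torrent_tor {
    chain nat_out {
        type nat hook output priority -100; policy accept;
        # All TCP from the rtorrent uid goes to Tor's TransPort on loopback
        # (loopback itself is excluded so the SCGI socket keeps working).
        meta skuid $uid oif != "lo" meta l4proto tcp redirect to :$TRANS_PORT
        # Its DNS queries go to Tor's DNSPort.
        meta skuid $uid oif != "lo" udp dport 53 redirect to :$DNS_PORT
    }
    chain filter_out {
        type filter hook output priority 0; policy accept;
        # Redirected packets, and the SCGI replies to nginx, now leave via lo.
        meta skuid $uid oif "lo" accept
        # Anything else from that uid (UDP trackers, DHT, ...) would bypass Tor.
        meta skuid $uid log prefix "[rtorrent drop] " drop
    }
}
# No IPv6 at all for that uid: the TransPort above is IPv4 only.
table ip6 torrent_tor6
delete table ip6 torrent_tor6
table ip6 torrent_tor6 {
    chain filter_out {
        type filter hook output priority 0; policy accept;
        meta skuid $uid log prefix "[rtorrent drop v6] " drop
    }
}
EOF
}

# Does a ruleset text still contain both redirects and the final drop?
# Cheap guard against editing the TransPort rule away by accident.
ruleset_has_leak_guard() {
    printf '%s\n' "$1" | grep -q "meta l4proto tcp redirect to :$TRANS_PORT" &&
    printf '%s\n' "$1" | grep -q "udp dport 53 redirect to :$DNS_PORT" &&
    printf '%s\n' "$1" | grep -q 'log prefix "\[rtorrent drop\] " drop'
}

apply_ruleset() {
    uid=$(id -u rtorrent)
    rules=$(build_ruleset "$uid")
    ruleset_has_leak_guard "$rules"
    printf '%s\n' "$rules" | nft -f -
}

case "${1:-}" in
    show)  build_ruleset "$(id -u rtorrent 2>/dev/null || echo 1001)" ;;   # 1001: placeholder uid
    apply) apply_ruleset ;;
    *)     echo "usage: $0 show|apply" >&2 ;;
esac
```

To use it in place of the iptables service, point the ExecStart of iptables_redirect.service at `/usr/local/bin/nft_redirect.sh apply`, and check the result with `nft list table ip torrent_tor`. The filter chain keeps the same ordering rule as the iptables script: the loopback accept must come before the drop, otherwise the packets just redirected to Tor are the first thing dropped.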

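A check that the redirect does what the post's objective says (torrent traffic through Tor, nothing else), added here as an example and not part of the original post. It assumes the per-user rules of step 10 are active, that sudo, curl and tcpdump are installed (step 4), that the LAN interface is the post's enx001e0632c19d (override with IFACE=...), that the "nobody" user may run curl (override with OTHER_USER=...), and that https://check.torproject.org/api/ip still answers JSON of the form {"IsTor":true,"IP":"1.2.3.4"}. The sample tcpdump lines in the comments are constructed.

```shell
#!/bin/sh
# tor_leak_check.sh: verify that the rtorrent user's traffic, and only that
# user's traffic, leaves through Tor. Added example, not the tutorial's code.
# Assumptions: the per-user redirect of step 10 is active; sudo, curl and
# tcpdump are installed (step 4); the LAN interface is the post's
# enx001e0632c19d (override with IFACE=...); "nobody" may run curl (override
# with OTHER_USER=...); https://check.torproject.org/api/ip answers JSON of the
# form {"IsTor":true,"IP":"1.2.3.4"}.
set -u

IFACE=${IFACE:-enx001e0632c19d}
OTHER_USER=${OTHER_USER:-nobody}   # a user whose traffic must NOT go through Tor

# ---- pure helpers (no network): this is the part a test can exercise ----

# "true", "false" or "unknown" from a check.torproject.org answer.
is_tor() {
    if   printf '%s' "$1" | grep -q '"IsTor" *: *true';  then echo true
    elif printf '%s' "$1" | grep -q '"IsTor" *: *false'; then echo false
    else echo unknown; fi
}

# The "IP" field of that answer, or nothing if it is missing.
ip_of() {
    printf '%s\n' "$1" | sed -n 's/.*"IP" *: *"\([^"]*\)".*/\1/p'
}

# Verdict from the rtorrent answer and the other user's answer. Exit status is
# 0 only for OK, so the function can gate a cron job or a test.
verdict() {
    rt=$(is_tor "$1"); other=$(is_tor "$2")
    if [ "$rt" = unknown ] || [ "$other" = unknown ]; then echo UNKNOWN; return 1; fi
    if [ "$rt" = false ];   then echo LEAK;      return 1; fi  # torrent traffic went out directly
    if [ "$other" = true ]; then echo OVERREACH; return 1; fi  # the redirect caught the wrong user
    echo OK
}

# Number of outbound DNS packets in the text output of
# "tcpdump -n -l udp dst port 53". Constructed sample line:
#   12:00:00.100000 IP 192.168.1.110.41234 > 8.8.8.8.53: 1+ A? example.com. (29)
# Queries redirected to Tor go to 127.0.0.1 over lo, so on the LAN interface
# the expected count while only rtorrent is resolving is zero.
dns_leak_count() {
    printf '%s\n' "$1" | grep -c ' > [0-9.]*\.53: ' || true
}

# ---- live checks (network access, root for tcpdump) ----

fetch_as() {
    sudo -n -u "$1" curl -sS --max-time 60 https://check.torproject.org/api/ip
}

main() {
    cap=$(mktemp) || return 1
    tcpdump -n -l -i "$IFACE" 'udp dst port 53' > "$cap" 2>/dev/null &
    tcpdump_pid=$!
    sleep 2
    rt_json=$(fetch_as rtorrent) || rt_json=""
    sleep 2
    kill "$tcpdump_pid" 2>/dev/null; wait "$tcpdump_pid" 2>/dev/null
    other_json=$(fetch_as "$OTHER_USER") || other_json=""

    leaks=$(dns_leak_count "$(cat "$cap")"); rm -f "$cap"
    echo "rtorrent exit IP: $(ip_of "$rt_json")   $OTHER_USER exit IP: $(ip_of "$other_json")"
    echo "DNS packets seen on $IFACE during the rtorrent check: $leaks (expected 0)"
    verdict "$rt_json" "$other_json"; status=$?
    [ "$leaks" -eq 0 ] || status=1
    return $status
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as root with `tor_leak_check.sh run` once Tor and the firewall service are up. LEAK means the OUTPUT rules are not catching the rtorrent uid (on this image, according to the thread, because the kernel lacks the netfilter modules), OVERREACH means the redirect applies to more than that uid, and a non-zero DNS count means queries reached the LAN instead of Tor's DNSPort, which the HTTP check alone cannot see.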
Post by mad_ady » Thu Oct 03, 2019 12:19 am

Great write-up. Though using an immutable /etc/resolv.conf is not a best practice, because you will forget it's immutable and waste a lot of time troubleshooting DNS issues.

Otherwise, using iptables to direct traffic to a different destination based on user is a nice touch. Other alternatives would be using Docker or network namespaces or separate routing tables to control your traffic.

Post by artoxxx » Thu Oct 03, 2019 1:02 am

mad_ady wrote: Thu Oct 03, 2019 12:19 am
Great write-up. Though using an immutable /etc/resolv.conf is not a best practice, because you will forget it's immutable and waste a lot of time troubleshooting DNS issues.

Thanks for your comment!

You are right! I did that because the content of resolv.conf was removed sometimes for no reason.

mad_ady wrote: Thu Oct 03, 2019 12:19 am
Otherwise using iptables to direct traffic to a different destination based on user is a nice touch. Other alternatives would be using docker or network namespaces or separate routing tables to control your traffic

I don't know docker and network namespaces :(

Another secure way to redirect the torrent traffic to Tor would be:
- allow users of a specific group to reach the normal internet
- redirect everything else to Tor
Then you are sure everything is going to Tor.
Or maybe run rtorrent in a Linux container... I should try that.

Don't hesitate to ask if you have questions, or give your opinion on something else in the tutorial.

Post by mad_ady » Thu Oct 03, 2019 1:05 am

If you're familiar with linux containers, then docker is an easy step to learn...

Post Reply

Return to “Projects”

Who is online

Users browsing this forum: No registered users and 4 guests