Ticket #1185 (closed defect: invalid)

Opened 4 years ago

Last modified 6 months ago

Rtorrent doesn't use port-range

Reported by: Andrey Owned by: rakshasa
Priority: normal Component: libtorrent
Version: Severity: normal
Keywords: Cc:

Description

Rtorrent can connect to trackers, but doesn't see peers. When I stop iptables, rtorrent works normally. How can I make rtorrent use port_range?

.rtorrent.rc

port_range = 2929-2929
port_random = no

Iptables rules

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[0:0] -A INPUT -p tcp -m tcp --dport 2929 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT

netstat -tnp

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.0.11:50985      90.190.163.216:113      ESTABLISHED 18218/rtorrent
tcp        0      0 192.168.0.11:40303      91.124.79.115:37892     ESTABLISHED 18218/rtorrent
tcp        0      0 192.168.0.11:56303      85.141.144.169:29954    ESTABLISHED 18218/rtorrent

Change History

  Changed 4 years ago by anonymous

The port_range only applies to the listen port, i.e. to incoming connections. For outgoing connections, the OS picks a random port.

Your IP suggests that you are behind a NAT router; make sure to forward the port properly at the router. Either way, this looks like a network configuration problem, not an rtorrent problem.

  Changed 4 years ago by anonymous

To check if port_range works or not, do netstat -lnp, you should see rtorrent listening on the right port (26881 in this case):

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:26881           0.0.0.0:*               LISTEN     15484/rtorrent      

If you wish to capture outgoing connections in iptables somehow, use the "tos" setting in rtorrent to mark the packets and filter/act accordingly.

  Changed 4 years ago by rakshasa

  • status changed from new to closed
  • resolution set to invalid

Not a bug.

  Changed 4 years ago by anonymous

I can change TOS, but incoming packets don't keep TOS. It isn't a solution.

  Changed 4 years ago by Andrey

I need a rule which allows incoming packets to pass through iptables.

  Changed 4 years ago by anonymous

For incoming connections, the local dest port will be 2929. For outgoing connections, the port is indeterminate but you can use TOS to match packets.

For both incoming and outgoing, allow follow-up packets with state RELATED,ESTABLISHED (both in the INPUT and OUTPUT tables). You only have that in the OUTPUT table now, which won't work because you're blocking incoming packets for outgoing connections.

  Changed 4 years ago by anonymous

Unless I'm severely mistaken, "-p tcp -m tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT" is equivalent to "-p tcp -j ACCEPT" - all packets which aren't NEW should be ESTABLISHED.

  Changed 20 months ago by ShluhimoskvyGU

  Changed 10 months ago by anonymous

Add a new user rtorrent, then:
iptables -A OUTPUT -p tcp -m owner --uid-owner rtorrent -j ACCEPT
and
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -j ACCEPT ! --syn

  Changed 8 months ago by nemozny@gmail.com

Well, I've tried "TOS = 0x6A" in .rtorrent.rc, wrote an input filter to allow "--sport 1024:65535 --dport 1024:65535 -m tos --tos 0x6A -state --state NEW" (of course including an input rule to allow the internet to reach this host's listening ports) and turned on Wireshark. There is no TOS in Wireshark, and even this config ain't working. Then I noticed that there is a 0x1a DSCP item somewhat related to 0x6a. Wikipedia says that DSCP supersedes TOS. Somewhere else I've read that DSCP is only the first portion of TOS, so 0x1a vs 0x6a could be it. Didn't do further research. So I left .torrent.rc as it was and changed the firewall rule to "-m dscp --dscp 0x1A", and now the bittorrent traffic is going through! Hope this helps.

  Changed 6 months ago by anonymous

Replying to anonymous:

I can change TOS, but incoming packets don't keep TOS. It isn't a solution.

Replying to Andrey:

I need a rule which allows incoming packets to pass through iptables.

Well guys, there is NO way to force your peer to mark packets for you. I'm doing the TOS thing ("TOS = 0x6A" in .rtorrent.rc) and it's completely sufficient, because you can let the outgoing packet go knowing it's rtorrent (-A INPUT -m tos --tos 0x6A -m state --state NEW -j ACCEPT) and let incoming packet through firewall because it's related to the connection (-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT).
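The script below is an added example that is not part of this ticket and not rtorrent's or libtorrent's own code. It pulls together the three points the thread settles on: port_range only governs the listen socket (so the `netstat -lnp` check suggested above is the way to confirm it), both INPUT and OUTPUT need an ESTABLISHED,RELATED rule before anything else works, and outgoing connections are best matched on the DSCP field rtorrent stamps on its own packets. DSCP is the upper six bits of the 8-bit TOS byte, so the 0x6A TOS configured in .rtorrent.rc shows up as DSCP 0x1a, exactly the pair nemozny saw in Wireshark; the `-m dscp` match compares only those six bits and ignores the two ECN bits. The script assumes port 2929 and TOS 0x6A from the thread, uses `-m conntrack --ctstate` (the current name of the `-m state --state` match used above), and only prints an iptables-restore ruleset rather than loading it; the netstat sample is constructed.

```shell
#!/bin/sh
# Added example, not from the ticket: firewall for rtorrent with a default-DROP
# policy. Assumes port_range = 2929-2929 and TOS = 0x6A in .rtorrent.rc.

# DSCP is the top six bits of the TOS byte; the low two bits are ECN.
# tos_to_dscp 0x6A -> 0x1a (decimal 26), the value -m dscp expects.
tos_to_dscp() {
    printf '0x%02x\n' $(( $1 >> 2 ))
}

# Print an iptables-restore ruleset. $1 = listen port, $2 = TOS from .rtorrent.rc.
# This replaces the reporter's ruleset, which accepted ESTABLISHED only on
# OUTPUT, so peers' replies to rtorrent's outgoing connections were dropped.
rtorrent_rules() {
    port=$1
    dscp=$(tos_to_dscp "$2")
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Follow-up packets of accepted connections, in BOTH directions.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Incoming peers: port_range is the only port rtorrent listens on.
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# Outgoing peers/trackers: the OS picks the source port, so match the DSCP
# rtorrent sets on its own packets instead of a port number.
-A OUTPUT -p tcp -m dscp --dscp $dscp -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Verify the listen port, as the second comment suggests: read "netstat -lnp"
# output on stdin and succeed only if rtorrent has a LISTEN socket on $1.
rtorrent_listening_on() {
    awk -v port="$1" '
        $6 == "LISTEN" && $7 ~ /rtorrent/ {
            n = split($4, a, ":")        # last field of 0.0.0.0:2929 or :::2929
            if (a[n] == port) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed sample of "netstat -lnp" output (not from the ticket).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2929            0.0.0.0:*               LISTEN      15484/rtorrent
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd'

# Usage: print the ruleset (pipe into "iptables-restore" to load it) and check
# that rtorrent really is bound to port_range.
rtorrent_rules 2929 0x6A
printf '%s\n' "$SAMPLE_NETSTAT" | rtorrent_listening_on 2929 \
    && echo "rtorrent is listening on 2929"
```

To check a live system, replace the constructed sample with `netstat -lnp | rtorrent_listening_on 2929` (or `ss -lntp`, which prints the same columns in a different order, so adjust the awk field numbers). Nothing else about the ruleset depends on the sample.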
