Help identifying Transmission traffic on local network...

Ask for help and report issues with the Mac OS X version of Transmission
NoMoreNicksLeft
Posts: 12
Joined: Mon Dec 30, 2013 8:23 am

Post by NoMoreNicksLeft »

I'm trying to route Transmission network through a second interface on my router with iptables, and I've been digging around with tcpdump trying to understand just what sorts of packets it will send.

I've noticed something curious (at least to me, I'm not an expert on bt protocol): the peer listening port in preferences is used as the source port for all outgoing requests. If Transmission sends a request off to a tracker on tcp 80, it uses that as the source port. If it's sending some chunk of data to a peer on 6881, again, the peer listening port is used as the source port.

This seems to make it an ideal candidate to identify all Transmission-related traffic (otherwise, I'd have trouble telling a tracker request from some other http get request).

I managed to fumble my way through to an iptables/routing configuration that seems to send 98% of the traffic through the interface I want. However, the remaining two percent is puzzling.

If I tcpdump the regular wan interface, I can still see the occasional incoming packet addressed to the peer listening port. Because of the routing setup I have, those packets never get replies (at least on the wan interface, though maybe Transmission is replying and those get sent through the other).

So how do these peers even know what my wan's IP address is? I see tracker requests go through the second interface, and I have NAT working correctly. I thought at first these may just be old connections... but I've waited 12 hours at this point, and some are still coming in. Is there something I don't understand about bt itself? Some side channel on another port? The iptables rules seem rather straightforward... I NAT anything that is udp or tcp with that source port.
NoMoreNicksLeft
Posts: 12
Joined: Mon Dec 30, 2013 8:23 am

Re: Help identifying Transmission traffic on local network..

Post by NoMoreNicksLeft »

I really think I am leaking my IP to trackers somehow. Haven't figured it out yet. When I switch from 51413 to something else, the leaks switch to the new port within a minute or two... those aren't old connections.

But I can't quite figure out how.

What I really need is a set of ports with which to identify bt packets. Whether it's the source port, destination, even a range... just haven't figured it out quite yet.
NoMoreNicksLeft
Posts: 12
Joined: Mon Dec 30, 2013 8:23 am

Re: Help identifying Transmission traffic on local network..

Post by NoMoreNicksLeft »

Ok. I've got a reasonably fast torrent downloading...

And if I look for ports 6881-6890 on my public interface... nada. Not a single packet. However, plenty of them on the VPN interface (and they'll always have 51413 as the other port).

If I look for port 51413 on the public interface, there are still a few packets showing up. Not a lot. Less than 10 per minute (often only one or two). And port for the remote end is always some high port. These packets are always incoming (the routing rules would send any replies from my end out the VPN interface).

I've gotta be leaking my IP address. Am I leaking it to trackers? Am I leaking it directly to peers?
NoMoreNicksLeft
Posts: 12
Joined: Mon Dec 30, 2013 8:23 am

Re: Help identifying Transmission traffic on local network..

Post by NoMoreNicksLeft »

If I run "tcpdump -i tun1 (host tracker1 or host tracker2 or host tracker)" and "tcpdump -i vlan2 (host tracker1 or host tracker2 or host tracker)" and then do an update trackers...

vlan2 shows absolutely no traffic.

tun1 (the VPN) shows traffic. It shows traffic for the ones doing http on 80, it shows traffic for those doing udp, for those on the weird ports. It looks like this is happening because the source port is 51413 which I'm marking.
Likely trackers, as that is where peers get it. Unless you somehow bind Transmission to an interface or at least a BindAddressIPv4 à la #2313, how can you guarantee what interface gets used?
Transmission runs on an iMac using a local 192.168.1.x address (wireless). It's the only interface it has. The router is a Buffalo 450N running some version of DD-WRT which has openvpn support. So it's not a weird binding, I can rule that out.

Right now, I'm doing this with a torrent going full blast (I changed the listening port):

tcpdump -i vlan2 "port 54888 or portrange 6881-6890"
I'm not getting a single packet on the wan now. I'm wondering if I did have the right configuration after all, and the odd packet to 51413 was just someone who had my real IP from hours/days ago. How long will they cache peers in that way? Anyway, I'll leave it up running all night, and see if there are any still coming in.

Transmission is still complaining that the listening port's closed, but that's just a matter of doing a port forwarding... I'll worry about that later.
NoMoreNicksLeft
Posts: 12
Joined: Mon Dec 30, 2013 8:23 am

Re: Help identifying Transmission traffic on local network..

Post by NoMoreNicksLeft »

Aha! I finally got it.

Started a new torrent with tcpdump running... got this:

01:25:49.083490 IP my-big-long-hostname.net.60431 > swedish-chef.bork.bork.bork.bredbandsbolaget.se.6881:

Definitely bt traffic, but it's not using my new listening port as the source.

Here's what I think happens. I connect to the tracker, get a list of peers (I admit I'm not very clear on the protocol's finer details) and then I connect to them. My routing doesn't force this through the VPN, but the protocol doesn't care either... the peer is already listening for anyone to connect. And once I've connected, they know my public IP. They'll continue to use it indefinitely.

So, in addition to my two iptables rules that mark packets that use the listening port, I should be able to fix this by marking all packets that use 6881-6889 (or is it 6890?). That would have forced that initial connection to use the tunnel as well. I'm getting closer to having this work.
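
Added example (not part of the original posts): a small Python classifier for tcpdump text captured on the WAN interface, separating the three packet kinds discussed in this thread so that the ones a source-port-only mark rule misses stand out. It assumes tcpdump prints numeric ports; the function names and the 198.51.100.x / 203.0.113.x sample lines are constructed for illustration, and the first sample line is the one quoted in the post above.

```python
import re
from collections import Counter

# tcpdump text output with numeric ports: "<time> IP <src>.<port> > <dst>.<port>:"
PKT = re.compile(r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):")

def classify(line, wan_host, listen_port, peer_range=(6881, 6889)):
    """Label one WAN-side packet, or return None if it is unrelated."""
    m = PKT.match(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if m["src"] == wan_host:  # leaving through the WAN instead of the tunnel
        if sport == listen_port:
            return "out-from-listen-port"  # the source-port mark rule did not apply
        if peer_range[0] <= dport <= peer_range[1]:
            return "out-ephemeral-to-peer-range"  # the case found in the post
        return None
    if m["dst"] == wan_host and dport == listen_port:
        return "in-to-listen-port"  # a remote peer already knows the WAN address
    return None

def wan_leak_report(lines, wan_host, listen_port):
    """Count leak-relevant packets per label across a capture."""
    labels = (classify(l, wan_host, listen_port) for l in lines)
    return Counter(label for label in labels if label)

# Line 1 is quoted from the thread; lines 2-4 are constructed samples.
SAMPLE = """\
01:25:49.083490 IP my-big-long-hostname.net.60431 > swedish-chef.bork.bork.bork.bredbandsbolaget.se.6881:
01:25:50.100000 IP 198.51.100.23.49152 > my-big-long-hostname.net.54888: Flags [S], length 0
01:25:51.200000 IP my-big-long-hostname.net.54888 > 203.0.113.9.80: Flags [S], length 0
01:25:52.300000 IP my-big-long-hostname.net.51000 > 203.0.113.9.443: Flags [S], length 0
""".splitlines()

if __name__ == "__main__":
    for label, n in wan_leak_report(SAMPLE, "my-big-long-hostname.net", 54888).items():
        print(f"{label}: {n}")
```

Any non-zero count on the WAN capture means traffic is bypassing the tunnel; an empty report over a long capture is the result the routing setup is aiming for.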
NoMoreNicksLeft
Posts: 12
Joined: Mon Dec 30, 2013 8:23 am

Re: Help identifying Transmission traffic on local network..

Post by NoMoreNicksLeft »

I'm not fixated on it. No one rule is going to catch all of the packets that I want to forward.

The listening port catches some. The range catches a few more. I'm moving a very large fraction of the traffic through the correct interface. I have a leak. Trying to figure out where the leak is coming from.

I don't understand the protocol very well though. The leak has to come early, because if I connect through the VPN, then that's the IP address the trackers will see, the ones they'll use (and tell peers, if I understand everything correctly).

Telling me that other ports are used just isn't helpful... that was always a given. If you know *when* they are used, that might be helpful.

There are no iptables modules for matching bt. Even if there were, it's not in dd-wrt, and I'd have no luck in building the cross-compiler for the environment.

Even if other peers are using some arbitrary port, that's the destination port, and it looks an awful lot like Transmission tends to use its own listening port as the source port in such connections. So I've got that going for me at least.