I use a Linux VM to run Deluge and handle my torrents. ShowRSS generates RSS feeds of content I want to download, and FlexGet feeds those downloads into Deluge. The VM runs Ubuntu server and I interact with it using the Deluge web interface. It’s pretty well automated and does what I want it to do.

But what about security and privacy?

In order to protect my privacy from my ISP and others, I use a VPN. As mentioned above, I’m running Deluge on a small headless VM. The VM is dedicated to the task of running Deluge, it doesn’t serve any other purpose.

By default, OpenVPN would already send all internet-bound traffic from the VM over the VPN. I have monitoring that restarts OpenVPN if it goes down and it alerts me to any problems, but that’s not good enough. If the VPN goes down, Deluge would normally just send traffic over the open internet without using the VPN until I fix the VPN.

iptables to the rescue

If OpenVPN goes down, I would prefer that Deluge can’t send any traffic at all. iptables lets me do this with an owner match: any packet generated by a given user (the deluge user) that is not leaving via the VPN interface gets dropped. If that interface is down, the traffic simply has nowhere to go.

Okay, enough talk. Here’s the code (Deluge runs as the username ‘deluge’).

*filter
# Default policy: everything not matched below is allowed, so other users (ssh, apt, monitoring) are unaffected.
-P OUTPUT ACCEPT
# Local network and loopback are reachable by every user, on any interface.
-A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
# Anything else from the deluge user must leave via the tunnel interface, or it is dropped.
-A OUTPUT -m owner --uid-owner deluge ! -o tun0 -j DROP

COMMIT

Outbound traffic from the VM to my local network (192.168.0.0/16) and to loopback is allowed for every user; that is what keeps the web interface and local services reachable. Any other outbound traffic generated by the deluge user, if it’s not leaving over the tunnel interface (tun0), is dropped. Traffic from other users never reaches the DROP rule and falls through to the ACCEPT policy.
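To see exactly which packets these three rules let through, here is a small model of the OUTPUT chain as iptables evaluates it (top to bottom, first match wins, chain policy when nothing matches). This is an added example, not code from the original post; the UID 1001 for the deluge user, the interface names eth0 and tun0, and the sample packets are constructed. The `leak_report` function is the check a practitioner wants before trusting the kill switch: it lists everything the deluge user can still send when the tunnel is not the outgoing interface, which exposes two gaps the rules as written leave open: destinations on the LAN (for example a DNS resolver at 192.168.x.x) and IPv6, which iptables does not filter at all (that needs a matching ip6tables ruleset).

```python
"""Model of the post's iptables OUTPUT chain, used to check the kill switch.

Added example, not from the original post. Assumptions (constructed):
UID 1001 is the deluge user, eth0 is the LAN interface, tun0 is the VPN.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

DELUGE_UID = 1001  # constructed; on a real box use `id -u deluge`


@dataclass(frozen=True)
class Packet:
    dst: str      # destination address
    uid: int      # UID of the socket owner (-m owner --uid-owner)
    out_if: str   # interface the routing table picked (-o)


@dataclass(frozen=True)
class Rule:
    target: str                       # ACCEPT or DROP
    dst: Optional[str] = None         # -d CIDR
    uid: Optional[int] = None         # -m owner --uid-owner UID
    not_out_if: Optional[str] = None  # ! -o IFACE

    def matches(self, p: Packet) -> bool:
        # ip_address(...) in ip_network(...) is False across address families,
        # so an IPv6 destination never matches the IPv4 -d rules.
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.uid is not None and p.uid != self.uid:
            return False
        if self.not_out_if is not None and p.out_if == self.not_out_if:
            return False
        return True


# The post's ruleset: policy ACCEPT, then the three -A OUTPUT rules in order.
OUTPUT_POLICY = "ACCEPT"
OUTPUT_CHAIN = [
    Rule("ACCEPT", dst="192.168.0.0/16"),
    Rule("ACCEPT", dst="127.0.0.0/8"),
    Rule("DROP", uid=DELUGE_UID, not_out_if="tun0"),
]


def verdict(p: Packet, chain=OUTPUT_CHAIN, policy=OUTPUT_POLICY) -> str:
    """Return the verdict the filter table gives this packet."""
    # iptables only sees IPv4; an IPv6 packet is judged by ip6tables, which
    # has no rules here, so it passes with that table's default ACCEPT.
    if ip_address(p.dst).version == 6:
        return "ACCEPT"
    for rule in chain:           # first matching rule decides
        if rule.matches(p):
            return rule.target
    return policy                 # nothing matched: chain policy applies


def leak_report(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Deluge-user packets that are accepted even though they do not leave via tun0."""
    return [
        (p.dst, p.out_if)
        for p in packets
        if p.uid == DELUGE_UID and p.out_if != "tun0" and verdict(p) == "ACCEPT"
    ]


# Constructed sample traffic: VPN up, VPN down, another user, LAN, loopback, IPv6.
SAMPLE = [
    Packet("203.0.113.5", DELUGE_UID, "tun0"),   # peer via VPN
    Packet("203.0.113.5", DELUGE_UID, "eth0"),   # same peer with tun0 gone
    Packet("203.0.113.5", 0, "eth0"),            # root (apt, monitoring)
    Packet("192.168.1.20", DELUGE_UID, "eth0"),  # LAN host, e.g. a resolver
    Packet("127.0.0.1", DELUGE_UID, "lo"),       # deluged <-> web UI
    Packet("2001:db8::1", DELUGE_UID, "eth0"),   # IPv6 peer, never filtered
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"uid={p.uid:<5} dst={p.dst:<14} out={p.out_if:<5} -> {verdict(p)}")
    print("can leave without tun0:", leak_report(SAMPLE))
```

The report for the sample traffic shows the intended behaviour (the VPN-down packet is dropped, root is untouched) and the two residual paths. Closing the LAN gap means narrowing the first rule to the hosts Deluge actually needs; closing the IPv6 gap means loading an equivalent `-m owner --uid-owner deluge ! -o tun0 -j DROP` rule with ip6tables, or disabling IPv6 on the VM.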

I use the iptables cookbook to deploy these rules using Chef, so they’re already formatted for that. If you use some other way of building your iptables rules, hopefully the above snippet should give you the right idea.