The reason for using a VPN instead of a proxy (for torrenting) is to mask your downloads from the ISP too (encryption), but after an abundance of research, I'm pretty sure the ISPs don't do DPI for analyzing what specifically you're downloading, and so it's only the copyright trolls we need to hide from, which a proxy does. The second reason is still a valid one imho, and that is for if you're being shaped/throttled, which would make all that extra encryption actually have a real purpose instead of just a tinfoil-hat one (forcing encryption in the torrent client limits peers).
Lastly, the last reason for preferring a VPN over a proxy is that a proxy can potentially leak your IP, which is what this post is about and presents a fix for, so that no longer applies.
I've posted here a shell script which only lets outgoing connections go through to your proxy, and only lets incoming connections go through, on your defined listen port, from the proxy.
Still, I'd much advise you to use ltplugin anyway and enable force-proxy and anonymous-mode too.
There's a single thing that this script cannot do, and that is the issue of leakage of your IP through the optional IP field of HTTP and UDP tracker announces, but libtorrent hasn't defined that field for a long time anyway, plus you can hardcode it with ltplugin to your proxy's IP if wanted (announce_ip). Also, even though force-proxy disables IPv6, you can also disable that with a single command: 'sysctl -w net.ipv6.conf.all.disable_ipv6=1'. The net lists that you need an additional command for each of your interfaces, but I've tested this and you don't; the single command is enough, as its name implies.
Change PROXY to one of your proxy's IPs (use this e.g. http://tejji.com/ip/url-to-ip-address.aspx) and change PORT to your defined listening port. Also change the deluge username if needed, and note you have to run deluge under this name always for this to work, but many distro packages by default run deluge as the deluge user, e.g. Arch Linux when running 'sudo systemctl start deluged.service'.
You have to run it at every boot before running deluge (I run the script and deluge from another script), unless you add it to your startup sequence, which I'd advise if you're not running it automatically from a script anyway, like me.
```bash
# Set these before running: PROXY is one of your proxy's IPs, PORT is the
# listening port configured in Deluge, DELUGE_USER is the account deluged runs as.
PROXY=203.0.113.10   # placeholder, replace with your proxy's IP
PORT=6881            # placeholder, replace with your Deluge listen port
DELUGE_USER=deluge

# Note: -F flushes every existing rule in the filter table, not just these.
sudo iptables -F
# Incoming: only the proxy may reach the listen port; everyone else is dropped.
sudo iptables -A INPUT -p tcp -s "$PROXY" --dport "$PORT" -j ACCEPT
sudo iptables -A INPUT -p udp -s "$PROXY" --dport "$PORT" -j ACCEPT
sudo iptables -A INPUT -p udp --dport "$PORT" -j DROP
sudo iptables -A INPUT -p tcp --dport "$PORT" -j DROP
# Outgoing from the deluge user: proxy, LAN and loopback only; everything else is dropped.
sudo iptables -A OUTPUT -p tcp -m owner --uid-owner "$DELUGE_USER" -d "$PROXY" -j ACCEPT
sudo iptables -A OUTPUT -p udp -m owner --uid-owner "$DELUGE_USER" -d "$PROXY" -j ACCEPT
sudo iptables -A OUTPUT -p udp -m owner --uid-owner "$DELUGE_USER" -d 192.168.0.0/24 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m owner --uid-owner "$DELUGE_USER" -d 192.168.0.0/24 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m owner --uid-owner "$DELUGE_USER" -d 127.0.0.1 -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner "$DELUGE_USER" -j DROP
```
Note, the lines for the LAN are there because deluge tries to connect to those addresses, I don't know why, and you can remove them if wanted, but I'm guessing it tries 192.168.0.1 for DNS, or else it's LSD or something.
You can check if anything was blocked by running:
```bash
sudo iptables -nvx -L OUTPUT
sudo iptables -nvx -L INPUT
```
To see what specifically was blocked (if anything), you can e.g. use iptables-strace, but you need to run it first, before anything got blocked (iptables-strace start), and then if one of the two commands listed above shows something blocked, you can check for BLOCKED entries in your syslog or journalctl log and see the src/dst IPs. Afterwards you can disable it (iptables-strace stop).
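As an added example (not from the original post), here is a small bash helper that reads the verbose listing from 'iptables -nvx -L <chain>' and sums the packet counters of every DROP rule, so you get a single number instead of eyeballing the table. The sample listing embedded in the script is constructed for the demonstration; the chain name, the 203.0.113.10 proxy address and the UID 1000 are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: turn the packet counters of
# `sudo iptables -nvx -L <chain>` into one total for all DROP rules.

# Reads an iptables -nvx -L listing on stdin and prints the summed pkts column
# of every rule whose target is DROP. With -n and -v the columns are:
#   pkts bytes target prot opt in out source destination [match options]
sum_dropped() {
    awk '$3 == "DROP" { total += $1 } END { printf "%d\n", total + 0 }'
}

# Constructed sample output (placeholder proxy 203.0.113.10, placeholder UID 1000),
# standing in for what `sudo iptables -nvx -L OUTPUT` would print on a live box.
SAMPLE_OUTPUT='Chain OUTPUT (policy ACCEPT 12 packets, 1200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     310    24800 ACCEPT     tcp  --  *      *       0.0.0.0/0            203.0.113.10         owner UID match 1000
       7      560 ACCEPT     udp  --  *      *       0.0.0.0/0            203.0.113.10         owner UID match 1000
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            owner UID match 1000
       5      400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1000'

# Runs the parser over the constructed sample; prints 5.
dropped_in_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | sum_dropped
}

# Checks a live chain (needs root). Prints the total and returns non-zero
# when any packet hit a DROP rule, so it can gate a startup script.
check_chain() {
    local chain="$1" total
    total=$(sudo iptables -nvx -L "$chain" | sum_dropped)
    echo "$chain: $total packets hit DROP rules"
    [ "$total" -eq 0 ]
}

# Stand-alone usage: report on the sample, then on both real chains if run as root.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "sample listing: $(dropped_in_sample) packets dropped"
    if [ "$(id -u)" -eq 0 ]; then
        check_chain OUTPUT
        check_chain INPUT
    fi
fi
```

A non-zero total only tells you that something was dropped since the counters were last reset (a flush with 'iptables -F' zeroes them), not what it was; for the source and destination addresses you still need the logging step described above.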