[NBLUG/talk] Linux as router

troy fryman at sonic.net
Mon Nov 1 12:47:56 PST 2004


On Mon, Nov 01, 2004 at 09:25:14AM -0800, Osiris Pedroso wrote:
> Good morning,
> 
> I would like to understand a bit more about iptables and wonder if any of
> you could help me.
> 
> In IPTABLES, there are three main queues of packets, namely INPUT, FORWARD
> and OUTPUT.
> 
> I believe:
> 
> *	INPUT and OUTPUT exist for both eth0 and eth1, but FORWARD is shared
> between the two.
> *	When testing packets in the INPUT queue, only the input interface
> can be tested for, the output interface won't be set.
> *	When testing packets in the OUTPUT queue, only the output interface
> can be tested for, the input interface won't be set.

The above seems exactly right to me.  I'm no whiz, however, so I could
definitely be missing some subtlety.

> *	Unless "echo 1 > /proc/sys/net/ipv4/ip_forward" is executed, packets
> will not be forwarded from one interface to the other.

Correct.

> One more related question:
> 
> *	Does TCPDUMP show only arriving packets or does it also show packets
> being emitted from the interface being watched? Maybe I am using the
> wrong tool to watch the traffic go by.

tcpdump is like the old party line phones -- you can hear everything
that goes across the wire.  The arguments to tcpdump are many and
varied, but, I think, pretty intuitive:

#all traffic to and from 192.168.1.1
tcpdump host 192.168.1.1
#all traffic to and from 192.168.1.1 but not ssh
tcpdump host 192.168.1.1 and not port 22 
#all port 80 traffic (web)
tcpdump port 80

Note that that last command won't show you both sides of the HTTP
conversation -- the request comes in on port 80, but leaves on a
different port.

Another great tool is ethereal, whose former motto was, "Sniffing the
glue that holds the Internet together".

A great feature with ethereal is "decoding tcp streams", i.e.
reassembling the packets in a given conversation and showing them to you
in human readable form.

This is a pretty good article:
http://www.linuxsecurity.com/articles/network_security_article-4528.html

-troy
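As an added illustration (not code from this thread or from the NBLUG list), a small Python model of how a packet ends up in INPUT, FORWARD or OUTPUT and which interfaces each chain can see; the router (eth0 internet side, eth1 LAN side), its addresses and the ruleset are constructed, and the nat/mangle hooks are left out.

```python
# Toy model of netfilter filter-chain traversal (illustrative, not kernel code).
from dataclasses import dataclass
from typing import Optional

# Constructed two-interface router: eth0 faces the internet, eth1 the LAN.
LOCAL_ADDRS = {"eth0": "203.0.113.10", "eth1": "192.168.1.1"}
LAN_PREFIX = "192.168.1."

@dataclass
class Rule:
    chain: str                        # INPUT, FORWARD or OUTPUT
    target: str                       # ACCEPT or DROP
    in_iface: Optional[str] = None    # -i  (never set for OUTPUT)
    out_iface: Optional[str] = None   # -o  (never set for INPUT)
    dport: Optional[int] = None       # --dport

def route(dst):
    """Routing decision: LAN destinations leave via eth1, the rest via eth0."""
    return "eth1" if dst.startswith(LAN_PREFIX) else "eth0"

def run_chain(rules, chain, in_if, out_if, dport, policy):
    """First matching rule wins; otherwise fall through to the chain policy."""
    for r in rules:
        if (r.chain == chain
                and r.in_iface in (None, in_if)      # unset -i matches anything
                and r.out_iface in (None, out_if)
                and r.dport in (None, dport)):
            return r.target
    return policy

def receive(rules, in_if, dst, dport, ip_forward):
    """Packet arriving on in_if. Returns (chain consulted, verdict)."""
    if dst in LOCAL_ADDRS.values():            # addressed to this host -> INPUT
        return "INPUT", run_chain(rules, "INPUT", in_if, None, dport, "DROP")
    if not ip_forward:                          # routed packet, forwarding off
        return None, "DROP"
    return "FORWARD", run_chain(rules, "FORWARD", in_if, route(dst), dport, "DROP")

def send(rules, dst, dport):
    """Locally generated packet: only the output interface is known."""
    return "OUTPUT", run_chain(rules, "OUTPUT", None, route(dst), dport, "ACCEPT")

# Constructed ruleset: SSH to the router only from the LAN side, and only
# LAN -> internet web traffic may be forwarded; everything else hits policy.
RULES = [
    Rule("INPUT", "ACCEPT", in_iface="eth1", dport=22),
    Rule("FORWARD", "ACCEPT", in_iface="eth1", out_iface="eth0", dport=80),
]
```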
