Debian Firewalls -- Diagnostics with IFTop & TCPDump
 
    One of the fun parts about building your own firewall is having the ability to use diagnostic tools to monitor your traffic. Here we'll take a quick look at two tools, IFTop and TCPDump, which are quite useful for troubleshooting.

   Linux and Unix users are probably familiar with the ubiquitous top program which monitors processes. IFTop (http://www.ex-parrot.com/~pdw/iftop/) is a network-centric take on the top program which lets you monitor network connections in and out of your machine.

   In case you haven't noticed the running theme, all the packages we've used so far are available in Apt. To start off, let's install IFTop:

Firewall:~# apt-get install iftop

   There's no configuration necessary, just run iftop from the command line.

Firewall:~# iftop

   IFTop will display a list of connections on your console/terminal screen, showing the two machines involved in each connection and the bandwidth used by each. Commands are entered with single keys: hit 'h' for the help screen to view available settings. When you're finished, hit 'q' to return to the command line.
 

   TCPDump (http://www.tcpdump.org) is the premiere packet sniffer of the 'nix world. An extremely powerful (and potentially complex) tool, TCPDump can monitor, capture, and decode all packets crossing a given interface. While not very fun to watch, it is indispensable when it comes to troubleshooting connections.

Firewall:~# apt-get install tcpdump

   TCPDump is generally configured from the command line at run time. There are far too many options to cover here, so check out the manpage and online documentation. Here are a few quick examples:

   Capture all traffic involving host 192.168.1.20:

Firewall:~# tcpdump host 192.168.1.20

   Capture HTTP packets on eth0:

Firewall:~# tcpdump -i eth0 port 80 and tcp

   Capture HTTP packets on eth0, and decode packets in ASCII:

Firewall:~# tcpdump -Ai eth0 port 80 and tcp

   Capture packets on eth0 on port 80 or 8080:

Firewall:~# tcpdump -i eth0 port 80 or port 8080

   Capture UDP packets to port 53 (DNS) originating from 192.168.1.20:

Firewall:~# tcpdump dst port 53 and udp and src host 192.168.1.20

   Dump the packets to a file instead of the screen...:

Firewall:~# tcpdump -w dump.txt host 192.168.1.20

   ...then read in the packets to process later:

Firewall:~# tcpdump -r dump.txt
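   One thing worth knowing about the -w option: the file it writes is binary pcap, not text, no matter what you name it (so "dump.txt" above is a plain pcap file that only tcpdump -r, or another pcap reader, can make sense of). The following Python example is added here and is not part of the tutorial: it builds a small pcap image in memory the way tcpdump -w would, reads it back, and applies the same selection as the DNS filter above (dst port 53 and udp and src host 192.168.1.20). The frames, ports and the ARP packet are constructed for illustration; the 192.168.1.x addresses follow the tutorial's examples.

```python
import socket
import struct

# Constructed sample data: a pcap file image as tcpdump -w would write it
# (global header + packet records, Ethernet link type). Addresses are
# assumed for illustration and follow the tutorial's 192.168.1.x network.
PCAP_MAGIC_LE = 0xA1B2C3D4       # microsecond timestamps, little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1       # same magic seen from the other byte order
LINKTYPE_ETHERNET = 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_udp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/UDP frame (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                  # zero MACs, ethertype IPv4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + udp


def build_pcap(frames):
    """Wrap frames in a pcap global header and per-packet record headers."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(
        struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
        for i, f in enumerate(frames)
    )
    return header + records


def read_pcap(data):
    """Yield (timestamp_sec, frame_bytes) for every record in a pcap image."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a pcap file (tcpdump -w writes binary pcap, not text)")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def decode_frame(frame):
    """Return the IPv4 addresses/ports of a frame, or None for non-IPv4 traffic."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = frame[23]
    rec = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
           "proto": proto, "sport": None, "dport": None}
    l4 = 14 + ihl
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= l4 + 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return rec


def dns_queries_from(data, src_host):
    """Same selection as: tcpdump -r dump.txt 'dst port 53 and udp and src host <src_host>'"""
    matches = []
    for _ts, frame in read_pcap(data):
        rec = decode_frame(frame)
        if rec and rec["proto"] == IPPROTO_UDP and rec["dport"] == 53 and rec["src"] == src_host:
            matches.append(rec)
    return matches


ARP_FRAME = b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28                 # ARP, not IPv4 (constructed)
SAMPLE_CAPTURE = build_pcap([
    build_udp_frame("192.168.1.20", "192.168.1.1", 40001, 53, b"\x12\x34\x01\x00"),  # DNS from .20
    build_udp_frame("192.168.1.21", "192.168.1.1", 40002, 53),                        # DNS from .21
    build_udp_frame("192.168.1.20", "192.168.1.1", 40003, 123),                       # NTP from .20
    ARP_FRAME,
])

if __name__ == "__main__":
    for rec in dns_queries_from(SAMPLE_CAPTURE, "192.168.1.20"):
        print(f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} UDP")
```

   Run against the constructed capture, only the first frame is reported; the other DNS query has the wrong source host, the NTP packet has the wrong destination port, and the ARP frame is not IPv4 at all. To read a real file produced by tcpdump -w, replace SAMPLE_CAPTURE with the contents of that file opened in binary mode.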

Proceed to Step 17 - Custom Kernels
 
Copyright © 2006 Matt LaPlante. All rights reserved.