The packet flow through netfilter has been a little hazy for me. Today I received enlightenment. Pablo Neira Ayuso has a paper called Towards 4th Generation Linux Firewalling Tools. On page 10 of that presentation is an excellent drawing of the iptables paths and what is performed in each path. It clearly shows PREROUTING, FORWARD, INPUT, OUTPUT, and POSTROUTING.
In the cross references on that page are a couple of good links:
While here, and on an unrelated topic, here is a Packet Shaping HOWTO.
Now if I could just find a utility that can chart who is doing what with what protocol in real time. It isn't open source, but later I did come across ObjectPlanet's Net Probe as something that could do the job.
Here are a few interesting commands to use when iptables is active:
- cat /proc/net/dev
- cat /proc/net/netstat
- cat /proc/net/ip_conntrack
- cat /proc/net/sockstat
- iptables --list -v
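The two most useful of those files for a quick picture of what the firewall is seeing are /proc/net/dev (per-interface counters) and /proc/net/ip_conntrack (one line per tracked flow). The script below is an added example, not part of the original post or of the netfilter project: it parses both formats and gives the kind of per-protocol, per-host breakdown the post wishes for. The sample file contents embedded in it are constructed for offline use; on a real host you would feed the same functions the actual file contents (the ip_conntrack format is the 2.4/2.6-era one, where TCP lines carry a state column and UDP lines do not).

```python
"""Summarise netfilter state from /proc/net/dev and /proc/net/ip_conntrack.

Added example (not from the original page). Parses the text formats of the
two /proc files and reports per-interface byte counters plus a breakdown of
tracked connections by service and by originating host. SAMPLE_NET_DEV and
SAMPLE_CONNTRACK are constructed samples so the script runs offline.
"""
from collections import Counter

# Constructed sample of /proc/net/dev (two interfaces, eth0 with 3 rx drops).
SAMPLE_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     789    0    0    0     0          0         0   123456     789    0    0    0     0       0          0
  eth0: 9876543   12345    0    3    0     0          0         0  2345678   11111    0    0    0     0       0          0
"""

# Constructed sample of /proc/net/ip_conntrack. TCP entries carry a state
# column (ESTABLISHED, TIME_WAIT, ...); UDP entries do not, so the parser keys
# on name=value pairs rather than on column positions.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=43210 dport=443 packets=12 bytes=1234 src=10.0.0.5 dst=192.168.1.10 sport=443 dport=43210 packets=10 bytes=5678 [ASSURED] mark=0 use=1
tcp      6 118 TIME_WAIT src=192.168.1.10 dst=10.0.0.7 sport=43211 dport=80 packets=6 bytes=500 src=10.0.0.7 dst=192.168.1.10 sport=80 dport=43211 packets=5 bytes=4000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=53124 dport=53 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=53124 packets=1 bytes=120 mark=0 use=1
tcp      6 431200 ESTABLISHED src=192.168.1.22 dst=10.0.0.5 sport=50001 dport=443 packets=30 bytes=9000 src=10.0.0.5 dst=192.168.1.22 sport=443 dport=50001 packets=25 bytes=70000 [ASSURED] mark=0 use=1
"""

# Keys that appear twice per conntrack line: once for the original direction,
# once for the reply direction.
_DIRECTION_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")


def parse_net_dev(text):
    """Return {iface: {rx_bytes, rx_packets, rx_drop, tx_bytes, tx_packets}}.

    The two header lines have no ':' in front of the counters, so splitting
    on the first ':' skips them naturally.
    """
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        iface, counters = line.split(":", 1)
        cols = [int(c) for c in counters.split()]
        stats[iface.strip()] = {
            "rx_bytes": cols[0], "rx_packets": cols[1], "rx_drop": cols[3],
            "tx_bytes": cols[8], "tx_packets": cols[9],
        }
    return stats


def parse_conntrack(text):
    """Return one dict per tracked flow.

    Each dict has proto, state (None for stateless protocols such as UDP),
    orig (the first src/dst/sport/dport/packets/bytes set, i.e. the side that
    opened the flow), reply (the second set) and flags such as ASSURED.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        entry = {"proto": tokens[0], "state": None, "orig": {}, "reply": {}, "flags": []}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                if key in _DIRECTION_KEYS:
                    # First occurrence belongs to the original direction,
                    # the second to the reply direction.
                    side = entry["reply"] if key in entry["orig"] else entry["orig"]
                    side[key] = int(value) if value.isdigit() else value
            elif tok.startswith("["):
                entry["flags"].append(tok.strip("[]"))
            elif not tok.isdigit():
                # Protocol number and timeout are digits; anything else
                # before the key=value pairs is the TCP state.
                entry["state"] = tok
        entries.append(entry)
    return entries


def connections_by_service(entries):
    """Count flows per (protocol, destination port) of the original direction."""
    return Counter((e["proto"], e["orig"].get("dport")) for e in entries)


def bytes_by_host(entries):
    """Total bytes in both directions, attributed to the host that opened the flow."""
    totals = Counter()
    for e in entries:
        totals[e["orig"]["src"]] += e["orig"].get("bytes", 0) + e["reply"].get("bytes", 0)
    return totals


if __name__ == "__main__":
    for iface, s in parse_net_dev(SAMPLE_NET_DEV).items():
        print(f"{iface:>6}: rx {s['rx_bytes']} B ({s['rx_drop']} dropped), tx {s['tx_bytes']} B")
    conns = parse_conntrack(SAMPLE_CONNTRACK)
    for (proto, port), n in connections_by_service(conns).most_common():
        print(f"{proto}/{port}: {n} flow(s)")
    for host, total in bytes_by_host(conns).most_common():
        print(f"{host}: {total} bytes")
```

Run it as-is to see the summary of the constructed samples; to use it on a live 2.4/2.6 box, replace the two sample strings with `open("/proc/net/dev").read()` and `open("/proc/net/ip_conntrack").read()`. Attributing bytes to the host that opened the flow is what makes the per-host view useful for spotting a machine talking far more than its peers.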
A paper called Netfilter Performance Testing is a good one which discusses the testing of netfilter and the various tools employed to do so.
The NetFilter site is at www.netfilter.org. For monitoring connections, conntrack, ulogd2, and libnetfilter_conntrack are projects to look at.
Intellos Network has a souped up Conntrack Viewer for 2.4 kernels. I wonder if it will work on 2.6 kernels.
Some background information on network accounting with netfilter and userspace utilities.