Want to see if traffic is going through a gateway device? Here are some basic network troubleshooting tips on how you can validate that traffic is flowing through a security gateway and actually getting onto the wire.
Sometimes the log says accept, but the traffic isn't actually leaving the box.
Or you need to "prove" to a network admin that traffic is in fact flowing, because everyone believes the security gateway is the problem.
Most network people accept tcpdump as an authority. By running tcpdump on both the incoming and outgoing interfaces you can answer either scenario. Log in to the box with ssh in two separate windows and run a tcpdump for the same traffic on the incoming interface and on the outgoing interface.
As an example, run a tcpdump on the interface the connection comes in on (internal), filtering on the IP of the host attempting to make the connection. Run the same tcpdump on the interface the connection is expected to leave from (external).
For instance you would see:
SYN (from client) enters the internal interface -> the same SYN (from client) exits the external interface toward the server or destination.
ICMP Echo Request (from client) enters the internal interface -> the same ICMP Echo Request (from client) exits the external interface toward the server or destination.
Whether or not you see the SYN-ACK or the ICMP Echo Reply come back the other way will be solely dependent on the server or network at that point. I used to use this quite a bit when needing to “prove” it is not the security gateway.
You will have to adjust the filters for NAT if you are using it in this scenario (the source address on the external side will be the translated one), but everything else still applies.
How to set up the tcpdump (assuming you are ssh'd to the security gateway and in expert mode):
Session 1: Traffic entering internal interface:
tcpdump -n -i [interface name] host <IP of host> (ex: tcpdump -n -i eth0 host 10.1.1.1), or preferably be more specific with your source/destination (tcpdump -n -i eth0 host 10.1.1.1 and host 192.168.1.1)
Session 2: Traffic exiting external interface:
tcpdump -n -i [interface name] host <IP of host> (ex: tcpdump -n -i eth1 host 10.1.1.1), or preferably be more specific with your source/destination (tcpdump -n -i eth1 host 10.1.1.1 and host 192.168.1.1)
You can obviously get more and more granular with tcpdump however this is a good starting point.
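To turn the two sessions into a quick comparison, here is an added Python example (not from the original post) that parses the text output saved from both tcpdump sessions and lists the TCP SYNs that entered the internal interface but never appeared on the external one, with an optional map for hide NAT. The sample lines, addresses and the NAT mapping are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Matches host.port pairs and TCP flags in tcpdump's default text output, e.g.
# "12:00:01.000001 IP 10.1.1.1.51000 > 192.168.1.1.443: Flags [S], seq ..."
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)

def syn_flows(lines: List[str]) -> Set[Flow]:
    """Return (src, dst, dport) for every pure SYN seen in one tcpdump session.
    Source port is ignored on purpose: hide NAT may rewrite it on the way out."""
    flows: Set[Flow] = set()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("flags") == "S":  # "[S]" is a SYN; a SYN-ACK shows as "[S.]"
            flows.add((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return flows

def missing_on_egress(internal: List[str], external: List[str],
                      nat: Optional[Dict[str, str]] = None) -> Set[Flow]:
    """SYNs that entered the internal interface but never left the external one.
    `nat` maps an internal source IP to the translated source expected on the wire."""
    nat = nat or {}
    outbound = syn_flows(external)
    missing: Set[Flow] = set()
    for src, dst, dport in syn_flows(internal):
        if (nat.get(src, src), dst, dport) not in outbound:
            missing.add((src, dst, dport))
    return missing

# Constructed sample output: session 1 (internal, eth0) and session 2 (external, eth1).
INTERNAL = [
    "12:00:01.000001 IP 10.1.1.1.51000 > 192.168.1.1.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000200 IP 10.1.1.1.51001 > 192.168.1.1.80: Flags [S], seq 2, win 64240, length 0",
    "12:00:01.000300 IP 192.168.1.1.443 > 10.1.1.1.51000: Flags [S.], seq 9, ack 2, win 65535, length 0",
]
EXTERNAL = [
    "12:00:01.000050 IP 203.0.113.5.51000 > 192.168.1.1.443: Flags [S], seq 1, win 64240, length 0",
]
NAT = {"10.1.1.1": "203.0.113.5"}  # constructed hide-NAT mapping for the example

if __name__ == "__main__":
    for flow in sorted(missing_on_egress(INTERNAL, EXTERNAL, NAT)):
        print("entered eth0 but never left eth1:", flow)
```

Save each session with `tcpdump -n ... > internal.txt` / `> external.txt` and feed the lines in; without the NAT map every flow will show as missing, which is exactly the adjustment the text above warns about.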
Here are some examples if you want to run a more generic tcpdump, filter out certain noise (management, SSH, DHCP, NetBIOS), and write the capture to a pcap file.
tcpdump -nnei [interface] not port 22 and not port 18192 and not port 67 and not port 18190 and not port 137 -w /var/log/tmp/external.cap
tcpdump -nnei [interface] not port 22 and not port 18192 and not port 67 and not port 18190 and not port 137 -w /var/log/tmp/internal.cap