If I set up a router w/ 192.168.1.0/24, connect 2 other routers to it using, say, 192.168.2.0/24 and 192.168.3.0/24, and put a box accessible to the internet on the 2 and someone got access on it, would they be able to see anything on the 3 portion of the network w/o rooting the 1 router?

I'm a little rusty right now, aksnowman, but I don't think it should. I mean, each hop constitutes a completely different network. I could be wrong... I'm sure it's possible in some way, but since you're using private IPs I think that even if they had access to (2) then sniffing would only show up the (3) router... Like I said, it's been a while... I might have it completely wrong.

That's entirely dependent on whether your router 1 forwards packets between these networks or not.
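
One way to see what "depends on router 1" means in practice, as an added example that is not part of this thread: a small Python model of router 1's forwarding decision for the three subnets in the question. The two policy tables, the sample addresses and the "exposed box on 192.168.2.0/24" assumption are constructed for the example; the nftables rendering at the end assumes router 1 is a Linux box and is only illustrative of what a default-deny forward chain between the subnets looks like.

```python
"""Model of the forwarding decision router 1 makes between 192.168.1.0/24,
192.168.2.0/24 and 192.168.3.0/24 (added example; policies are constructed)."""
from ipaddress import ip_address, ip_network

# Networks router 1 knows about (its own LAN plus the two behind routers 2 and 3).
NETS = {
    "lan1": ip_network("192.168.1.0/24"),
    "lan2": ip_network("192.168.2.0/24"),   # the internet-exposed box lives here
    "lan3": ip_network("192.168.3.0/24"),
}
NAMES = list(NETS) + ["internet"]

# Constructed sample hosts, one per network (203.0.113.0/24 is a documentation range).
SAMPLE = {"lan1": "192.168.1.10", "lan2": "192.168.2.10",
          "lan3": "192.168.3.10", "internet": "203.0.113.10"}

# Policy 1: a plain router that forwards between everything it is connected to.
PERMISSIVE = {(a, b) for a in NAMES for b in NAMES if a != b}

# Policy 2: router 1 as a filtering router. Each pair is a direction in which a
# NEW connection may be initiated; replies come back via connection tracking.
RESTRICTED = {
    ("lan1", "lan2"), ("lan1", "lan3"), ("lan1", "internet"),
    ("lan2", "internet"),          # exposed box may talk out to the internet
    ("lan3", "internet"),
    ("internet", "lan2"),          # inbound only to the exposed network
}


def classify(addr):
    """Name of the network an address belongs to, or 'internet' if none match."""
    a = ip_address(addr)
    for name, net in NETS.items():
        if a in net:
            return name
    return "internet"


def forwards(src, dst, policy):
    """True/False if router 1 forwards a new flow src->dst under policy.

    Returns None when both hosts share a subnet: that traffic stays in one
    broadcast domain and never reaches router 1, so it is not its decision.
    """
    s, d = classify(src), classify(dst)
    if s == d:
        return None
    return (s, d) in policy


def reachable_from(src, policy):
    """Networks a host at src can initiate traffic into through router 1."""
    return sorted(d for d in NAMES if forwards(src, SAMPLE[d], policy))


def nft_rules(policy):
    """Render policy as a default-deny nftables forward chain for router 1."""
    rfc = ", ".join(str(n) for n in NETS.values())
    lines = [
        "table inet router1 {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for s, d in sorted(policy):
        src = f"ip saddr {NETS[s]}" if s in NETS else f"ip saddr != {{ {rfc} }}"
        dst = f"ip daddr {NETS[d]}" if d in NETS else f"ip daddr != {{ {rfc} }}"
        lines.append(f"    {src} {dst} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    box = SAMPLE["lan2"]   # the compromised, internet-exposed host
    print("permissive router 1:", reachable_from(box, PERMISSIVE))
    print("restricted router 1:", reachable_from(box, RESTRICTED))
    print(nft_rules(RESTRICTED))
```

With the permissive table the compromised host on the 2 network can open connections into both the 1 and 3 networks, exactly the case the question worries about; with the restricted table it can only reach the internet, and a host on 192.168.3.0/24 stays out of reach without changing router 1's policy. The `forwards()` result of `None` for two hosts in the same subnet is the point the later replies make about sniffing: traffic that never crosses router 1 is invisible to it either way.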

Nope, they are on a different subnet so they will not get the traffic for the other subnets.

It shouldn't forward packets to the other network if it's not destined to the other network... and unless they are in constant communication it would take a lot of packet sniffing to pick up anything from it anyways. What I was wondering is if some protocol like CDP was run, whether it would provide anything other than the router. I'm not thinking it should.

Thanks everyone :)

A router can partition the network, so the other routers cannot access each other, unless you do something. I'm from China, my English is bad, sorry.

I would say that it would be mostly secure, but without an actual firewall, instead of a router that only secures you via NAT (network address translation, aka subnetting), you're still subject to the possibility of trivial protocol exploitation. Although regular NAT usually secures you fairly well from relative WANs/LANs, it doesn't do anything to protect you from specific types of techniques that could in turn end up in a root compromise on the router or computer, given circumstances permit, an example being broadcast UDP/ICMP/UPnP not being filtered, which has a history of being exploitable to escalate privileges. Say NAT redirection is enabled; there isn't much of a separation of security at all. There are other various tricks to circumvent regular NAT routing protection, especially from a local perspective, such as packet forging/injection with tools like hping3 that can in some cases hijack sessions, misinform/deceive protocols, or for network reconnaissance analyze things like timestamps/time signatures. This can be used for DNS hijacking/recon attempts and OS detection. So depending on exactly what services you're running and how secure your computer is in relation to its role (all protocols have their advantages/disadvantages in security), the answer to whether it is possible to root a box apart routing networks is that it is very possible, often done, but on the whole if your setup is stable it's fine.