We have 2 different ISP connections. Our previous "IT guy" set up our firewall like so: when /etc/rc.local was executed on startup, it did a bunch of ip rule add and ip route add commands in order to route certain internal hosts to use certain ISP connections. Then at the end of /etc/rc.local, he executed our iptables firewall rules that were generated by Firewall Builder. These iptables rules have both Policy and NAT rules set up in them.

What I don't understand is why did he use iproute2 to specify rules and routes but also specify NAT rules for iptables? Why didn't he just do it all in one or the other instead of using them both? Could he have got rid of the iproute2 rules and routes and just put all those same rules into the iptables NAT settings?
While there is some overlap in the functionality between the two tools, there are lots of things you can only do from one of the tools. iproute2 cannot do anything with the netfilter firewall rules. iptables cannot do things like assign IP addresses.

Even in places where functionality seems to overlap, it doesn't really overlap. For example, you can do address translation with both iproute2 and iptables. But the address translation that you can do with iproute does not take any state into consideration and does absolutely no rewriting of the packet. There are several network protocols like FTP, SIP, H.323, etc. where IP addresses are included within the packet, and not just in the headers. If you use the iproute method for address translation, those types of protocols will be broken. Netfilter does a far better job at address translation.

In most cases where functionality does overlap, it is handled in different ways. It is possible with a module to do routing with iptables, but last time I checked, most distributions did not have netfilter/iptables patched with the ROUTE target. If that target isn't available, you cannot use netfilter for routing unless you are in the mood to compile your own kernels. Your decision about which tool to use will be made simply because the feature isn't available in the version of the tools you are running. Even if you have the ROUTE target, from what I understand, it isn't as efficient to use netfilter for routing decisions as it is to do routing with the standard routing tables that iproute2 manipulates.

A lot of it is also using the right tool for the right job. iproute2 is primarily designed for managing routing and addresses on your computer. iptables/Netfilter is built for firewalling.

I think that in places where a person could use either tool, they will usually use the tool that they are most familiar with. I know I use the MARK target of iptables to flag some packets for one route or the other, even though I could write the same rule with iproute2.
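An added example (not code from the question, the answer, or the original rc.local) of the split described above: iproute2 owns the per-ISP routing tables and the rules that select them, while iptables does the stateful SNAT and sets a fwmark that one of those rules matches. Interface names, addresses and the internal host are made-up placeholders; with DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Two-ISP policy routing (iproute2) plus stateful NAT and marking (iptables).
# All values below are hypothetical placeholders; adjust for a real router.
LAN_IF=eth0;  LAN_NET=192.168.1.0/24
ISP1_IF=eth1; ISP1_GW=203.0.113.1;  ISP1_ADDR=203.0.113.10
ISP2_IF=eth2; ISP2_GW=198.51.100.1; ISP2_ADDR=198.51.100.10
VIA_ISP2_HOST=192.168.1.50        # one internal host forced out via ISP2
DRY_RUN=${DRY_RUN:-1}             # 1 = print commands, 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# iproute2 part: one routing table per ISP and the rules that pick a table.
setup_routing() {
    run ip route add default via "$ISP1_GW" dev "$ISP1_IF" table 101
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table 102
    # Keep LAN-to-LAN traffic local even when a per-ISP table is selected.
    run ip route add "$LAN_NET" dev "$LAN_IF" table 101
    run ip route add "$LAN_NET" dev "$LAN_IF" table 102
    # Replies must leave through the uplink whose address they carry.
    run ip rule add from "$ISP1_ADDR" table 101 priority 100
    run ip rule add from "$ISP2_ADDR" table 102 priority 101
    # Source-based selection, as the old rc.local did: one host via ISP2.
    run ip rule add from "$VIA_ISP2_HOST" table 102 priority 200
    # fwmark-based selection: packets marked 2 by iptables also use ISP2.
    run ip rule add fwmark 2 table 102 priority 300
}

# iptables part: what iproute2 cannot do (stateful NAT, marking, filtering).
setup_firewall() {
    # MARK target: flag LAN web traffic so the fwmark rule routes it via ISP2.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -p tcp --dport 80 -j MARK --set-mark 2
    # Stateful SNAT per uplink, chosen by the interface the route selected.
    run iptables -t nat -A POSTROUTING -o "$ISP1_IF" -j SNAT --to-source "$ISP1_ADDR"
    run iptables -t nat -A POSTROUTING -o "$ISP2_IF" -j SNAT --to-source "$ISP2_ADDR"
    # Forwarding policy: LAN may initiate, replies may return, all else dropped.
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -j DROP
}

setup_all() { setup_routing; setup_firewall; }

[ "${NO_AUTORUN:-0}" = 1 ] || setup_all
```

Run with DRY_RUN=0 on the router itself to apply; the order matters, since the fwmark rule and the SNAT rules only make sense once tables 101 and 102 exist.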