iproute2 rules and iptables NAT... what is the difference?

firewall iptables iproute2

Solution 1:

While there is some overlap in the functionality between the two tools there are lots of things you can only do from only one of the tools. iproute2 cannot do anything with the netfilter firewall rules. iptables cannot do things like assign ip addresses.

Even in places where functionality seems to overlap it doesn't really overlap. For example you can do address translation with both iproute2 and iptables. But the address translation that you can do with iproute does not take any state into consideration and does absolutely no rewriting of the packet. There are several network protocols like FTP, SIP, H.323, etc where IP addresses are in included within the packet, and not just in the headers. If you use the iproute method for address translation those types of protocols will be broken. Netfilter does a far better job at address translation.

In most cases where functionality does overlap it is handled in different ways. It is possible with a module to do routing with iptables, but last time I checked that module was not on most distributions to not have netfilter/iptables patched with the ROUTE target. If that target isn't available you cannot use netfilter for routing unless you are in the mood to compile your own kernels. Your decision about which tool to use will be made simply because the feature isn't available in version of the tools you are running. Even if you have the ROUTE target, from what I understand, it isn't as efficient to use netfilter for routing decisions as it is to do routing with the standard routing tables with iproute2 manipulates.

A lot of it is also using the right tool for the right job. iproute2 is primarily designed for managing routing and addresses on your computer. iptables/Netfilter is built for firewalling.

I think that in places where a person could use either tool they will usually use the tool that they are most familiar with. I know I use the MARK target of iptables to flag some packets for one route or the other even though I could write the same rule with iproute2.

Related

How can I decrease the time spent reformatting / restoring user's workstations?
Are MySQL databases always stored in /var on CentOS?
How do I get nohup.out flushed more often?
Delete files older than X days on remote server with SCP/SFTP
What tips do you have for speeding up (performance of) a MediaWiki installation?
SQL Server 2008 default schema not being respected?
Fixing "This access control list is not in canonical form" errors from the command line
Rsync fails to backup some files, giving error 22
Using iptables to block ALL outgoing traffic from one NIC?
Why can't I ssh or ping my brand new Amazon EC2 instance?
Windows Server 2008 R2 max open files limit
Should AWS CloudFront *increase* load time for infrequently accessed files?