iptables vs. hardware firewall
Other than (possible) performance issues, one thing to keep in mind is that if your firewall is not on the same server as the one it's protecting, if somehow someone does get access to the webserver, they still can't muck with the firewall, meaning they couldn't change your outgoing rules, etc.
A separate firewall could also be set up to not have any way to access it via the network, which again, increases its defenses from being tampered with.
Keep in mind, this is also true of a software firewall that's a separate box, it doesn't have to be a hardware one.