Can IPTABLES be used as a routing table?

[armshount]

I have a boss that insists on being a pain in my bottom. He says to me that Hardware firewalls are better, I dont disagree with him, he is right to some extent. I showed him IPTABLES and he said "wouldnt you need to create a routing table like route add blah blah blah. I said no because IPTABLES is the one routing the packets if its configured as a router. I said to him that ROUTING TABLES are redunant because IPTABLES does it all for you. He told me I was wrong. He said its just a firewall. Who is right??

Can someone shed some light on this. He confused me and need some clarification.

If I was to clear my routing table under linux like route blah blah blah, would IPTABLES be able to take over the routing decisions and route all the packets itself?

If Iptables can be used as a router, it must have the ability to do what I am talking about. It is a layer 3 program..

By the way. LINUX PROGRAMS ARE --F'n AWESOME!!!

[markcole]

You can certainly set rules in iptables to make it work like a router. iptables will only do what you tell it to do though. It doesn't do anything "for you" without your intervention.

[Kloschüssel]

Be happy, I believe you're both right.

* route is built into the kernel and routes packets there; usually one doesn't intervene there cause the routing tables are updated automatically by the if up/down scripts and thus depending on which interface comes up (i.e. bringing up a ppp connection would make sure that all proper routes are set so that packets destined to that subnet are routed through there)

* iptables CAN route packets and lives aside of route but (at least i believe it) has to obey what route says; if you tell iptables to route packets from one interface to the other it may work but only if route is configured to not route them elsewhere

Anyway it is common practice to configure routes with route as it tends to be complicated and not dynamic enough when configured with iptables.

EDIT, just read it up:

There is for all purposes just one routing table which the kernel maintains
and you manipulate that using the route command (generally). There is
also the ip command available. But both act on the same routing table.

route manipulates the internal routing table and iptables lives around it and by having pre- and postrouting it is more powerful and can override what route says.

Sometimes it is better to refresh stuff you've obviously forgotten.

[Lazydog]

IPTABLES does not route any packets. The Kernel does all the routing. IPATBLES can manipulate the packets before they are routed but it doesn't do any routing. IPTABLES job is to determine what is allowed to pass nothing more. Your Boss is right.

[rafatmb]

Yeah man, your boss is right. But, who cares?

Iptables is a userland software that is used to interact with the netfilter framework, that is a kernel part and to real magic.

The netfilter framework doesn't route packets:
on table filter=block/accept/redirect packets
on table mangle=change packet headers, basicaly
on table nat = do nat things (that means to change the packet headers and some other things).

Then, netfilter is not used to route packets, the kernel uses other things to do that.
But the point is: who cares? The kernel route table and netfilter works together. On a hardware firewall there are many modules working together too, and you won't want to separated them.

We need to compare features, performance and other things. Not a userland command (as iptables) and a hardware firewall.

[armshount]

Wouldnt the Ip_forward module turn iptables into a router tho??

iptables is a static routing table. I think that route print and all that is redundancy, am i correct??

[Lazydog]

ip_forward is a kernal module not an IPTABLES module.
You don't need iptables to forward packets.