#1 (Just Joined!, Join Date: Feb 2011, Posts: 6)

    Can IPTABLES be used as a routing table?


    I have a boss that insists on being a pain in my bottom. He says to me that hardware firewalls are better. I don't disagree with him, he is right to some extent. I showed him IPTABLES and he said "wouldn't you need to create a routing table like route add blah blah blah?" I said no because IPTABLES is the one routing the packets if it's configured as a router. I said to him that ROUTING TABLES are redundant because IPTABLES does it all for you. He told me I was wrong. He said it's just a firewall. Who is right?

    Can someone shed some light on this? He confused me and I need some clarification.

    If I was to clear my routing table under Linux like route blah blah blah, would IPTABLES be able to take over the routing decisions and route all the packets itself?

    If iptables can be used as a router, it must have the ability to do what I am talking about. It is a layer 3 program.

    By the way. LINUX PROGRAMS ARE --F'n AWESOME!!!

#2 (Linux Newbie, Join Date: Apr 2007, Posts: 119)
    You can certainly set rules in iptables to make it work like a router. iptables will only do what you tell it to do though. It doesn't do anything "for you" without your intervention.

#3 (Kloschüssel, Linux Engineer, Join Date: Oct 2005, Location: Italy, Posts: 773)
    Be happy, I believe you're both right.

    * route is built into the kernel and routes packets there; usually one doesn't intervene there because the routing tables are updated automatically by the ifup/ifdown scripts and thus depending on which interface comes up (i.e. bringing up a ppp connection would make sure that all proper routes are set so that packets destined to that subnet are routed through there)

    * iptables CAN route packets and lives alongside route but (at least I believe so) has to obey what route says; if you tell iptables to route packets from one interface to the other it may work but only if route is configured to not route them elsewhere

    Anyway it is common practice to configure routes with route as it tends to be complicated and not dynamic enough when configured with iptables.

    EDIT, just read up on it:

    There is for all purposes just one routing table which the kernel maintains
    and you manipulate that using the route command (generally). There is
    also the ip command available. But both act on the same routing table.
    route manipulates the internal routing table and iptables lives around it and by having pre- and postrouting it is more powerful and can override what route says.

    Sometimes it is better to refresh stuff you've obviously forgotten.
    Last edited by Kloschüssel; 02-03-2011 at 11:57 AM.

#4 (Lazydog, Linux Guru, Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)

    IPTABLES does not route any packets. The kernel does all the routing. IPTABLES can manipulate the packets before they are routed but it doesn't do any routing. IPTABLES' job is to determine what is allowed to pass, nothing more. Your boss is right.

    Regards
    Robert

    Linux: The adventure of a life time.
    Linux User #296285

#5 (rafatmb, Just Joined!, Join Date: Feb 2011, Location: Brazil, Posts: 25)

    iptables

    Yeah man, your boss is right. But, who cares?

    Iptables is a userland program that is used to interact with the netfilter framework, which is a kernel component and does the real magic.

    The netfilter framework doesn't route packets:
    on table filter = block/accept/redirect packets
    on table mangle = change packet headers, basically
    on table nat = do NAT things (that means changing the packet headers and some other things).

    Then, netfilter is not used to route packets; the kernel uses other things to do that.
    But the point is: who cares? The kernel routing table and netfilter work together. On a hardware firewall there are many modules working together too, and you won't want to separate them.

    We need to compare features, performance and other things. Not a userland command (as iptables) and a hardware firewall.

#6 (Just Joined!, Join Date: Feb 2011, Posts: 6)

    ip_forward module

    Wouldn't the ip_forward module turn iptables into a router though?

    iptables is a static routing table. I think that route print and all that is redundancy, am I correct?

#7 (Lazydog, Linux Guru, Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)

    ip_forward is a kernel module, not an IPTABLES module.
    You don't need iptables to forward packets.

    Regards
    Robert

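The point the thread converges on (Kloschüssel's "pre- and postrouting" remark, rafatmb's table list and Lazydog's "the kernel does all the routing / ip_forward is a kernel setting") is easiest to see as a model of the forwarding path. Below is an added example, not code from any poster: a small Python simulation of one Linux box with a kernel routing table (longest-prefix match, as `ip route` populates it), the `net.ipv4.ip_forward` sysctl, and the netfilter hooks iptables manages around the routing decision (nat/PREROUTING before it, filter/FORWARD and nat/POSTROUTING after it). Interface names, addresses, routes and rules are constructed sample data; the iptables commands in the comments are the real ones each piece stands for. It shows why a DNAT in PREROUTING is the only way iptables can change where a packet goes (it rewrites the header the kernel then routes), why clearing the routing table leaves iptables with nothing to do, and why `ip_forward=0` drops a packet before the FORWARD chain ever sees it.

```python
"""Model of the Linux forwarding path: the kernel FIB decides, netfilter hooks
sit around that decision. Added example, not from the thread; all addresses,
interfaces, routes and rules are constructed sample data."""
import ipaddress

# Addresses the box itself owns (what `ip addr show` would list). Sample data.
LOCAL_ADDRS = {"192.168.1.1", "10.0.0.2", "203.0.113.5"}

# Kernel routing table as `ip route show` would print it: (prefix, out_iface, gateway).
# iptables/netfilter never reads or edits this table. Sample data.
ROUTES = [
    ("192.168.1.0/24", "eth0", None),
    ("10.0.0.0/8", "eth1", None),
    ("0.0.0.0/0", "eth1", "10.0.0.1"),  # default route
]


def lookup_route(table, dst):
    """Longest-prefix match like the kernel FIB. Returns (iface, gateway) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (best[1], best[2])


class Box:
    """One Linux host: FIB, the ip_forward sysctl, and a few netfilter chains."""

    def __init__(self, routes, ip_forward=True):
        self.routes = list(routes)
        self.ip_forward = ip_forward          # sysctl net.ipv4.ip_forward
        self.dnat = {}                        # nat/PREROUTING: (dst, dport) -> (new_dst, new_dport)
        self.forward_rules = []               # filter/FORWARD: (match, verdict), first match wins
        self.forward_policy = "DROP"          # iptables -P FORWARD DROP
        self.masquerade_ifaces = set()        # nat/POSTROUTING -o <iface> -j MASQUERADE
        self.iface_addr = {"eth0": "192.168.1.1", "eth1": "10.0.0.2"}  # sample data

    def forward_chain(self, pkt, out_iface):
        fields = dict(pkt, out=out_iface)
        for match, verdict in self.forward_rules:
            if all(fields.get(k) == v for k, v in match.items()):
                return verdict
        return self.forward_policy

    def handle(self, pkt):
        pkt = dict(pkt)
        # nat/PREROUTING runs before the routing decision: rewriting the header here
        # is the only way iptables can change where the kernel will send the packet.
        key = (pkt["dst"], pkt["dport"])
        if key in self.dnat:
            pkt["dst"], pkt["dport"] = self.dnat[key]
        # Routing decision: a plain FIB lookup, nothing to do with iptables.
        if pkt["dst"] in LOCAL_ADDRS:
            return ("local", pkt["dst"])              # would continue into filter/INPUT
        route = lookup_route(self.routes, pkt["dst"])
        if route is None:
            return ("dropped", "no route to host")    # FORWARD chain never runs
        out_iface, gateway = route
        if not self.ip_forward:
            return ("dropped", "ip_forward=0")         # kernel drops before filter/FORWARD
        if self.forward_chain(pkt, out_iface) != "ACCEPT":
            return ("dropped", "filter/FORWARD")
        # nat/POSTROUTING: source rewrite after the routing decision, on the chosen interface.
        if out_iface in self.masquerade_ifaces:
            pkt["src"] = self.iface_addr[out_iface]
        return ("forwarded", out_iface, gateway, pkt["src"], pkt["dst"], pkt["dport"])


def build_router(ip_forward=True, routes=ROUTES):
    box = Box(routes, ip_forward)
    # iptables -t nat -A PREROUTING -d 203.0.113.5 -p tcp --dport 80 -j DNAT --to 192.168.1.10:8080
    box.dnat[("203.0.113.5", 80)] = ("192.168.1.10", 8080)
    # iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
    box.forward_rules.append(({"in": "eth0", "out": "eth1"}, "ACCEPT"))
    # iptables -A FORWARD -i eth1 -o eth0 -d 192.168.1.10 -p tcp --dport 8080 -j ACCEPT
    box.forward_rules.append(({"in": "eth1", "out": "eth0", "dst": "192.168.1.10", "dport": 8080}, "ACCEPT"))
    # iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    box.masquerade_ifaces.add("eth1")
    return box


def demo():
    """Constructed packets: each outcome shows one claim from the thread."""
    lan_to_internet = {"src": "192.168.1.20", "dst": "8.8.8.8", "dport": 443, "in": "eth0"}
    inbound_web = {"src": "198.51.100.7", "dst": "203.0.113.5", "dport": 80, "in": "eth1"}
    inbound_ssh = {"src": "198.51.100.7", "dst": "203.0.113.5", "dport": 22, "in": "eth1"}
    return {
        "lan_to_internet": build_router().handle(lan_to_internet),   # routed by FIB, masqueraded
        "dnat_web": build_router().handle(inbound_web),              # DNAT changed what gets routed
        "no_dnat_ssh": build_router().handle(inbound_ssh),           # local delivery, not forwarded
        "forwarding_off": build_router(ip_forward=False).handle(lan_to_internet),
        "empty_fib": build_router(routes=[]).handle(lan_to_internet),  # iptables cannot "take over"
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} -> {outcome}")
```

The `empty_fib` case answers the original question directly: with the routing table cleared, the FORWARD chain is never consulted because the kernel has already given up on the packet, and no iptables rule can supply the missing next hop.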