NAT with routing tables vs. iptables
Tue, 8 Jan 2002 17:45:05 -0500
I'm trying to understand the relationship between the NAT capabilities of
iproute2 and netfilter, i.e., what's the difference between:
ip route add nat EXT_IP via INT_IP
ip rule add from INT_IP nat EXT_IP
iptables -t nat -A POSTROUTING -o EXT_IF -j SNAT --to EXT_IP
iptables -t nat -A PREROUTING -i INT_IF -j DNAT --to INT_IP
How do these interact (other than badly)?
Is this simply a matter of Alexey Kuznetsov vs. Rusty Russell?
I'm in the process of converting a NAT/firewall box from using a 2.2
kernel, and a combination of ipchains and the above type of construction with
iproute, and I'm seeing some things I don't understand.
Behind the firewall is a box running ProFTPD, and for some reason there is
an enormous performance hit using iptables rather than iproute. This doesn't
seem to happen with a win2k box running IIS. What could be going on here?
Thanks a million to anyone with any thoughts about this.
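A toy model of the two mechanisms the post asks about, added here as an illustration (it is not code from the thread, from iproute2 or from netfilter). The iproute2 `ip route add nat` / `ip rule ... nat` pair is stateless 1:1 address translation: any packet whose address matches is rewritten, in either direction, with no connection tracking and no port rewriting. Netfilter SNAT/DNAT is stateful: the first packet of a flow creates a conntrack entry, replies are reversed from it, and an unsolicited inbound packet to the external address matches nothing. The addresses, port numbers and the port allocation scheme below are constructed sample values, not anything either kernel does verbatim.

```python
"""Stateless (iproute2-style) vs stateful (netfilter-style) NAT, modelled on
packets as plain tuples so the behavioural difference can be checked offline.
All addresses and ports are constructed sample values."""
import dataclasses
from dataclasses import dataclass

EXT_IP = "203.0.113.10"      # constructed: firewall's public address
INT_IP = "192.0.2.20"        # constructed: server behind the firewall
OUTSIDE = "198.51.100.5"     # constructed: some host on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatelessNat:
    """1:1 address pair with no state: the iproute2 route/rule construction.

    egress  ~ `ip rule add from INT_IP nat EXT_IP`   (rewrite source)
    ingress ~ `ip route add nat EXT_IP via INT_IP`   (rewrite destination)
    Ports are never touched and no record of the flow is kept.
    """

    def __init__(self, ext_ip: str, int_ip: str) -> None:
        self.ext_ip, self.int_ip = ext_ip, int_ip

    def egress(self, pkt: Packet) -> Packet:
        if pkt.src == self.int_ip:
            return dataclasses.replace(pkt, src=self.ext_ip)
        return pkt

    def ingress(self, pkt: Packet) -> Packet:
        # Every packet addressed to EXT_IP is forwarded to INT_IP, whether or
        # not an internal host ever talked to the sender.
        if pkt.dst == self.ext_ip:
            return dataclasses.replace(pkt, dst=self.int_ip)
        return pkt


class StatefulSnat:
    """SNAT with a conntrack-like table: `iptables -t nat -A POSTROUTING
    -o EXT_IF -j SNAT --to EXT_IP`. The first outbound packet of a flow is
    recorded (here with a constructed sequential external port); replies are
    reversed from that record; anything else returns None (no mapping)."""

    def __init__(self, ext_ip: str) -> None:
        self.ext_ip = ext_ip
        self.flows: dict[tuple, int] = {}   # (src, sport, dst, dport) -> ext port
        self.next_port = 1024               # constructed allocation scheme

    def egress(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.next_port += 1
        return dataclasses.replace(pkt, src=self.ext_ip, sport=self.flows[key])

    def ingress(self, pkt: Packet):
        # Only a reply to a tracked flow is translated back.
        for (src, sport, dst, dport), ext_port in self.flows.items():
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) == (self.ext_ip, ext_port, dst, dport):
                return dataclasses.replace(pkt, dst=src, dport=sport)
        return None


def unsolicited_inbound_reaches_internal_host(nat) -> bool:
    """True if a packet nobody inside asked for is delivered to INT_IP."""
    out = nat.ingress(Packet(OUTSIDE, 40000, EXT_IP, 21))
    return out is not None and out.dst == INT_IP


def outbound_and_reply(nat):
    """Send one packet out through `nat` and feed the natural reply back in.
    Returns (translated outbound packet, translated reply or None)."""
    outbound = nat.egress(Packet(INT_IP, 50000, OUTSIDE, 80))
    reply = Packet(OUTSIDE, 80, outbound.src, outbound.sport)
    return outbound, nat.ingress(reply)


if __name__ == "__main__":
    for nat in (StatelessNat(EXT_IP, INT_IP), StatefulSnat(EXT_IP)):
        print(type(nat).__name__, "unsolicited inbound reaches INT_IP:",
              unsolicited_inbound_reaches_internal_host(nat))
        print("  outbound/reply:", outbound_and_reply(nat))
```

The point for a firewall box: the route-based construction exposes INT_IP for every port on EXT_IP, since the rewrite is unconditional, whereas SNAT on its own only lets replies to tracked flows back in and a separate DNAT rule has to be written for each service that should be reachable from outside. The two mechanisms also keep no knowledge of each other, so a packet rewritten by one and then matched by the other is translated twice.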