From man iptables:
raw: This table is used mainly for configuring exemptions from connection
tracking in combination with the NOTRACK target. It registers at the
netfilter hooks with higher priority and is thus called before
ip_conntrack, or any other IP tables.
It provides the following built-in chains:
- PREROUTING (for packets arriving via any network interface)
- OUTPUT (for packets generated by local processes)
Analysis:
So, the RAW table is before conntrack and it was designed with the objective to be used to set the NOTRACK mark on packets that you do not wish to track in netfilter.
The -j targets are not restricted only to NOTRACK, so yes, you can filter packets in the raw table with the benefits of less CPU/memory consumption.
Most often, servers don't need to keep track of all connections. You only need tracking if you need to filter packets in iptables based on previously established connections. Servers that only serve a simple purpose, like having only port 80 (and maybe 21) open, don't require that. In those instances, you can disable connection tracking.
However, if you're trying to run a NAT router, things get slightly complicated. In order to NAT something, you need to keep track of those connections so you can deliver packets from the outside network to the internal network.
If a whole connection is set with NOTRACK, then you will not be able to track related connections either; conntrack and NAT helpers will simply not work for untracked connections, nor will related ICMP errors. You will have to open up for these manually, in other words. When it comes to complex protocols such as FTP and SCTP and others, this can be very hard to manage.
Use cases:
One example would be if you have a heavily trafficked router that you want to firewall the incoming and outgoing traffic on, but not the routed traffic. Then, you could set the NOTRACK mark to ignore the forwarded traffic to save processing power.
Another example when NOTRACK can be used is if you have a highly trafficked web server: you could then set up a rule that turns off tracking for port 80 on all the locally owned IP addresses, or the ones that are actually serving web traffic. You could then enjoy stateful tracking on all other services, except for web traffic, which might save some processing power on an already overloaded system.
Example --> running-a-semi-stateless-linux-router-for-private-network
Conclusion:
There isn't a strong reason not to use the raw table, but there are some reasons to take care when using the NOTRACK target in the raw table.
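The web-server use case from the answer above, as an added example that is not part of the original answer: a POSIX shell function that emits an iptables-restore ruleset leaving port-80 traffic untracked in the raw table while everything else keeps stateful filtering. The address 192.0.2.10, port 80 and the SSH management rule are assumptions for illustration; the ruleset is only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the original answers.
# Emits an iptables-restore ruleset for the "untracked web server" use case:
# port-80 traffic skips conntrack via the raw table, every other service
# keeps stateful filtering. WEB_ADDR, WEB_PORT and the SSH rule are
# illustrative assumptions.
set -eu

# notrack_ruleset WEB_ADDR WEB_PORT -> ruleset on stdout
notrack_ruleset() {
    web_addr=$1
    web_port=$2
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# raw runs before conntrack: requests to the web service are never tracked
-A PREROUTING -d $web_addr -p tcp --dport $web_port -j NOTRACK
# replies the local web server generates are untracked as well
-A OUTPUT -s $web_addr -p tcp --sport $web_port -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# stateful path for everything that conntrack still sees
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# untracked packets are never ESTABLISHED: they must be accepted by their
# UNTRACKED state or the INPUT policy silently drops the web service
-A INPUT -p tcp --dport $web_port -m conntrack --ctstate UNTRACKED -j ACCEPT
# assumed management service (SSH), still fully tracked
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# notrack_rule_count WEB_ADDR WEB_PORT -> number of NOTRACK rules emitted
notrack_rule_count() {
    notrack_ruleset "$1" "$2" | grep -c -- '-j NOTRACK' || true
}

# Print by default; commit only when explicitly asked for (needs root).
if [ "${APPLY:-0}" = 1 ]; then
    notrack_ruleset "${1:-192.0.2.10}" "${2:-80}" | iptables-restore
else
    notrack_ruleset "${1:-192.0.2.10}" "${2:-80}"
fi
```

Run it as a script to print the ruleset and check the result with iptables-restore --test before committing it. The UNTRACKED rule in INPUT is the part most often forgotten: packets that hit NOTRACK never become ESTABLISHED, so a filter policy that relies only on the usual ESTABLISHED,RELATED rule drops exactly the service that was meant to be made cheaper.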
The route command's output gives you routing tables. In the simplest terms, routing tables tell the system how to handle IP packets which are going to a foreign IP address. Routing tables are especially useful if the server has more than one network interface and is connected to more than one network.
The iptables command, on the other hand, does a totally different thing (sort of). It decides which incoming (and sometimes outgoing) packets will do so, depending on a set of rules (usually contained in /etc/sysconfig/iptables in current and well-known Linux distributions). I said sometimes outgoing because this is a capability of iptables, but it is not used as often as blocking incoming packets. iptables, for the lack of a better term, is a server-based firewall implementation. For instance, let's say you have a server that contains financial information and 3 subnets; let's say, for simplicity, one for finance people, one for HR people and the last one for the techies. HR and techies have no business logging into the finance server. You can configure iptables in such a way that any connection request coming from the HR or techie subnets gets dropped/disconnected, while the requests coming from the finance subnet get connected. This is just one scenario. iptables is capable of filtering traffic in many, many more ways than this, but all iptables functionality is not subject matter suited for this site. If you are interested, there are a myriad of documents available on the interwebs.
Best Answer
mangle is for mangling (modifying) packets, while filter is intended to just filter packets. A consequence of this is that in LOCAL_OUT, after traversing the tables and getting the filtering decision, mangle may try to redo the routing decision, assuming the filtering decision is not to drop or otherwise take control of the packet, by calling ip_route_me_harder, while filter just returns the filtering decision. Details at net/ipv4/netfilter/iptable_mangle.c and net/ipv4/netfilter/iptable_filter.c.