Both UFW, iptables, and nftables are command-line, (or APIs), to the same netfilter services.
Netfilter, the part of the Kernal that handles network
Netfilter, which is part of the kernel, can be accessed via hooks which point to new binaries that can inspect the packet. An explaination is available on infosecwriteups. It is beyond the scope of this article to go into precedence and compatiblity of "YourTables" application.
Since it can not be accessed from bash or the terminal UFW, iptables, and nftables exist.
UFW and iptables, or UFW and nftables
There is no performance hit for using both of them; Most Linux distributions already have iptables installed as part of the distribution. And advise that UFW can be installed alongside iptables. Ubuntu Forums UFW talks to iptables or nftables.
nftables vs iptables or nftables and iptables
Fedora and others ship with nftables which has more options. RHEL has two varients for both iptables and/or nftables. The precedence when using both iptables and nftables is if iptables has a rule that matches the request its rule will be implemented first. The precedence when two rules match in iptables the first rule will be implemented.
For ufw there isn't a situation where rules may disagree -- as ufw stands for uncomplicated firewall, and a new ufw command replaces the old one. As ufw is uncomplicate it begs the question of how complicated is iptables or how complicated can it get.
To block the IP address of 10.10.10.10 the commands can be used.
iptables -A INPUT -j DROP -s 10.10.10.10
ufw deny from 10.10.10.10 to any
How advanced is iptables?
A NAT would be something fairly complicated. The system would need to receive a network packet, add to that packet and send it out to the internet then when a packet is received for that connection forward it to the system behind the NAT firewall, which requested it. Yes, iptable can operate as a NAT router.
1> Configure the firewall to do NAT:
# If the public address (192.0.2.42) is static, use this command
iptables -t nat -A POSTROUTING -s 10.13.37.0/24 -o eth0 -j SNAT --to-source 192.0.2.42
Or> if the (WAN) internet IP is not a fixed IP address for the local (LAN)
# Otherwise if the public address is dynamic, use this command
iptables -t nat -A POSTROUTING -s 10.13.37.0/24 -o eth0 -j MASQUERADE
2> Configure the firewall to allow packet forwarding:
iptables -A FORWARD -s 10.13.37.0/24 -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -d 10.13.37.0/24 -i eth0 -o eth1 -j ACCEPT
3> Enable packet forwarding via sysctl (sysctl -w writes to /proc/sys/...):
sysctl -w net.ipv4.conf.eth0.forwarding=1
sysctl -w net.ipv4.conf.eth1.forwarding=1
# Previous entries may not exists in old kernels. In such case, use:
# sysctl -w net.ipv4.ip_forward=1
# ... which acts like: sysctl -w net.ipv4.conf.all.forwarding=1
See the article for a Persistent configuration using iptables.rules
For programs that need to set the firewall rules, IE fail2ban, using iptables, its default setting, is likely the best choice in these cases.