How to add comments to iptables rules on Linux


I am a new Linux sysadmin. How can I add comments to iptables rules on Linux using the iptables command?: The iptables and ip6tables commands are used to set up, maintain, and inspect firewall rules on Linux. You can define various tables. Each table contains a number of built-in chains and may also contain user-defined chains. You can attach a comment to any rule, and comments are instrumental in understanding why a rule exists when you come back to the firewall months later. This page shows how to add comments to iptables rules.

The syntax is as follows:

iptables -m comment --comment "comment here"

iptables -A INPUT -i eth1 -m comment --comment "my LAN - " -j DROP

You are allowed to add comments up to 256 characters to any rule. Let us see some examples.

Where are my comments displayed?

Comments appear in the rule listing whenever you list rules, for example with any of the following commands:

iptables -L

iptables -t filter -L FORWARD

iptables -t nat -L

iptables -t nat -L -n -v | more

iptables -t nat -L PREROUTING

iptables -t nat -L PREROUTING -n -v --line-numbers



Adding comments to iptables rules

Let us block an IP address used by a spammer and add a comment to the rule at the same time:

# iptables -A INPUT -s 202.54.1.1 -j DROP -m comment --comment "DROP spam IP address - "

Also block ports 80 and 443 (HTTP/HTTPS), each with its own comment:

# iptables -A INPUT -p tcp --dport 80 -m comment --comment "block HTTPD access - " -j DROP

# iptables -A INPUT -p tcp --dport 443 -m comment --comment "block HTTPDS access - " -j DROP

Verify it:

# iptables -t filter -L INPUT -n



Create comments with iptables firewall for NAT rules

Here I am directly editing the iptables config file /etc/sysconfig/iptables on CentOS and adding a NAT rule with a comment:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.2.201 -p tcp --dport 1:65535 -j DNAT --to-destination 192.168.122.229:1-65535 -m comment --comment "KVM host to rhel7-nixcraft VM port forwarding"
COMMIT

Reload the firewall for the change to take effect, then verify it:

$ sudo iptables -t nat -L -n -v

Adding comments to ufw firewall rules

UFW is an acronym for uncomplicated firewall. It is a front end for managing a Linux firewall and aims to provide an easy-to-use interface for the user. It works on Ubuntu, Debian, Fedora, CentOS, Arch Linux and many other Linux distros. The syntax to add a comment to a ufw rule is:

$ sudo ufw rule comment 'my comment here'

Open port 53 and attach a comment to the rule:

$ sudo ufw allow 53 comment 'open tcp and udp port 53 for dns'

Another example:

$ sudo ufw allow proto tcp from any to any port 80,443 comment 'Open web app ports'

How to add comments to existing iptables rule

You need to use the replace syntax, which swaps the rule at position rulenum in a chain for a new rule specification:

iptables -R chain rulenum rule-specification

Let us list the existing rules with their line numbers using the following iptables command:

# iptables -t filter -L INPUT -n --line-numbers

Sample outputs:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
8    DROP       all  --  202.54.1.1           0.0.0.0/0            /* DROP spam IP address */
9    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* block HTTPD access */
10   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* block HTTPDS access */
11   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25

The last rule (#11) drops traffic to port 25 and has no comment. Because -R replaces the whole rule, you must repeat the complete rule specification (protocol, port, target) and add the comment match to it; leaving any part out changes what the rule does, not just its comment. To add the comment, run:

# iptables -R INPUT 11 -p tcp --dport 25 -j DROP -m comment --comment "Block port 25"

# iptables -t filter -L INPUT -n --line-numbers

Sample outputs:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
8    DROP       all  --  202.54.1.1           0.0.0.0/0            /* DROP spam IP address */
9    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* block HTTPD access */
10   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* block HTTPDS access */
11   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* Block port 25 */
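Retyping a rule by hand for -R is where mistakes creep in, so as an added example (not part of the original article) here is a small shell helper that reads the rules of a chain in `iptables -S` format, reports the ones that carry no comment, and builds the matching `iptables -R` command from the rule's own specification so only the comment changes. The rule list below is constructed from the article's rules (in real use feed it `iptables -S INPUT`); `uncommented_rules` and `replace_with_comment` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original article. Works on the output of
# `iptables -S CHAIN`: one "-A CHAIN ..." line per rule in chain order, which
# is exactly the order `iptables -L --line-numbers` numbers them in.

# Constructed sample input (a subset of the article's listing, as iptables -S
# prints it: -s gets a /32, --dport gets its implicit "-m tcp"/"-m udp").
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 202.54.1.1/32 -m comment --comment "DROP spam IP address" -j DROP
-A INPUT -p tcp -m tcp --dport 80 -m comment --comment "block HTTPD access" -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j DROP'

# uncommented_rules CHAIN RULES
# Prints "<rulenum> <rule-spec>" for each rule in CHAIN that has no comment
# match. Policy lines (-P) are not rules and do not consume a number.
uncommented_rules() {
    chain="$1"
    printf '%s\n' "$2" | awk -v chain="$chain" '
        $1 == "-A" && $2 == chain {
            n++
            if ($0 !~ / -m comment /) {
                spec = $0
                sub("^-A " chain " ", "", spec)   # keep only the rule spec
                printf "%d %s\n", n, spec
            }
        }'
}

# replace_with_comment CHAIN NUM SPEC COMMENT
# Builds the -R command that re-installs rule NUM with its original SPEC plus
# a comment. The comment is cut at 256 characters, the maximum the comment
# match accepts, so the generated command cannot be rejected for length.
replace_with_comment() {
    chain="$1"; num="$2"; spec="$3"; comment="$4"
    comment=$(printf '%s' "$comment" | cut -c1-256)
    printf 'iptables -R %s %s %s -m comment --comment "%s"\n' \
        "$chain" "$num" "$spec" "$comment"
}

# Walk every uncommented INPUT rule and print the command an admin would run.
uncommented_rules INPUT "$SAMPLE_RULES" | while read -r num spec; do
    replace_with_comment INPUT "$num" "$spec" "TODO: document rule $num"
done
```

Review the printed commands before running them as root; they only print, so nothing in the firewall changes until you execute one.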

Conclusion

You just added comments to iptables rules. Commented rules are far easier to maintain in the long run, because the reason for each rule travels with the rule itself. For more information, see the man pages:

$ man iptables

$ man iptables-extensions