How to add comments to iptables rules in Linux?

The iptables and ip6tables commands are used to set up, maintain, and inspect firewall rules on Linux. You can define various tables, and each table contains a number of built-in chains. We can also attach a comment to any iptables rule so that its purpose is documented right in the ruleset.

How to add comments to iptables rules on Linux

The syntax is as follows:

iptables -m comment --comment "comment here"
iptables -A INPUT -i eth1 -m comment --comment "my LAN - " -j DROP


You are allowed to add up to 256 characters to comments on any rule. 

Where are my comments displayed?

The comment is shown next to its rule whenever you list the rules, for example with any of the following commands:

iptables -L
iptables -t filter -L FORWARD
iptables -t nat -L
iptables -t nat -L -n -v | more
iptables -t nat -L PREROUTING
iptables -t nat -L PREROUTING -n -v --line-number



Adding comments to iptables rules

Let us drop (block) a spammer's IP address using iptables and add a comment at the same time:

# iptables -A INPUT -s 202.54.1.1 -j DROP -m comment --comment "DROP spam IP address - "


Also, block port 80 and 443 (HTTP/HTTPS) along with the comment:

# iptables -A INPUT -p tcp --dport 80 -m comment --comment "block HTTPD access - " -j DROP
# iptables -A INPUT -p tcp --dport 443 -m comment --comment "block HTTPDS access - " -j DROP

Verify it:

# iptables -t filter -L INPUT -n

Create comments with iptables firewall for NAT rules

Here we edit the iptables config file /etc/sysconfig/iptables directly on CentOS and add a NAT rule with a comment:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 152.160.25.21 -p tcp --dport 1:65535 -j DNAT --to-destination 142.128.102.219:1-65535 -m comment --comment "KVM has to rhel7-rootadminz VM port forwarding"
COMMIT

You must reload the firewall for the change to take effect. Verify it:

$ sudo iptables -t nat -L -n -v

Adding comments to ufw firewall rules

UFW is an acronym for Uncomplicated Firewall. It is used for managing a Linux firewall and aims to provide an easy-to-use interface for the user. It works on Ubuntu, Debian, Fedora, CentOS, Arch Linux and many other Linux distros. To add a comment to a ufw rule, append the comment keyword to the rule:

$ sudo ufw rule comment 'my comment here'


Open port 53 and write a comment about rule too:

$ sudo ufw allow 53 comment 'open tcp and udp port 53 for dns'


How to add comments to existing iptables rule

You need to use the replace syntax:

iptables -R chain rulenum rule-specification


Let us list the existing rules with line numbers using the following iptables command:

# iptables -t filter -L INPUT -n --line-number


Sample outputs:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
8    DROP       all  --  202.54.1.1           0.0.0.0/0            /* DROP spam IP address */
9    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* block HTTPD access */
10   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* block HTTPDS access */
11   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25

The last rule (#11) says DROP traffic to port 25. To add a comment to this rule, run:

# iptables -R INPUT 11 -p tcp --dport 25 -j DROP -m comment --comment "Block port 25"
# iptables -t filter -L INPUT -n --line-number


Sample outputs:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
8    DROP       all  --  202.54.1.1           0.0.0.0/0            /* DROP spam IP address */
9    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* block HTTPD access */
10   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* block HTTPDS access */
11   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* Block port 25 */
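The replace procedure above is easy to apply to one rule by hand, but on a host with many rules it helps to find the undocumented ones first. The script below is an added example, not code from the original article: it reads an iptables-save style dump (a constructed sample that mirrors the INPUT chain shown above; in practice you would pipe in the real output of iptables-save), lists the rules in a chain that carry no -m comment match, and builds the iptables -R command that would attach one, refusing comments longer than the 256-character limit mentioned earlier. It only prints commands and never touches a live firewall, so you can review the suggestions before running them as root.

```shell
#!/bin/sh
# Audit an iptables-save style dump for rules without "-m comment" and build
# the "iptables -R" command that would add one. Added example, not from the
# original article; it prints commands and does not modify any firewall.

# Constructed sample dump (what "iptables-save -t filter" might print on a
# host like the one in the article). Replace with: SAMPLE_DUMP=$(iptables-save)
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 202.54.1.1/32 -m comment --comment "DROP spam IP address" -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j DROP
COMMIT'

# Print "<chain> <rulenum> <rule-spec>" for each rule in CHAIN that has no
# comment match. Rule numbers count every rule in the chain, commented or
# not, so they match what "iptables -L CHAIN --line-numbers" shows.
uncommented_rules() {
    chain="$1"
    printf '%s\n' "$SAMPLE_DUMP" | awk -v chain="$chain" '
        $1 == "-A" && $2 == chain {
            n++
            if ($0 !~ /-m comment/) {
                spec = $0
                sub(/^-A [^ ]+ /, "", spec)   # drop the "-A CHAIN " prefix
                print chain, n, spec
            }
        }'
}

# Build "iptables -R CHAIN NUM <matches> -m comment --comment "..." -j TARGET".
# Returns 1 and prints nothing when the comment exceeds 256 characters,
# the maximum the comment match accepts.
replace_with_comment() {
    chain="$1"; num="$2"; spec="$3"; comment="$4"
    if [ "${#comment}" -gt 256 ]; then
        return 1
    fi
    # Everything after " -j " is the target plus its options (e.g. DNAT
    # --to-destination ...); everything before it is the match part.
    target=$(printf '%s\n' "$spec" | sed -n 's/.* -j \(.*\)$/\1/p')
    match=$(printf '%s\n' "$spec" | sed 's/ -j .*$//')
    printf 'iptables -R %s %s %s -m comment --comment "%s" -j %s\n' \
        "$chain" "$num" "$match" "$comment" "$target"
}

# Emit one replacement command per undocumented rule in CHAIN, all using the
# same placeholder comment so an operator can fill in the real purpose.
audit_and_suggest() {
    chain="$1"; comment="$2"
    uncommented_rules "$chain" | while read -r c n spec; do
        replace_with_comment "$c" "$n" "$spec" "$comment"
    done
}

audit_and_suggest INPUT "TODO: document this rule"
```

For the sample dump this prints two commands, for rules 2 and 4, because rule numbering counts the commented rules in between exactly as iptables -L --line-numbers does. Run the audit again after applying the suggestions: an empty result means every rule in the chain now explains itself in the listing.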