How to add comments to iptables rules on Linux

I am a new Linux sysadmin. How can I add comments to iptables rules on Linux using the iptables command?

Introduction: The iptables and ip6tables commands are used to set up, maintain, and firewall rules on the Linux. You can define various tables. Each table contains a number of built-in chains moreover, may also contain user-defined chains. You can add comments to iptables. They can be instrumental in understanding firewall rules. This page shows how to add comments to iptables rules.
Tutorial details
Difficulty Easy (rss)
Root privileges Yes
Requirements Linux
Time 2m

How to add comments to iptables rules on Linux

WARNING: All iptables/ip6tables commands must run as root/sysadmin user. Otherwise you will see an error, Fatal: can't open lock file /run/xtables.lock: Permission denied.

The syntax is as follows:
iptables -m comment --comment "comment here"
iptables -A INPUT -i eth1 -m comment --comment "my LAN - " -j DROP
## IPv6 version ##
ip6tables -m comment --comment "comment here"
ip6tables -A INPUT -i eth1 -m comment --comment "my LAN - " -j DROP

You are allowed to add comments up to 256 characters to any rule. Let us see some examples.

Where are my comments displayed?

The iptables comment appears when you try to list iptables rules using the following syntax:
iptables -L
iptables -t filter -L FORWARD
iptables -t nat -L
iptables -t nat -L -n -v | more
iptables -t nat -L PREROUTING
iptables -t nat -L PREROUTING -n -v --line-number
# dump all rules on screen #
iptables -S


For IPv6 version, try:
ip6tables -L
ip6tables -t filter -L FORWARD
ip6tables -t nat -L
ip6tables -t nat -L -n -v | more
ip6tables -t nat -L PREROUTING
ip6tables -t nat -L PREROUTING -n -v --line-number
ip6tables -S

See how to list all iptables rules with line numbers on Linux for more info.

Adding comments to iptables rules

Let us drop or block an IP address of spammer using iptables and add comment too:
# iptables -A INPUT -s 202.54.1.1 -j DROP -m comment --comment "DROP spam IP address - "
Also block port 80 and 443 (HTTP/HTTPS) along with comment:
# iptables -A INPUT -p tcp --dport 80 -m comment --comment "block HTTPD access - " -j DROP
# iptables -A INPUT -p tcp --dport 443 -m comment --comment "block HTTPDS access - " -j DROP

Verify it:
# iptables -t filter -L INPUT -n

Click to enlarge

Create comments with iptables firewall for NAT rules

Here I am directly editing iptables config file /etc/sysconfig/iptables on a CentOS and adding rules:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.2.201 -p tcp --dport 1:65535 -j DNAT --to-destination 192.168.122.229:1-65535 -m comment --comment "KVM hos to rhel7-nixcraft VM port forwarding"
COMMIT

You must reload the firewall. Verify it:
$ sudo iptables -t nat -L -n -v

Adding comments to ufw firewall rules

UFW is an acronym for uncomplicated firewall. It is used for managing a Linux firewall and aims to provide an easy to use interface for the user. It works on Ubuntu, Debian, Fedora, CentOS, Arch Linux and many other Linux distros. To add a comment for the ufw rule:
$ sudo ufw rule comment 'my comment here'
Open port 53 and write a comment about rule too:
$ sudo ufw allow 53 comment 'open tcp and udp port 53 for dns'
Another example:
$ sudo ufw allow proto tcp from any to any port 80,443 comment 'Open web app ports'
Run the following command to view them:
$ sudo ufw status

How to add comments to existing iptables rule

You need to use the replace syntax:
iptables -R chain rulenum rule-specification
Let us list existing rule with the following iptables command:
# iptables -t filter -L INPUT -n --line-number
Sample outputs:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
8    DROP       all  --  202.54.1.1           0.0.0.0/0            /* DROP spam IP address */
9    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* block HTTPD access */
10   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* block HTTPDS access */
11   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25

The last rule (#11) says DROP traffic to port 25. To add comment to this rule, run:
# iptables -R INPUT 11 -p tcp --dport 25 -j DROP -m comment --comment "Block port 25"
# iptables -t filter -L INPUT -n --line-number

Sample outputs:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
8    DROP       all  --  202.54.1.1           0.0.0.0/0            /* DROP spam IP address */
9    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* block HTTPD access */
10   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* block HTTPDS access */
11   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* Block port 25 */

Conclusion

You just added comments to iptables rules. It is beneficial for maintaining rules in the long run for sure. For more info see this page here or man pages:
$ man iptables
$ man iptables-extensions


🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 4 comments so far... add one

CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
4 comments… add one
  • Archu Dec 24, 2020 @ 8:22

    Hi,

    Very useful. I am using this with firewall-cmd/FirewallD on RHEL 8. Do you think it will create issue?

    firewall-cmd --direct --add-rule {table} {chain} {priority} {more_args} -c "comment here"
    • 🐧 Vivek Gite Dec 24, 2020 @ 8:28

      > Do you think it will create issue?
      No. If you are uncertain about firewall-cmd syntax and if in doubt, consult your man page.

      man firewall-cmd
  • Kevin Deeb Feb 18, 2021 @ 8:39

    I can be extremely handy if you have some obscure rules for odd situations. I can proposal to add comment for all Docker added iptables rules so that they can be easily identified. Just for the ones that don’t know.

    • 🐧 Vivek Gite Feb 18, 2021 @ 8:54

      The following will show docker rules:

      iptables -L -n -v | grep -i docker

      But, yes they should add comment by default.

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Problem posting comment? Email me @ webmaster@cyberciti.biz