How to add comments to iptables rules on Linux

last updated in Categories , , , , ,

I am a new Linux sysadmin. How can I add comments to iptables rules on Linux using the iptables command?

Introduction: The iptables and ip6tables commands are used to set up, maintain, and firewall rules on the Linux. You can define various tables. Each table contains a number of built-in chains moreover, may also contain user-defined chains. You can add comments to iptables. They can be instrumental in understanding firewall rules. This page shows how to add comments to iptables rules.

How to add comments to iptables rules on Linux

The syntax is as follows:
iptables -m comment --comment "comment here"
iptables -A INPUT -i eth1 -m comment --comment "my LAN - " -j DROP

You are allowed to add comments up to 256 characters to any rule. Let us see some examples.

Where are my comments displayed?

The iptables comment appears when you try to list iptables rules using the following syntax:
iptables -L
iptables -t filter -L FORWARD
iptables -t nat -L
iptables -t nat -L -n -v | more
iptables -t nat -L PREROUTING
iptables -t nat -L PREROUTING -n -v --line-number

List iptables comments

Adding comments to iptables rules

Let us drop or block an IP address of spammer using iptables and add comment too:
# iptables -A INPUT -s 202.54.1.1 -j DROP -m comment --comment "DROP spam IP address - "
Also block port 80 and 443 (HTTP/HTTPS) along with comment:
# iptables -A INPUT -p tcp --dport 80 -m comment --comment "block HTTPD access - " -j DROP
# iptables -A INPUT -p tcp --dport 443 -m comment --comment "block HTTPDS access - " -j DROP

Verify it:
# iptables -t filter -L INPUT -n

Add comments to iptables rules on Linux
Click to enlarge

Create comments with iptables firewall for NAT rules

Here I am directly editing iptables config file /etc/sysconfig/iptables on a CentOS and adding rules:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.2.201 -p tcp --dport 1:65535 -j DNAT --to-destination 192.168.122.229:1-65535 -m comment --comment "KVM hos to rhel7-nixcraft VM port forwarding"
COMMIT

You must reload the firewall. Verify it:
$ sudo iptables -t nat -L -n -v

Adding comments to ufw firewall rules

UFW is an acronym for uncomplicated firewall. It is used for managing a Linux firewall and aims to provide an easy to use interface for the user. It works on Ubuntu, Debian, Fedora, CentOS, Arch Linux and many other Linux distros. To add a comment for the ufw rule:
$ sudo ufw rule comment 'my comment here'
Open port 53 and write a comment about rule too:
$ sudo ufw allow 53 comment 'open tcp and udp port 53 for dns'
Another example:
$ sudo ufw allow proto tcp from any to any port 80,443 comment 'Open web app ports'

How to add comments to existing iptables rule

You need to use the replace syntax:
iptables -R chain rulenum rule-specification
Let us list existing rule with the following iptables command:
# iptables -t filter -L INPUT -n --line-number
Sample outputs:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
8    DROP       all  --  202.54.1.1           0.0.0.0/0            /* DROP spam IP address */
9    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* block HTTPD access */
10   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* block HTTPDS access */
11   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25

The last rule (#11) says DROP traffic to port 25. To add comment to this rule, run:
# iptables -R INPUT 11 -p tcp --dport 25 -j DROP -m comment --comment "Block port 25"
# iptables -t filter -L INPUT -n --line-number

Sample outputs:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
8    DROP       all  --  202.54.1.1           0.0.0.0/0            /* DROP spam IP address */
9    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* block HTTPD access */
10   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* block HTTPDS access */
11   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* Block port 25 */

Conclusion

You just added comments to iptables rules. It is beneficial for maintaining rules in the long run for sure. For more info see this page here or man pages:
$ man iptables
$ man iptables-extensions

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Join the discussion at www.nixcraft.com