How to add comments to iptables rules on Linux

I am a new Linux sysadmin. How can I add comments to iptables rules on Linux using the iptables command?

Introduction: The iptables and ip6tables commands are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. Several tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. You can attach a comment to any rule with the comment match, using the -m comment --comment "COMMENT TEXT" syntax. Comments are instrumental in understanding firewall rules months later, and they survive iptables-save/iptables-restore. This page shows how to add comments to iptables rules with useful examples.
Tutorial details
Difficulty level: Easy
Root privileges: Yes
Requirements: Linux terminal
Category: Firewall
OS compatibility: AlmaLinux, Arch, Debian, Fedora, Linux Mint, openSUSE, RHEL, Rocky, Stream, SUSE, Ubuntu
Est. reading time: 5 minutes

How to add comments to iptables rules on Linux

The comment module is a match, not a command of its own, so -m comment --comment "text" is appended to an ordinary rule (chain, match options and target). The syntax is as follows to add a comment to an iptables rule:
# iptables -A CHAIN [match options] -m comment --comment "My comments here" -j TARGET

WARNING: All iptables/ip6tables commands must run as root (directly or via sudo). Otherwise you will see an error such as: Fatal: can't open lock file /run/xtables.lock: Permission denied.

Adding a comment to an iptables rule

For example, add a comment to a DROP rule as follows:
# iptables -A INPUT -i eth1 -m comment --comment "my LAN" -j DROP
## IPv6 version: same syntax, different command ##
# ip6tables -A INPUT -i eth1 -m comment --comment "my LAN" -j DROP

The comment match accepts up to 256 characters per rule (see man iptables-extensions); keep comments shorter than that, and quote them so the shell passes the text as a single argument. Let us see some more examples.

Where are my comments displayed?

Comments appear whenever you list rules. iptables -L prints them as /* ... */ after the rule, while iptables -S (and iptables-save) prints the rule in command form with the original -m comment --comment "..." text. Add -n to skip the reverse DNS lookup of every address, which otherwise makes listing slow:
# iptables -L -n
# iptables -t filter -L FORWARD -n
# iptables -t nat -L -n
# iptables -t nat -L -n -v | more
# iptables -t nat -L PREROUTING -n
# iptables -t nat -L PREROUTING -n -v --line-numbers
# dump all rules on screen in command form #
# iptables -S

For the IPv6 version, try:
# ip6tables -L -n
# ip6tables -t filter -L FORWARD -n
# ip6tables -t nat -L -n
# ip6tables -t nat -L -n -v | more
# ip6tables -t nat -L PREROUTING -n
# ip6tables -t nat -L PREROUTING -n -v --line-numbers
# ip6tables -S

See how to list all iptables rules with line numbers on Linux for more info.

More examples of commented rules

Let us drop traffic from a spammer's IP address using iptables and add a comment too:
# iptables -A INPUT -s 202.54.1.1 -j DROP -m comment --comment "DROP spam IP address"
Also block ports 80 and 443 (HTTP/HTTPS), each with its own comment:
# iptables -A INPUT -p tcp --dport 80 -m comment --comment "block HTTPD access" -j DROP
# iptables -A INPUT -p tcp --dport 443 -m comment --comment "block HTTPDS access" -j DROP

Verify it:
# iptables -t filter -L INPUT -n


Create comments with iptables firewall for NAT rules

Here I am directly editing the iptables config file /etc/sysconfig/iptables on CentOS/RHEL (the iptables-services package loads it at boot) and adding a port-forwarding rule with a comment. The file is in iptables-save format, so each table starts with *table and ends with COMMIT:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.2.201 -p tcp --dport 1:65535 -j DNAT --to-destination 192.168.122.229:1-65535 -m comment --comment "KVM host to rhel7-nixcraft VM port forwarding"
COMMIT

Editing the file changes nothing in the kernel by itself; you must reload the firewall (for example, systemctl restart iptables with iptables-services, or iptables-restore < /etc/sysconfig/iptables). Verify it:
$ sudo iptables -t nat -L -n -v
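Because a typo in /etc/sysconfig/iptables is only discovered when the whole ruleset fails to load, it pays to check a restore-format file before reloading. The script below is an added example (not code from the article): it writes a commented ruleset in the same format as the file above, lints it offline so that every rule carries a comment and every table ends with COMMIT, and then, when run as root on a host with iptables, parses it with iptables-restore --test without committing anything. The addresses 192.168.2.201 and 192.168.122.229, the 192.168.122.0/24 VM subnet and the eth1 interface are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article: a commented ruleset in
# iptables-restore format (the format of /etc/sysconfig/iptables), an
# offline lint that every rule carries a comment and every table is
# committed, and a dry run with iptables-restore --test.
# The addresses 192.168.2.201 and 192.168.122.229, the 192.168.122.0/24 VM
# subnet and the eth1 interface are assumptions for illustration.

write_ruleset() { # write_ruleset FILE
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.2.201/32 -p tcp -m tcp --dport 1:65535 -m comment --comment "KVM host to rhel7-nixcraft VM port forwarding" -j DNAT --to-destination 192.168.122.229:1-65535
-A POSTROUTING -s 192.168.122.0/24 -o eth1 -m comment --comment "masquerade VM subnet" -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 202.54.1.1/32 -m comment --comment "DROP spam IP address" -j DROP
-A INPUT -p tcp -m tcp --dport 25 -m comment --comment "Block port 25" -j DROP
-A FORWARD -d 192.168.122.229/32 -p tcp -m tcp --dport 1:65535 -m comment --comment "forward DNATed traffic to VM" -j ACCEPT
COMMIT
EOF
}

# Lint: each -A/-I line must contain a comment match and each *table block
# must end with COMMIT. Offenders go to stderr; returns 1 if there are any.
validate_ruleset() { # validate_ruleset FILE
    rc=0; table=""
    while IFS= read -r line; do
        case "$line" in
            '*'*)   table="${line#\*}" ;;
            COMMIT) table="" ;;
            "-A "*|"-I "*)
                case "$line" in
                    *" -m comment --comment "*) ;;
                    *) printf 'no comment (table %s): %s\n' "$table" "$line" >&2; rc=1 ;;
                esac ;;
        esac
    done < "$1"
    if [ -n "$table" ]; then
        printf 'table %s is missing COMMIT\n' "$table" >&2; rc=1
    fi
    return "$rc"
}

# Number of commented rules in one table of the file.
count_comments() { # count_comments FILE TABLE
    awk -v t="*$2" '
        $0 == t                          { in_t = 1; next }
        /^COMMIT$/                       { in_t = 0 }
        in_t && / -m comment --comment / { n++ }
        END                              { print n + 0 }' "$1"
}

# Parse and build the ruleset without committing it to the kernel. Needs
# root and the iptables binaries, so it is skipped elsewhere.
dry_run() { # dry_run FILE
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1"
    else
        echo "skipping iptables-restore --test (needs root and iptables)" >&2
    fi
}

f=$(mktemp)
write_ruleset "$f"
if validate_ruleset "$f"; then
    echo "ruleset OK: $(count_comments "$f" nat) nat and $(count_comments "$f" filter) filter rules carry comments"
    dry_run "$f"
fi
rm -f "$f"
```

Run it as an unprivileged user to lint a file, or as root to also get the dry run; only after both pass should the file be copied into place and the service reloaded. The lint is deliberately strict about comments because an uncommented rule in a hand-edited file is exactly the one nobody dares to remove a year later.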

Adding comments to ufw firewall rules

UFW (Uncomplicated Firewall) is a front end for managing the Linux firewall that aims to provide an easy to use interface. It works on Ubuntu, Debian, Fedora, CentOS, Arch Linux and many other Linux distros. A comment is attached by appending the comment keyword to the rule itself; there is no stand-alone comment command. The pattern is:
$ sudo ufw <rule specification> comment 'my comment here'
Open port 53 (TCP and UDP) and write a comment about the rule too:
$ sudo ufw allow 53 comment 'open tcp and udp port 53 for dns'
Another example:
$ sudo ufw allow proto tcp from any to any port 80,443 comment 'Open web app ports'
Run the following command to view the rules; each comment is shown after a # at the end of its line:
$ sudo ufw status

How to add comments to existing iptables rule

There is no way to attach a comment to a rule in place. iptables -R replaces the rule at a given position with a new one, so you restate the complete match and target and append the comment:
# iptables -R chain rulenum rule-specification
Let us list the existing rules with their numbers:
# iptables -t filter -L INPUT -n --line-numbers
Sample outputs:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
8    DROP       all  --  202.54.1.1           0.0.0.0/0            /* DROP spam IP address */
9    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* block HTTPD access */
10   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* block HTTPDS access */
11   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25

The last rule (#11) drops traffic to port 25. To add a comment to it, replace rule 11 with the same rule plus the comment. Since -R discards whatever the old rule matched, copy the specification exactly (iptables -S INPUT 11 prints it in command form), and re-list before each -R because rule numbers shift whenever a rule is inserted or deleted:
# iptables -R INPUT 11 -p tcp --dport 25 -j DROP -m comment --comment "Block port 25"
# iptables -t filter -L INPUT -n --line-numbers

Sample outputs:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
8    DROP       all  --  202.54.1.1           0.0.0.0/0            /* DROP spam IP address */
9    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* block HTTPD access */
10   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* block HTTPDS access */
11   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* Block port 25 */
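Retyping a long rule for -R is where mistakes creep in (a dropped -s, a wrong --dport), and the replacement silently matches something else. The following added example, which is not code from the article, reads the output of iptables -S CHAIN, takes the rule at the requested number, and prints the exact iptables -R command with the comment appended, so the original match is reused verbatim. It refuses rules that already have a comment and comments longer than 255 characters, and it quotes the comment safely for the shell. The sample -S output embedded in the script is constructed to mirror the listing above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: turn one line of
# "iptables -S CHAIN" output into the exact "iptables -R" command that
# adds a comment to that rule, so the full match is reused rather than
# retyped. Nothing here touches the firewall; it only prints the command.

# Constructed sample of `iptables -S INPUT` output (on a real host, pipe
# the actual output in). Rule numbers count -A lines only, exactly like
# --line-numbers, so the DROP for port 25 is rule 3 here.
SAMPLE_S='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -s 202.54.1.1/32 -m comment --comment "DROP spam IP address" -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j DROP'

# rule_spec CHAIN N: print rule N of CHAIN from -S output on stdin, with
# the leading "-A CHAIN " removed. Fails if there is no such rule.
rule_spec() {
    awk -v chain="$1" -v n="$2" '
        $1 == "-A" && $2 == chain && ++i == n { sub(/^-A [^ ]+ /, ""); print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# has_comment SPEC: true if the rule already carries a comment match.
has_comment() {
    case "$1" in *" -m comment --comment "*) return 0 ;; *) return 1 ;; esac
}

# replace_cmd CHAIN N COMMENT: read -S output on stdin and print the
# replacement command. The comment is single-quoted for the shell with
# embedded single quotes escaped, and rejected above 255 characters so it
# stays under the 256-character limit of the comment match.
replace_cmd() {
    chain=$1; n=$2; comment=$3
    if [ "${#comment}" -gt 255 ]; then
        echo "comment too long (${#comment} characters, max 255)" >&2
        return 2
    fi
    spec=$(rule_spec "$chain" "$n") || { echo "no rule $n in chain $chain" >&2; return 1; }
    if has_comment "$spec"; then
        echo "rule $n already has a comment: $spec" >&2
        return 1
    fi
    quoted=$(printf '%s' "$comment" | sed "s/'/'\\\\''/g")
    printf "iptables -R %s %s %s -m comment --comment '%s'\n" "$chain" "$n" "$spec" "$quoted"
}

# Demo on the constructed sample. On a real host, as root:
#   iptables -S INPUT | replace_cmd INPUT 11 "Block port 25"
# then review the printed command before running it.
printf '%s\n' "$SAMPLE_S" | replace_cmd INPUT 3 "Block port 25"
```

The script prints rather than executes on purpose: a replace is a privileged, irreversible change to a live filter, so the command should be read once before it is pasted into a root shell, and the -S listing it was derived from should be fresh, because any insert or delete in between renumbers the chain.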

Conclusion

You just added comments to iptables rules using the -m comment --comment "COMMENT1" syntax. It pays off when maintaining rules in the long run. For more information see the man pages using the man command as follows:
$ man iptables
$ man iptables-extensions

See all our iptables command examples.


I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source.

6 comments
  • Archu Dec 24, 2020 @ 8:22

    Hi,

    Very useful. I am using this with firewall-cmd/FirewallD on RHEL 8. Do you think it will create an issue?

    firewall-cmd --direct --add-rule {ipv4|ipv6} {table} {chain} {priority} {more_args} -m comment --comment "comment here"
    • 🛡️ Vivek Gite (Author and Admin) Dec 24, 2020 @ 8:28

      > Do you think it will create an issue?
      No. If you are uncertain about the firewall-cmd syntax, consult the man page.

      man firewall-cmd
  • Kevin Deeb Feb 18, 2021 @ 8:39

    It can be extremely handy if you have some obscure rules for odd situations. I can propose adding a comment to all Docker-added iptables rules so that they can be easily identified, just for the ones that don't know.

    • 🛡️ Vivek Gite (Author and Admin) Feb 18, 2021 @ 8:54

      The following will show docker rules:

      iptables -L -n -v | grep -i docker

      But, yes they should add comment by default.

  • Trina Meskill Apr 8, 2021 @ 4:33

    Excellent. I am grateful to have found out how to add a comment to iptables rules on Linux.

  • Sarika Joshi Mar 7, 2022 @ 10:24

    To add a comment to an iptables rule, append the following to the end of the firewall rule:

    -m comment --comment "block spammers"

    Here is an example of how to add a comment to an iptables rule in the INPUT chain to block spam from 10.8.0.1:

    sudo /sbin/iptables -I INPUT -i eth0 -s 10.8.0.1 -j DROP -m comment --comment "block spammer"

    Then you can verify that the comment was added by issuing the following command at the command prompt:

    sudo /sbin/iptables -L INPUT -n -v

    Please don't forget to save your firewall rules.

    sudo iptables-save > /path/to/your/config

    I found the guide on how to save iptables firewall rules permanently on Linux useful too. Thank you, Vivek Sir.
