Most distro's have made firewalld, UFW, or some other fancy program their default firewalls. However, in my opinion IPTables/Netfilter still reigns supreme. I find it to be the best tool for the job on 90% of systems I work on. Although a firewall configuration with a lot of rules can still be difficult to read. Just like a long script, it is helpful to put comments. These comments allow others to easily identify what the rules do, especially if you are using specific source IP addresses. So in this Linux quick tip we will show you how to easily add comments to IPTables rules.
If you are unfamiliar with IPTables, you can read "Basics of IPTables".
Adding a Comment to IPTables Rules
The basic syntax of a comment is:
-m comment --comment "This is a comment"The above can be appended to the end of any IPTables rule. Let's take a look at some examples.
Let's say you want to allow Joe's workstation to access your machine on HTTPS, which is TCP port 443. It is easy enough to make the rule. But how about a couple years from now when another admin comes and looks at the firewall configuration. Will they know why this was done? Simple... Add comments to your iptables rules to explain why this was put in place like so:
iptables -I INPUT -p tcp -s 192.168.1.66 --dport 443 -j ACCEPT -m comment --comment "HTTPS from Joe's Workstation"In this next example, we will be DROP all traffic coming from a specific subnet. Obviously, we do not want the HR people accessing our secret media server.
[baremmig@fenrir ~]$ sudo iptables -I INPUT -p all -s 192.168.2.0/24 -j DROP -m comment --comment "Block HR Subnet from Media Server"
[baremmig@fenrir ~]$ sudo iptables -L -vn
Chain INPUT (policy ACCEPT 83599 packets, 198M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 192.168.2.0/24 0.0.0.0/0 /* Block HR Subnet from Media Server */
...OUTPUT TRUNCATED...Once the rule and comment is added you can verify it by using the -L -vn options. This is my preferred way of reading iptables.
NOTE: -L means list, while -vn mean verbose and numeric output.
$ sudo iptables -L -vn
Chain INPUT (policy ACCEPT 70540 packets, 100M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.1.66 0.0.0.0/0 tcp dpt:443 /* HTTPS From Joe's Workstation */That's it, you just learned how to add a comments to iptables rules.
IPTables is a very robust firewall management program. It might seem a little intimidating at first. But, once you give it a chance you will love the power and flexibility it provides. Below are links to other interesting and non-standard uses for IPTables along with some resources for further reading.