Add Comments to iptables Rules

By | 2014/06/03

Impress your boss and co-workers by using comments in your iptables rules. Here’s how it works!


What are iptables comments?

Comments show up in the rule listing as shown below, for example /* allow SSH to this host from anywhere */ on the SSH rule:

$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* allow inbound traffic for established and related connections */
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh /* allow SSH to this host from anywhere */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:route /* allow incoming RIP on the internal interface */
ACCEPT     all  --  localhost            localhost            /* allow any local-only traffic */
ACCEPT     ipv6 --  tserv2.ash1.he.net   anywhere             /* allow IPv6 tunnel traffic from HE */
ACCEPT     icmp --  anywhere             anywhere             /* allow ICMP traffic to this host from anywhere */

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* allow inbound traffic for established and related connections */
ACCEPT     all  --  anywhere             anywhere             /* allow all Internet bound traffic from the internal network */
ACCEPT     icmp --  anywhere             anywhere             /* forward any ICMP traffic */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere  

Create comments with iptables rules

To add a comment to an iptables rule, load the comment match and pass the text to it: -m comment --comment "my cool text"

Here is a rule to allow ssh traffic with a comment added:

$ sudo iptables -A INPUT -p tcp -m tcp --dport 22 -m comment --comment "allow SSH to this host from anywhere" -j ACCEPT

This rule then appears as follows when listing rules:

$ sudo iptables -L

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh /* allow SSH to this host from anywhere */
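Comments earn their keep during audits, when someone has to tell which rules were intentional. The following shell helpers are an added example, not part of the original post: one builds a commented TCP port rule (enforcing the comment match's 256-character limit and refusing double quotes that would break the quoting), and one filters rules printed in `iptables -S` format to show those that carry no comment at all. The sample rule set is constructed here to mirror the INPUT chain above; nothing in the block calls iptables itself, the commands are printed so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the comment match's
# 256-character limit and the one-rule-per-line output format of `iptables -S`.

# Constructed sample in `iptables -S` format, mirroring the INPUT chain shown above.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "allow inbound traffic for established and related connections" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "allow SSH to this host from anywhere" -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -m comment --comment "allow any local-only traffic" -j ACCEPT'

# Print an iptables command for a commented TCP port rule.
# Usage: comment_rule CHAIN DPORT "comment text"
# Rejects comments longer than 256 characters (the comment match limit) and
# comments containing a double quote, which would break the shell quoting.
comment_rule() {
    chain=$1; dport=$2; text=$3
    case $text in
        *\"*) echo "comment_rule: double quotes are not allowed in a comment" >&2; return 1 ;;
    esac
    if [ "${#text}" -gt 256 ]; then
        echo "comment_rule: comment exceeds 256 characters" >&2
        return 1
    fi
    printf 'iptables -A %s -p tcp -m tcp --dport %s -m comment --comment "%s" -j ACCEPT\n' \
        "$chain" "$dport" "$text"
}

# Read rules in `iptables -S` format from stdin and print the ones without a
# comment. Policy lines (-P) are skipped, since a chain policy cannot carry one.
uncommented_rules() {
    grep '^-A ' | grep -v -- '-m comment --comment'
}

# Count the uncommented rules in the given rule text.
count_uncommented() {
    printf '%s\n' "$1" | uncommented_rules | wc -l | tr -d ' '
}

# Stand-alone run: show the uncommented rules in the sample and a generated rule.
printf '%s\n' "$SAMPLE_RULES" | uncommented_rules
comment_rule INPUT 22 "allow SSH to this host from anywhere"
```

Piping the live output of `sudo iptables -S` into `uncommented_rules` gives the same report for a real host; the fail2ban jump in the sample is the kind of rule that typically slips in without a comment.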

Hack on,