
Security : Linux : adding comments to iptables rules

While viewing all iptables rules from a terminal, it can be a pain to try to remember their meaning. Fortunately, a module can be used to add your own comments.

That module is simply called comment.
It can be quite useful: to remember what those IPs/IP blocks you blacklisted 6 months ago were, to record the date and hour a rule was set up or, for a Linux newbie, to give a short but effective explanation of the rule.
To see how it works, just type:


  # iptables -m comment --help

  COMMENT match options:
  --comment COMMENT             Attach a comment to a rule

Quite self-explanatory. A quick look at the source code (xt_comment.h) also tells us that a comment cannot exceed 256 characters:


  #define XT_MAX_COMMENT_LEN 256

Examples of use:


  # allow loopback :
  iptables -A INPUT -i lo -j ACCEPT -m comment --comment "allow loopback"

  # reject whois.sc/domaintools.com bots :
  iptables -A INPUT -s 64.246.160.0/19 -j DROP -m comment --comment "whois.sc bot"
  iptables -A INPUT -s 66.249.16.0/23 -j DROP -m comment --comment "domaintools bot #1"
  iptables -A INPUT -s 216.145.0.0/19 -j DROP -m comment --comment "domaintools bot #2"

  # reject Nexen (PHP tracker) bots :
  iptables -A INPUT -s 88.163.156.141 -j DROP -m comment --comment "nexen bot #1"
  iptables -A INPUT -s 217.174.223.0/24 -j DROP -m comment --comment "nexen bot #2"

  # reject Netcraft bots :
  iptables -A INPUT -s 83.138.189.96/29 -j DROP -m comment --comment "netcraft bot #1"
  iptables -A INPUT -s 194.72.238.0/24 -j DROP -m comment --comment "netcraft bot #2"

  # spammer from Taiwan looking for an SMTP open relay :
  iptables -A INPUT -s 118.165.0.0/16 -p tcp --dport 25 -j DROP -m comment \
   --comment "dynamic.hinet spam"

  # reject an IP (referer spam) + add timestamp :
  iptables -A INPUT -s 66.34.204.26 -j DROP -m comment \
   --comment "keywordspy.com - 10/05 @ 17:53"

Viewing all rules from a terminal:


  # iptables -L INPUT -nvx

  Chain INPUT (policy ACCEPT 1 packets, 328 bytes)
   target   in  out  source            destination
   ACCEPT   lo  *    0.0.0.0/0         0.0.0.0/0   /* allow loopback */
   DROP     *   *    64.246.160.0/19   0.0.0.0/0   /* whois.sc bot */
   DROP     *   *    66.249.16.0/23    0.0.0.0/0   /* domaintools bot #1 */
   DROP     *   *    216.145.0.0/19    0.0.0.0/0   /* domaintools bot #2 */
   DROP     *   *    88.163.156.141    0.0.0.0/0   /* nexen bot #1 */
   DROP     *   *    217.174.223.0/24  0.0.0.0/0   /* nexen bot #2 */
   DROP     *   *    83.138.189.96/29  0.0.0.0/0   /* netcraft bot #1 */
   DROP     *   *    194.72.238.0/24   0.0.0.0/0   /* netcraft bot #2 */
   DROP     *   *    118.165.0.0/16    0.0.0.0/0   tcp dpt:25 /* dynamic.hinet spam */
   DROP     *   *    66.34.204.26      0.0.0.0/0   /* keywordspy.com - 10/05 @ 17:53 */
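Once rules carry comments, the comment becomes a handle for finding and removing them later (the blacklist entries from 6 months ago, for instance). The helpers below are an added example, not part of the original article: they work on `iptables-save` output, which prints the `-m comment` match before the `-j` target, and they check the XT_MAX_COMMENT_LEN limit before a rule is added. The sample rules are a constructed `iptables-save` dump mirroring the rules above, not a capture from a real host.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output (embedded so this runs offline).
SAMPLE_RULES='*filter
:INPUT ACCEPT [1:328]
-A INPUT -i lo -m comment --comment "allow loopback" -j ACCEPT
-A INPUT -s 64.246.160.0/19 -m comment --comment "whois.sc bot" -j DROP
-A INPUT -s 66.34.204.26 -m comment --comment "keywordspy.com - 10/05 @ 17:53" -j DROP
COMMIT'

# The kernel keeps the comment in a buffer of XT_MAX_COMMENT_LEN (256) bytes,
# so reject longer text here instead of letting iptables fail on it.
# ${#1} counts characters, so this assumes ASCII comments.
comment_ok() {
    [ "${#1}" -le 256 ]
}

# Add a rule with a comment, refusing over-long comments.
# Usage: add_commented_rule "<comment>" <iptables rule spec...>
# (hypothetical helper; prints the command instead of running it when DRY_RUN is set)
add_commented_rule() {
    comment=$1; shift
    comment_ok "$comment" || { echo "comment too long (>256): $comment" >&2; return 1; }
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s -m comment --comment "%s"\n' "$*" "$comment"
    else
        iptables "$@" -m comment --comment "$comment"
    fi
}

# Print the -A lines whose comment starts with the given fixed string.
# Usage: rules_by_comment "<text>" [<iptables-save output>]
rules_by_comment() {
    needle=$1
    printf '%s\n' "${2:-$SAMPLE_RULES}" | grep -F -- "--comment \"$needle" | grep '^-A '
}

# Turn the matching -A lines into the `iptables -D` commands that delete them.
# Only prints the commands; review them, then run them as root to apply.
delete_cmds_by_comment() {
    rules_by_comment "$@" | sed 's/^-A /iptables -D /'
}
```

In practice, pipe real `iptables-save` output into `rules_by_comment "<text>" "$(iptables-save)"`; the same search works on `iptables -S INPUT` output since it uses the same rule syntax.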