
Wednesday, December 30, 2009

Iptables comments

When working as a team, sharing information is critical, and nothing beats inline comments for this, as programmers and *nix admins will appreciate. For years I've been frustrated by the lack of comments in our *nix iptables rule sets. What is this rule? Who put it here? Is it still valid? One could put helpful comments in /etc/sysconfig/iptables, but they would be wiped out the next time anyone ran "iptables-save > /etc/sysconfig/iptables" or "service iptables save" (the latter being a recent and pleasant discovery), because both regenerate the file from the live kernel rules, which carry no such comments.

Like most things *nix, the answer has been there all along; I just never looked in the right place for it. Oddly enough, I found it in the man page for iptables. Fancy that! Simply add another packet matching module ("-m"), in this case the comment module, to your rule definition. Rules and caveats:

  • Put it anywhere in the rule _before_ the -j or "jump" target.
  • The comment is limited to 256 characters according to the man page; in practice 255, because the kernel stores it NUL-terminated in a 256-byte buffer and iptables rejects anything longer.
  • The module has only one option: --comment "..."
  • Wrap the comment in quotes (double quotes in the example below) so the shell hands it to iptables as a single argument; unquoted, only the first word becomes the comment and iptables complains about the stray words that follow.
  • The match lives in the xt_comment kernel module (ipt_comment on older kernels); most distributions autoload it the first time a rule uses it.
  • "iptables -L" shows the comment C-style, as /* ... */; "iptables-save", and therefore the saved rules file, shows it as the original -m comment --comment "..." match.


[root@localhost]# iptables -I INPUT 1 -d 10.10.10.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "This is a comment" -j ACCEPT


results in (note that the rule matches on destination, so the source column reads "anywhere"):
[root@localhost]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere 10.10.10.0/24 state NEW tcp dpt:ssh /* This is a comment */

Remember to run "service iptables save" so the comments land in /etc/sysconfig/iptables along with the rules, where the rest of the team will actually see them. Enjoy!
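Once comments are in the rule set, the natural follow-up is checking which rules still lack one. The script below is an added example, not part of the original post: it reads an iptables-save dump (the constructed sample embedded in it, or a real dump on stdin), lists the rules that carry no -m comment, extracts the comments that are present, and checks a proposed comment against the 255-character limit. Everything here works on the saved text only; it never calls iptables, so it runs as an unprivileged user. The sample rules other than the post's own ssh rule, and the "user date ticket: purpose" comment convention, are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump
# for rules that carry no "-m comment", and list the comments that are
# present, so a team can spot undocumented rules.
# Usage: sh audit_comments.sh        (runs against the constructed sample)
#        iptables-save | sh audit_comments.sh -   (audits the live rule set)

# xt_comment stores the text in a 256-byte NUL-terminated buffer, so 255
# characters is the longest comment iptables will accept.
MAX_COMMENT_LEN=255

# Constructed sample in iptables-save format. The ssh rule is the one from
# the post; the other rules and the comment style are invented for the demo.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 10.10.10.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "This is a comment" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.5/32 -m comment --comment "jdoe 2009-12-30 ticket 1234: backup server" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
COMMIT'

# Return 0 if a proposed comment fits the module's limit, 1 otherwise.
comment_fits() {
    [ "${#1}" -le "$MAX_COMMENT_LEN" ]
}

# Print the rule lines (-A ...) of a dump that have no comment match.
uncommented_rules() {
    printf '%s\n' "$1" | awk '/^-A / && !/ -m comment /'
}

# Count those rules; prints 0 when every rule is commented.
count_uncommented() {
    printf '%s\n' "$1" | awk '/^-A / && !/ -m comment / { n++ } END { print n + 0 }'
}

# Print "chain<TAB>comment" for every commented rule: the inline
# documentation without the rest of the rule. The offsets strip the
# leading '--comment "' (11 characters) and the closing quote.
list_comments() {
    printf '%s\n' "$1" | awk '
        /^-A / && match($0, /--comment "[^"]*"/) {
            c = substr($0, RSTART + 11, RLENGTH - 12)
            printf "%s\t%s\n", $2, c
        }'
}

# Stand-alone run: read a dump from stdin when "-" is given, else use the sample.
if [ "${1:-}" = "-" ]; then
    DUMP=$(cat)
else
    DUMP=$SAMPLE_DUMP
fi
echo "Rules without a comment: $(count_uncommented "$DUMP")"
uncommented_rules "$DUMP"
echo
echo "Documented rules (chain, comment):"
list_comments "$DUMP"
```

Against the sample, the audit reports two undocumented rules (the port 80 ACCEPT and the port 3306 DROP) and two documented ones. Running it from cron against "iptables-save" output is a cheap way to keep the "who put this here?" question from coming back.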