commenting iptables rules

I often use iptables (or ip6tables, the IPv6 version of iptables) to implemented firewall rules on my linux systems.

In earlier times I used a commented bash script to setup the rules after booting, but using Gentoo nowadays there is a nice init script saving and restoring my tables. Using this I stopped commenting the firewall rules, but yesterday I found a very nice solution for this problem.

Iptables has a special “match” for comments. You have to enable it in your kernel config like

  [*] Networking support  --->
     Networking options
        [*] Network packet filtering framework (Netfilter)  --->
           Core Netfilter Configuration  --->
              -*- Netfilter Xtables support (required for ip_tables)
              <*>   "comment" match support

or as a module.

Then you’re able to add rules like

iptables -A INPUT -m state --state RELATED,ESTABLISHED \
  -m comment --comment "allow all established connections" -j ACCEPT

And if you list your rules you get something like

Chain INPUT (policy DROP)
target  prot opt source     destination
ACCEPT  all  --  anywhere   anywhere   state RELATED,ESTABLISHED
                                       /* allow all established connections */

It’s a pity that I never saw this in any iptables tutorials.

If you like this article, feel free to flattr it:

Apr07

Post Info

15:29
April 7, 2009
1 Comment
Permalink
English

Social

One Response to “commenting iptables rules”

Reply | Quote
Lindsay | #1
November 5, 2009 21:01

Note that the ability to select ‘”comments” match support” in the kernel config depends on the selection of “Advanced netfilter configuration” in the Network packet filtering framework menu. If this kernel option isn’t on, then the comments option won’t appear in the Core Netfilter Configuration menu.

twam.info