In earlier times I used a commented bash script to setup the rules after booting, but using Gentoo nowadays there is a nice init script saving and restoring my tables. Using this I stopped commenting the firewall rules, but yesterday I found a very nice solution for this problem.

Iptables has a special “match” for comments. You have to enable it in your kernel config like

  [*] Networking support  --->
     Networking options
        [*] Network packet filtering framework (Netfilter)  --->
           Core Netfilter Configuration  --->
              -*- Netfilter Xtables support (required for ip_tables)
              <*>   "comment" match support

or as a module.

Then you’re able to add rules like

iptables -A INPUT -m state --state RELATED,ESTABLISHED \
  -m comment --comment "allow all established connections" -j ACCEPT

And if you list your rules you get something like

Chain INPUT (policy DROP)
target  prot opt source     destination
ACCEPT  all  --  anywhere   anywhere   state RELATED,ESTABLISHED
                                       /* allow all established connections */

It’s a pity that I never saw this in any iptables tutorials.