Tutorial on annotating iptables rules on a Linux system

Time:2021-11-29

Add comments to iptables rules to make a good impression on your boss and colleagues. The method is as follows:

What are iptables annotations?

iptables comments appear after each rule in the rule listing and are wrapped in /* */, for example /* allow SSH to this host from anywhere */ (see the annotated rules in the listing below).


The code is as follows:

$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED /* allow inbound traffic for established and related connections */
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh /* allow SSH to this host from anywhere */
ACCEPT udp -- anywhere anywhere udp dpt:route /* allow incoming RIP on the internal interface */
ACCEPT all -- localhost localhost /* allow any local-only traffic */
ACCEPT ipv6 -- tserv2.ash1.he.net anywhere /* allow IPv6 tunnel traffic from HE */
ACCEPT icmp -- anywhere anywhere /* allow ICMP traffic to this host from anywhere */

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED /* allow inbound traffic for established and related connections */
ACCEPT all -- anywhere anywhere /* allow all Internet bound traffic from the internal network */
ACCEPT icmp -- anywhere anywhere /* forward any ICMP traffic */

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Add comments for the new iptables rule

The syntax for adding a comment to a new iptables rule is: -m comment --comment "comment text to add"
Specific examples: add a rule that allows SSH traffic to pass through, and add comments to this rule:

The code is as follows:

$ sudo iptables -A INPUT -p tcp -m tcp --dport 22 -m comment --comment "allow SSH to this host from anywhere" -j ACCEPT

Then list the rules with -L and you will see the rule you just added, like this:

The code is as follows:

$ sudo iptables -L
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh /* allow SSH to this host from anywhere */
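Once rules carry comments, it is worth checking that every rule in a chain actually has one, since an uncommented rule is the one nobody dares to remove later. The script below is an added example, not part of the original tutorial: it parses `iptables -S`-style output (a constructed sample is embedded so it runs without iptables), lists rules that lack a `-m comment` match, and builds a commented rule while enforcing the 256-character limit of the comment match.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# Constructed sample in `iptables -S INPUT` format; on a real host use:
#   RULES=$(sudo iptables -S INPUT)
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "allow inbound traffic for established and related connections" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "allow SSH to this host from anywhere" -j ACCEPT
-A INPUT -p icmp -j ACCEPT'

# Print every -A rule that has no "-m comment --comment" match.
# Exit status: 1 if at least one uncommented rule was found, 0 otherwise.
uncommented_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / && !/ -m comment --comment / { print; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Number of uncommented rules in the given listing.
count_uncommented() {
    uncommented_rules "$1" | grep -c '^-A ' || true
}

# Build (but do not run) an iptables command that appends a commented rule.
# The comment match accepts at most 256 characters, so longer text is refused.
# Usage: commented_rule CHAIN "MATCHES" "comment text" TARGET
commented_rule() {
    chain=$1 matches=$2 comment=$3 target=$4
    if [ "${#comment}" -gt 256 ]; then
        echo "comment too long (${#comment} > 256 characters)" >&2
        return 1
    fi
    printf 'iptables -A %s %s -m comment --comment "%s" -j %s\n' \
        "$chain" "$matches" "$comment" "$target"
}

# Stand-alone run: report the rules missing a comment and show a well-formed commented rule.
echo "Rules without a comment: $(count_uncommented "$SAMPLE_RULES")"
uncommented_rules "$SAMPLE_RULES" || true
commented_rule INPUT "-p tcp -m tcp --dport 22" "allow SSH to this host from anywhere" ACCEPT
```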

The tutorial is over!