Add comments to IPTables firewall rules
Posted in Operating Systems, Linux, Fedora, Debian, Suse, Red Hat, Security, Network, Firewall, Tips on Wednesday, May 25, 2016 by cam
Instead of only documenting the IPTables configuration file (e.g. /etc/sysconfig/iptables) with # comments, you can also embed comments in the ruleset itself with the comment match (-m comment --comment "..."). They then appear next to each rule when you run iptables -L -v -n:
root@server070:[~]: iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  64M 4727M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    5   474 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 202K   27M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   16   880 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
 137M   38G ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:514 /* Syslog traffic */
   28  1664 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:514 /* Syslog traffic */
41067 2050K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9997 /* Universal Forwarder traffic */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8089 /* Splunk SSL traffic */
   47  2564 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8000 /* Splunk web interface */
14135 1313K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: '
 218K   21M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
All you need to do is add the comment match to each rule in your configuration file, as in the following example:
root@server070:[~]: cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -m comment --comment "Syslog traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 514 -m comment --comment "Syslog traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9997 -m comment --comment "Universal Forwarder traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8089 -m comment --comment "Splunk SSL traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -m comment --comment "Splunk web interface" -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
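As an added example (not from the original post), here is a small Python audit that parses an iptables-save style file such as /etc/sysconfig/iptables, pulls the --comment string out of each rule, and flags ACCEPT rules that open a port without a comment, or whose comment exceeds the 256-character limit of the comment match. The sample ruleset is constructed after the one above.

```python
import shlex

# Constructed sample in iptables-save format, modelled on the ruleset in the post.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -m comment --comment "Syslog traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9997 -m comment --comment "Universal Forwarder traffic" -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

MAX_COMMENT_LEN = 256  # limit enforced by the xt_comment match


def parse_rules(text):
    """Return one dict per -A rule with its chain, target, --dport and --comment."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue  # skip the *table line, :CHAIN policy lines and COMMIT
        argv = shlex.split(line)  # shlex keeps the quoted comment as one token
        rule = {"chain": argv[1], "target": None, "dport": None, "comment": None}
        for i, tok in enumerate(argv):
            if tok == "-j":
                rule["target"] = argv[i + 1]
            elif tok == "--dport":
                rule["dport"] = argv[i + 1]
            elif tok == "--comment":
                rule["comment"] = argv[i + 1]
        rules.append(rule)
    return rules


def audit(text):
    """List undocumented port-opening ACCEPT rules and comments the module would reject."""
    findings = []
    for r in parse_rules(text):
        where = f"{r['chain']} dport {r['dport']}"
        if r["target"] == "ACCEPT" and r["dport"] and r["comment"] is None:
            findings.append(f"{where}: ACCEPT rule has no comment")
        if r["comment"] is not None and len(r["comment"]) > MAX_COMMENT_LEN:
            findings.append(f"{where}: comment exceeds {MAX_COMMENT_LEN} chars")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Run it against the output of iptables-save on a live host to find rules whose purpose was never recorded.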
Happy commenting!