{"id":488,"date":"2014-10-21T18:25:58","date_gmt":"2014-10-21T10:25:58","guid":{"rendered":"http:\/\/www.ipcpu.com\/?p=488"},"modified":"2014-10-21T18:25:58","modified_gmt":"2014-10-21T10:25:58","slug":"add-comments-iptables","status":"publish","type":"post","link":"https:\/\/c.ipcpu.com\/2014\/10\/add-comments-iptables\/","title":{"rendered":"\u5982\u4f55\u7ed9iptables\u52a0\u6ce8\u91caAdd Comments to iptables Rules"},"content":{"rendered":"<div id=\"MathJax_Message\" style=\"display: none;\"><\/div>\n<h2 id=\"wiz_toc_0\">Add Comments to iptables Rules<\/h2>\n<p>By Scott Miller+ | 2014\/06\/03<\/p>\n<p><img decoding=\"async\" src=\"\/\/www.ipcpu.com\/wp-content\/uploads\/2016\/01\/wpid-9ad9097e520280101e212ae458d7aee3_07f830ff-5609-494d-9bb1-5971dcecc3f4.jpg\" alt=\"\"><\/p>\n<p>Impress your boss and co-workers by using comments in your iptables rules. Here\u2019s how it works!<\/p>\n<h3 id=\"wiz_toc_1\">What are iptables comments?<\/h3>\n<p>Comments appear as follows when in use. (Ex: \/* allow SSH to this host from anywhere *\/ as seen below.)<\/p>\n<pre class=\"prettyprint linenums prettyprinted\" style=\"\"><ol class=\"linenums\"><li class=\"L0\"><code><span class=\"pln\">$ sudo iptables <\/span><span class=\"pun\">-<\/span><span class=\"pln\">L<\/span><\/code><\/li><li class=\"L1\"><code><span class=\"typ\">Chain<\/span><span class=\"pln\"> INPUT <\/span><span class=\"pun\">(<\/span><span class=\"pln\">policy DROP<\/span><span class=\"pun\">)<\/span><\/code><\/li><li class=\"L2\"><code><span class=\"pln\">target     prot opt source               destination         <\/span><\/code><\/li><li class=\"L3\"><code><span class=\"pln\">ACCEPT     all  <\/span><span class=\"pun\">--<\/span><span class=\"pln\">  anywhere             anywhere             state RELATED<\/span><span class=\"pun\">,<\/span><span class=\"pln\">ESTABLISHED <\/span><span class=\"com\">\/* allow inbound traffic for established and related connections *\/<\/span><\/code><\/li><li class=\"L4\"><code><span class=\"pln\">fail2ban<\/span><span class=\"pun\">-<\/span><span class=\"pln\">ssh  tcp  <\/span><span class=\"pun\">--<\/span><span class=\"pln\">  anywhere             anywhere             multiport dports ssh<\/span><\/code><\/li><li class=\"L5\"><code><span class=\"pln\">ACCEPT     tcp  <\/span><span class=\"pun\">--<\/span><span class=\"pln\">  anywhere             anywhere             tcp dpt<\/span><span class=\"pun\">:<\/span><span class=\"pln\">ssh <\/span><span class=\"com\">\/* allow SSH to this host from anywhere *\/<\/span><\/code><\/li><li class=\"L6\"><code><span class=\"pln\">ACCEPT     udp  <\/span><span class=\"pun\">--<\/span><span class=\"pln\">  anywhere             anywhere             udp dpt<\/span><span class=\"pun\">:<\/span><span class=\"pln\">route <\/span><span class=\"com\">\/* allow incoming RIP on the internal interface *\/<\/span><\/code><\/li><li class=\"L7\"><code><span class=\"pln\">ACCEPT     all  <\/span><span class=\"pun\">--<\/span><span class=\"pln\">  localhost            localhost            <\/span><span class=\"com\">\/* allow any local-only traffic *\/<\/span><\/code><\/li><li class=\"L8\"><code><span class=\"pln\">ACCEPT     ipv6 <\/span><span class=\"pun\">--<\/span><span class=\"pln\">  tserv2<\/span><span class=\"pun\">.<\/span><span class=\"pln\">ash1<\/span><span class=\"pun\">.<\/span><span class=\"pln\">he<\/span><span class=\"pun\">.<\/span><span class=\"pln\">net   anywhere             <\/span><span class=\"com\">\/* allow IPv6 tunnel traffic from HE *\/<\/span><\/code><\/li><li class=\"L9\"><code><span class=\"pln\">ACCEPT     icmp <\/span><span class=\"pun\">--<\/span><span class=\"pln\">  anywhere             anywhere             <\/span><span class=\"com\">\/* allow ICMP traffic to this host from anywhere *\/<\/span><\/code><\/li><li class=\"L0\"><code><\/code><\/li><li class=\"L1\"><code><span class=\"typ\">Chain<\/span><span class=\"pln\"> FORWARD <\/span><span class=\"pun\">(<\/span><span class=\"pln\">policy DROP<\/span><span class=\"pun\">)<\/span><\/code><\/li><li class=\"L2\"><code><span class=\"pln\">target     prot opt source               destination         <\/span><\/code><\/li><li class=\"L3\"><code><span class=\"pln\">ACCEPT     all  <\/span><span class=\"pun\">--<\/span><span class=\"pln\">  anywhere             anywhere             state RELATED<\/span><span class=\"pun\">,<\/span><span class=\"pln\">ESTABLISHED <\/span><span class=\"com\">\/* allow inbound traffic for established and related connections *\/<\/span><\/code><\/li><li class=\"L4\"><code><span class=\"pln\">ACCEPT     all  <\/span><span class=\"pun\">--<\/span><span class=\"pln\">  anywhere             anywhere             <\/span><span class=\"com\">\/* allow all Internet bound traffic from the internal network *\/<\/span><\/code><\/li><li class=\"L5\"><code><span class=\"pln\">ACCEPT     icmp <\/span><span class=\"pun\">--<\/span><span class=\"pln\">  anywhere             anywhere             <\/span><span class=\"com\">\/* forward any ICMP traffic *\/<\/span><\/code><\/li><li class=\"L6\"><code><\/code><\/li><li class=\"L7\"><code><span class=\"typ\">Chain<\/span><span class=\"pln\"> OUTPUT <\/span><span class=\"pun\">(<\/span><span class=\"pln\">policy ACCEPT<\/span><span class=\"pun\">)<\/span><\/code><\/li><li class=\"L8\"><code><span class=\"pln\">target     prot opt source               destination         <\/span><\/code><\/li><li class=\"L9\"><code><\/code><\/li><li class=\"L0\"><code><span class=\"typ\">Chain<\/span><span class=\"pln\"> fail2ban<\/span><span class=\"pun\">-<\/span><span class=\"pln\">ssh <\/span><span class=\"pun\">(<\/span><span class=\"lit\">1<\/span><span class=\"pln\"> references<\/span><span class=\"pun\">)<\/span><\/code><\/li><li class=\"L1\"><code><span class=\"pln\">target     prot opt source               destination         <\/span><\/code><\/li><li class=\"L2\"><code><span class=\"pln\">RETURN     all  <\/span><span class=\"pun\">--<\/span><span class=\"pln\">  anywhere             anywhere  <\/span><\/code><\/li><\/ol><\/pre>\n<h3 id=\"wiz_toc_2\">Create comments with iptables rules<\/h3>\n<p>To make comments with your iptables rules, the syntax is: comment \u2013comment \u201cmy cool text\u201d<\/p>\n<p>Here is a rule to allow ssh traffic with a comment added:<\/p>\n<pre class=\"prettyprint linenums prettyprinted\" style=\"\"><ol class=\"linenums\"><li class=\"L0\"><code><span class=\"pln\">$ sudo iptables <\/span><span class=\"pun\">-<\/span><span class=\"pln\">A INPUT <\/span><span class=\"pun\">-<\/span><span class=\"pln\">p tcp <\/span><span class=\"pun\">-<\/span><span class=\"pln\">m tcp <\/span><span class=\"pun\">--<\/span><span class=\"pln\">dport <\/span><span class=\"lit\">22<\/span><span class=\"pln\"> <\/span><span class=\"pun\">-<\/span><span class=\"pln\">m comment <\/span><span class=\"pun\">--<\/span><span class=\"pln\">comment <\/span><span class=\"str\">\"allow SSH to this host from anywhere\"<\/span><span class=\"pln\"> <\/span><span class=\"pun\">-<\/span><span class=\"pln\">j ACCEPT<\/span><\/code><\/li><\/ol><\/pre>\n<p>This rule then appears as following when listing rules:<\/p>\n<pre class=\"prettyprint linenums prettyprinted\" style=\"\"><ol class=\"linenums\"><li class=\"L0\"><code><span class=\"pln\">$ sudo iptables <\/span><span class=\"pun\">-<\/span><span class=\"pln\">L<\/span><\/code><\/li><li class=\"L1\"><code><span class=\"pln\">ACCEPT     tcp  <\/span><span class=\"pun\">--<\/span><span class=\"pln\">  anywhere             anywhere             tcp dpt<\/span><span class=\"pun\">:<\/span><span class=\"pln\">ssh <\/span><span class=\"com\">\/* allow SSH to this host from anywhere *\/<\/span><\/code><\/li><\/ol><\/pre>\n<p>Hack on,<\/p>\n<p>Tags: comments, documentation, firewall, firewall rules, iptables, linux, linux firewall, security<\/p>\n<p>\u539f\u6587\u5730\u5740\uff1a <a href=\"https:\/\/scottlinux.com\/2014\/06\/03\/add-comments-to-iptables-rules\/\">https:\/\/scottlinux.com\/2014\/06\/03\/add-comments-to-iptables-rules\/<\/a><\/p>\n<p>\u8f6c\u8f7d\u8bf7\u6ce8\u660e\uff1a<a href=\"https:\/\/c.ipcpu.com\">IPCPU-\u7f51\u7edc\u4e4b\u8def<\/a> &raquo; <a href=\"https:\/\/c.ipcpu.com\/2014\/10\/add-comments-iptables\/\">\u5982\u4f55\u7ed9iptables\u52a0\u6ce8\u91caAdd Comments to iptables Rules<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>Add Comments to iptables Rules By Scott Miller+ | 2014\/06\/03 Impress your boss and co-workers by using comments in your iptables rules. Here\u2019s how it works! What are iptables comments? Comments appear as follows when in use. (Ex: \/* allow SSH to this host from anywhere *\/ as seen below.) $ sudo iptables -LChain INPUT [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,1],"tags":[54,17],"_links":{"self":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/488"}],"collection":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/comments?post=488"}],"version-history":[{"count":0,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/488\/revisions"}],"wp:attachment":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/media?parent=488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/categories?post=488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/tags?post=488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}