1st Commandment: You shall always comment your iptables rules.

If you are writing an iptables rule, you need to comment it. Period. Whenever someone is trying to understand what is going on with your system, runs iptables -nvL, and sees something like this (from our previous post on blocking custom domains via DNS):

# iptables -nvL
 0 0 DROP udp -- * * udp dpt:53 STRING match  "|03777777076578616d706c6503636f6d|" ALGO name bm TO 65535

you know they won't understand it, and it will take them quite a while to figure out what is going on. So do everyone a favor (especially your co-workers and your future self) and always add -m comment --comment "COMMENT" to the end of all your rules.

Using the same example from our previous blog post, this is how we should have written it:

/sbin/iptables -I INPUT -p udp --dport 53 -m string --hex-string "|03|www|07|example|03|com|000001|" --algo bm -j DROP -m comment --comment "Blocking UDP/53 All DNS A lookups for www.example.com"

And that’s it.
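Since the whole point is that no rule should go uncommented, here is an added audit script (not from the original post or from the iptables project) that reads iptables-save output and lists every rule that has no -m comment match. The dump it runs on is a constructed sample; on a real host you would pipe the output of iptables-save into the same function.

```shell
#!/bin/sh
# Added example: find iptables rules that carry no "-m comment --comment".
# Runs offline on the constructed sample below; for a live host use
#   iptables-save | find_uncommented_rules

# Constructed iptables-save dump. Rule 1 is the commented DNS rule from the
# post, rule 2 is the same rule without a comment, rule 3 is a commented
# SSH rule (the hostname in its comment is made up for the sample).
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -m string --hex-string "|03777777076578616d706c6503636f6d|" --algo bm --to 65535 -m comment --comment "Blocking UDP/53 All DNS A lookups for www.example.com" -j DROP
-A INPUT -p udp -m udp --dport 53 -m string --hex-string "|03777777076578616d706c6503636f6d|" --algo bm --to 65535 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "SSH from admin jump host" -j ACCEPT
COMMIT'

# Read iptables-save format on stdin and print each "-A" rule that lacks a
# comment match, prefixed with the table it lives in ("*filter" -> "filter").
find_uncommented_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /^-A / && !/-m comment --comment / { print table ": " $0 }
    '
}

# Helper for checks: how many uncommented rules the sample contains.
count_uncommented_sample() {
    printf '%s\n' "$SAMPLE_RULES" | find_uncommented_rules | wc -l | tr -d ' '
}

# Report on the constructed sample: exactly one rule should be flagged.
printf '%s\n' "$SAMPLE_RULES" | find_uncommented_rules
```

A non-empty report is the signal to go back and add -m comment --comment to the rule that was flagged.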

