If you are writing an IPtables rule, you need to add comments.
Comments are imperative for your future self, and anyone that takes over your job, to better understand what the rule is doing.
For example, without comments, whenever someone is trying to understand what is going on with your system and they run iptables -nvL, they will see something like this (from our previous post on blocking custom domains via DNS):
# iptables -nvL
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match "|03777777076578616d706c6503636f6d|"
ALGO name bm TO 65535We can assure you they won’t understand it immediately. They might figure it out, but why not take the time to help them get there faster? So do everyone a favor (specially your co-workers and your future-self) and always add -m comment –comment “COMMENT” to the end of all your rules.
Using the same example from our previous block post, this is how we should have written it:
/sbin/iptables -I INPUT -p udp --dport 53 -m string --hex-string "|03|www|07|example|03|com|000001|"
--algo bm -j DROP -m comment --comment "Blocking UDP/53 All DNS A lookups for www.example.com"This will return something like the following the next time someone runs iptables -nvL
# iptables -nvL 0 0 DROP udp — * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 STRING match “|03777777076578616d706c6503636f6d|” ALGO name bm TO 65535 “Blocking UDP/53 All DNS A lookups for www.example.com”