Hello,
I'm a user (and big fan) of CentOS 5.6, and in my /etc/sysconfig/iptables there are a few blocking rules for some annoying visitors of my website (I have run a card game there for many years and some people are "special"):
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [294:35064]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s xx.xx.xx.0/24 -j DROP
-A INPUT -s xx.xx.xx.0/24 -j DROP
-A INPUT -s xx.xx.xx.0/24 -j DROP
-A INPUT -s xx.xx.xx.0/24 -j DROP
-A INPUT -s xx.xx.xx.0/24 -j DROP
-A INPUT -s xx.xx.0.0/16 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,8080,443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT
COMMIT
My problem is that I often don't remember why and when a blocking rule had been added.
Is there a way to add comments to the iptables file? A hash mark # does not seem to work.
If comments are not possible, please share a few tricks - how do YOU usually use iptables on CentOS? I.e. there is "sudo service iptables save", but I've yet to discover its usefulness.
Regards Alex
Alexander Farber wrote: <snip>
Is there a way to add comments to the iptables file? A hash mark # does not seem to work.
assuming you are talking about /etc/sysconfig/iptables , hash is indeed the comment mark, and works fine. In my file on this system all comment lines have a hash as first character on the line though, so perhaps it doesn't like end-of-line comments but only accepts full lines of comment.
Ouch, you're correct. I only tried end-of-line comments, sorry.
On Sun, Apr 24, 2011 at 9:30 AM, Nicolas Thierry-Mieg Nicolas.Thierry-Mieg@imag.fr wrote:
Alexander Farber wrote:
Is there a way to add comments to the iptables file? A hash mark # does not seem to work.
assuming you are talking about /etc/sysconfig/iptables , hash is indeed the comment mark, and works fine. In my file on this system all comment lines have a hash as first character on the line though, so perhaps it doesn't like end-of-line comments but only accepts full lines of comment.
FYI, using the iptables comment match is even more useful, as the comments are displayed whenever you actually list the rules (e.g. via "service iptables status"). For example:
-A INPUT -s 10.0.0.2 -m comment --comment "I am an example comment" -j DROP
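The two comment styles discussed in this thread behave differently once "service iptables save" is used: that command rewrites /etc/sysconfig/iptables from iptables-save output, which does not carry hand-written full-line "#" comments across, whereas an "-m comment --comment" annotation is part of the rule itself and survives both a save and "iptables -L". The script below is an added example, not code from this thread: it parses a ruleset in iptables-save format, attaches a full-line "#" comment to the rule that follows it, extracts "--comment" strings, and reports DROP rules that carry neither kind of annotation. The sample ruleset is constructed from the rules quoted earlier in the thread, with RFC 5737 documentation addresses substituted.

```python
"""Audit a saved iptables ruleset (iptables-save / /etc/sysconfig/iptables
format) for DROP rules that carry no explanation.

Added example, not from the mailing-list thread.  The sample ruleset below
is constructed from the rules quoted in the thread, with documentation
addresses (RFC 5737) substituted for the real ones.
"""
import shlex

# Constructed sample in iptables-save format.  Full-line "#" comments are
# accepted by iptables-restore; an end-of-line "#" is not.
SAMPLE_RULESET = """\
# Generated by iptables-save v1.3.5
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [294:35064]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# blocked 2011-04-20: repeated flooding of card tables
-A INPUT -s 198.51.100.0/24 -j DROP
-A INPUT -s 203.0.113.0/24 -m comment --comment "2011-04-22 abusive chat, see ticket 17" -j DROP
-A INPUT -s 192.0.2.0/24 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,8080,443 -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Return one dict per -A/-I line: chain, tokens, and both comment kinds.

    A full-line "#" comment is attached to the next rule (a heuristic used
    here so a rule documented that way is not flagged).  Lines are split
    with shlex so a quoted --comment string with spaces stays one token.
    """
    rules = []
    pending_hash = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            pending_hash = line[1:].strip()
            continue
        if line.startswith(("*", ":")) or line == "COMMIT":
            pending_hash = None          # table/chain headers break the pairing
            continue
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] not in ("-A", "-I"):
            pending_hash = None
            continue
        comment = None
        for i, tok in enumerate(tokens):
            if tok == "--comment" and i + 1 < len(tokens):
                comment = tokens[i + 1]
        rules.append({"chain": tokens[1], "tokens": tokens,
                      "comment": comment, "hash_comment": pending_hash})
        pending_hash = None
    return rules


def _value_after(tokens, names):
    """Return the argument following the first token in `names`, if any."""
    for i, tok in enumerate(tokens):
        if tok in names and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def undocumented_drops(text):
    """Sources of DROP rules that have neither a --comment nor a "#" line."""
    return [_value_after(r["tokens"], ("-s", "--source"))
            for r in parse_rules(text)
            if _value_after(r["tokens"], ("-j", "--jump")) == "DROP"
            and r["comment"] is None and r["hash_comment"] is None]


def comments(text):
    """Map rule source -> explanation, whichever comment style was used."""
    out = {}
    for r in parse_rules(text):
        note = r["comment"] or r["hash_comment"]
        if note:
            out[_value_after(r["tokens"], ("-s", "--source"))] = note
    return out


if __name__ == "__main__":
    for src in undocumented_drops(SAMPLE_RULESET):
        print("no comment on DROP rule for", src)
```

Run it against the real file ("python audit.py < /etc/sysconfig/iptables" after swapping SAMPLE_RULESET for sys.stdin.read()) before each "service iptables save", so that a rule whose only explanation is a "#" line gets converted to "-m comment" before the save discards the line.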
Alexander Farber wrote on Sun, 24 Apr 2011 09:04:30 +0200:
i.e. there is "sudo service iptables save", but I've yet to discover its usefulness
You can add rules on the fly and save them. For instance, I have a certain "starter script" with iptables rules and other filtering stuff grown over the years. I adapt that, put it on new machines and run it once. Then I save that and only add rules to it from the command line. If I know I want to keep them I save them, otherwise I don't and they will finally go away with the next reboot (e.g. abused mailservers or spambots usually last only for a few days). If there are rules that I want to keep for longer and/or distribute to other machines, I put them in the starter script.
Kai
On Sunday, April 24, 2011 9:04 AM +0200 Alexander Farber alexander.farber@gmail.com wrote:
If comments are not possible, please share a few tricks - how do YOU usually use iptables on CentOS? I.e. there is "sudo service iptables save", but I've yet to discover its usefulness.
I keep related rules in a named sub-chain. For example, I have a sub-chain just for black-listing spammers.
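Combining the sub-chain idea above with the comment match, as an added example that is not code from this thread: the script builds an iptables-restore stanza for a dedicated blacklist chain in which every rule records the date and the reason in "-m comment", so both the saved file and "iptables -L BLACKLIST -n -v" show why an address was blocked. The chain name BLACKLIST, the entry format and the sample addresses (RFC 5737 documentation ranges) are assumptions made for illustration. The stanza is meant to be loaded with "iptables-restore -n" (noflush) so the rest of the filter table is left alone, and the single jump "-A INPUT -j BLACKLIST" into the chain is added once by hand, early in INPUT.

```python
"""Build an iptables-restore stanza for a dedicated blacklist chain whose
rules carry the date and reason in "-m comment".

Added example, not code from the thread.  The chain name, the entry format
and the addresses below are assumptions (RFC 5737 documentation ranges).
"""
import ipaddress

CHAIN = "BLACKLIST"      # assumed chain name
COMMENT_MAX = 255        # xt_comment stores 256 bytes including the NUL

# Constructed sample entries: (network or host, date added, reason).
SAMPLE_BLACKLIST = [
    ("198.51.100.0/24", "2011-04-20", "repeated flooding of card tables"),
    ("203.0.113.7", "2011-04-22", "abusive chat in the lobby"),
    ("192.0.2.77/24", "2011-04-23", "scripted logins from this /24"),
]


def make_comment(date, reason):
    """Comment text that is safe to embed in a restore file.

    Double quotes and newlines are rejected rather than escaped, because the
    quoting rules of older iptables-restore versions are not worth relying on;
    the length is capped at what the comment match can store.
    """
    text = f"{date} {reason}".strip()
    if any(ch in text for ch in '"\n\r'):
        raise ValueError("comment must not contain double quotes or newlines")
    if len(text) > COMMENT_MAX:
        raise ValueError(f"comment longer than {COMMENT_MAX} characters")
    return text


def blacklist_rules(entries, chain=CHAIN):
    """One -A line per entry; host bits are masked, so 192.0.2.77/24 becomes 192.0.2.0/24."""
    lines = []
    for net, date, reason in entries:
        network = ipaddress.ip_network(net, strict=False)   # raises on garbage input
        comment = make_comment(date, reason)
        lines.append(f'-A {chain} -s {network.with_prefixlen} '
                     f'-m comment --comment "{comment}" -j DROP')
    return lines


def restore_fragment(entries, chain=CHAIN):
    """Full *filter stanza: declare the chain, list its rules, COMMIT.

    With `iptables-restore -n` the chain is created if missing and flushed
    and refilled if it already exists; other chains in the table are untouched.
    The jump from INPUT into the chain is deliberately not part of the stanza,
    so re-loading it does not stack duplicate jumps.
    """
    body = ["*filter", f":{chain} - [0:0]"] + blacklist_rules(entries, chain) + ["COMMIT"]
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    print(restore_fragment(SAMPLE_BLACKLIST), end="")
```

Keeping the entry list in a file and regenerating the chain from it gives the history that was missing from the original ruleset, and "service iptables save" then writes the annotated rules into /etc/sysconfig/iptables with the reasons intact, because they are part of the rules rather than separate comment lines.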