Alexander Farber
2011-Apr-24 07:04 UTC
[CentOS] Adding comments to /etc/sysconfig/iptables
Hello,

I'm a user (and big fan) of CentOS 5.6, and in my /etc/sysconfig/iptables there are a few blocking rules for some annoying visitors of my website (I have been running a card game there for many years and some people are "special"):

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [294:35064]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s xx.xx.xx.0/24 -j DROP
-A INPUT -s xx.xx.xx.0/24 -j DROP
-A INPUT -s xx.xx.xx.0/24 -j DROP
-A INPUT -s xx.xx.xx.0/24 -j DROP
-A INPUT -s xx.xx.xx.0/24 -j DROP
-A INPUT -s xx.xx.0.0/16 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,8080,443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT
COMMIT

My problem is that I often don't remember why and when a blocking rule was added. Is there a way to add comments to the iptables file? A hash mark # does not seem to work.

If comments are not possible, please share a few tricks - how do YOU usually use iptables on CentOS? I.e. there is "sudo service iptables save", but I've yet to discover its usefulness.

Regards
Alex
Nicolas Thierry-Mieg
2011-Apr-24 07:30 UTC
[CentOS] Adding comments to /etc/sysconfig/iptables
Alexander Farber wrote:
<snip>
> Is there a way to add comments to the iptables file?
> A hash mark # does not seem to work.

Assuming you are talking about /etc/sysconfig/iptables, hash is indeed the comment mark, and works fine. In my file on this system all comment lines have a hash as the first character on the line though, so perhaps it doesn't like end-of-line comments but only accepts full lines of comment.
Alexander Farber wrote on Sun, 24 Apr 2011 09:04:30 +0200:
> i.e. there is "sudo service iptables save",
> but I've yet to discover its usefulness

You can add rules on the fly and save them. For instance, I have a certain "starter script" with iptables rules and other filtering stuff grown over the years. I adapt that, put it on new machines and run it once. Then I save that and only add rules to it from the command line. If I know I want to keep them I save them, otherwise I don't and they will finally go away with the next reboot (e.g. abused mailservers or spambots usually last only for a few days). If there are rules that I want to keep for longer and/or distribute to other machines, I put them in the starter script.

Kai
On Sunday, April 24, 2011 9:04 AM +0200 Alexander Farber <alexander.farber at gmail.com> wrote:
> If comments are not possible, please share a few tricks -
> how do YOU usually use iptables on CentOS,
> i.e. there is "sudo service iptables save",
> but I've yet to discover its usefulness

I keep related rules in a named sub-chain. For example, I have a sub-chain just for black-listing spammers.
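Putting the three answers together (full-line '#' comments in the file, Kai's starter-script workflow, and a named sub-chain for blocked hosts), here is an added example that is not from any of the posters. It assumes the iptables `comment` match (`-m comment --comment "..."`, limited to 256 bytes, available on CentOS 5) and a chain name BLACKLIST chosen for this example; the rules file below is constructed here with documentation addresses, not copied from anyone's server. The point of the `comment` match is that it lives inside the rule and therefore survives `service iptables save`, which regenerates /etc/sysconfig/iptables with `iptables-save` and discards any hand-written '#' lines.

```shell
#!/bin/sh
# Added example (not from the thread): iptables-restore format with full-line
# '#' comments plus the per-rule 'comment' match, kept in a named BLACKLIST chain.
# SAMPLE_RULES is constructed here; on a real box it would be /etc/sysconfig/iptables.

SAMPLE_RULES=$(cat <<'EOF'
# Full-line '#' comments are ignored by iptables-restore, but iptables-save drops them on rewrite
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLACKLIST - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# All per-visitor blocks live in BLACKLIST; INPUT only jumps there
-A INPUT -j BLACKLIST
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,8080,443 -j ACCEPT
-A BLACKLIST -s 203.0.113.0/24 -m comment --comment "2011-04-20 flooding card table chat" -j DROP
-A BLACKLIST -s 198.51.100.0/24 -m comment --comment "2011-03-02 login brute force" -j DROP
-A BLACKLIST -s 192.0.2.7/32 -j DROP
COMMIT
EOF
)

# Print "<source> <comment>" for every -A rule in chain $1 (rules file on stdin).
# A rule without -s or without a comment shows "-" in that column.
list_chain_rules() {
    awk -v chain="$1" '
        /^#/ { next }                       # full-line comment, skip
        $1 == "-A" && $2 == chain {
            src = "-"; cmt = "-"
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "--comment") {
                    # comment is double-quoted and may contain spaces: gather to closing quote
                    j = i + 1; cmt = $j
                    while (substr(cmt, length(cmt), 1) != "\"" && j < NF) { j++; cmt = cmt " " $j }
                    cmt = substr(cmt, 2, length(cmt) - 2)
                    i = j
                }
            }
            print src, cmt
        }'
}

# Count the rules in chain $1 that carry no comment (stdin = rules file):
# these are exactly the entries nobody remembers the reason for a year later.
count_uncommented() {
    list_chain_rules "$1" | awk '$2 == "-" { n++ } END { print n + 0 }'
}

# Number of -A rules in chain $1 (stdin = rules file).
count_chain_rules() {
    list_chain_rules "$1" | awk 'END { print NR }'
}

# Build one ready-to-paste line for the starter script: $1 = CIDR, $2 = reason, $3 = YYYY-MM-DD.
# The date goes into the comment because the kernel keeps no record of when a rule was added.
make_block_rule() {
    printf '%s -s %s -m comment --comment "%s %s" -j DROP\n' '-A BLACKLIST' "$1" "$3" "$2"
}

# Usage when run stand-alone
printf '%s\n' "$SAMPLE_RULES" | list_chain_rules BLACKLIST
echo "BLACKLIST rules without a comment: $(printf '%s\n' "$SAMPLE_RULES" | count_uncommented BLACKLIST)"
make_block_rule 203.0.113.99/32 "spamming table chat" 2011-04-24
```

To use the generated line on a live system, paste it into the starter script (or run it as `iptables -A BLACKLIST ...`) and then `service iptables save`; afterwards `iptables -L BLACKLIST -n -v` shows the comment next to each rule, and `iptables-save` writes it back into the file, which '#' lines never survive. Running the listing function over the saved file is a cheap audit for blocks that were added in a hurry without a reason.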