how to add comment to iptables ??

Phylion

Occasional Visitor
Since the output of iptables -L FORWARD -v -n shows some kind of comments, it seems to be possible to add comments to iptables rules.

But everything I find online, uses -m comment --comment "comment text".

That command syntax unfortunately does not work. So does anyone know the syntax in Asus firmware?
 
The comment module isn't available in the firmware.
 
Thank you for confirming my suspicion.

But when I run iptables I get the following lines:

Code:
admin@Galaxy:/tmp/home/root# iptables -L FORWARD -v -n -x | grep 192.168.2
     314    32857 ACCEPT     all  --  *      *       192.168.2.161        0.0.0.0/0
     362   109362 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.2.161
    1721   208642 ACCEPT     all  --  *      *       192.168.2.145        0.0.0.0/0
    1594   862511 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.2.145
   77507 62724454            all  --  ppp0   br0     0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.2.0/255.255.255.0 name: lan
   73704 11268097            all  --  br0    ppp0    0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.2.0/255.255.255.0 name: lan
       0        0            all  --  usb    br0     0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.2.0/255.255.255.0 name: lan
       0        0            all  --  br0    usb     0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.2.0/255.255.255.0 name: lan

Here I assume that the text "account: network/netmask: 192.168.2.0/255.255.255.0 name: lan" is a comment. So it looks like it should be possible.
 
No, it's not a comment. It's part of the rule for ipt_account.
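An added example, not from the thread or the Asus firmware, that parses a `-L FORWARD -v -n -x` listing like the one pasted above: it anchors on the `opt` column so rules with a blank target (the ipt_account rows) still parse, keeps the trailing match-extension text such as `account: ...` as rule data rather than a comment, and shows that a real `-m comment` match would render as `/* ... */`. The sample listing is constructed, including a DROP row carrying a comment, which the firmware's own iptables (lacking the comment module) would not produce.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the listing pasted in the thread (not taken from a live router).
# The last row shows how a rule with a real "-m comment" match is displayed: as /* text */.
SAMPLE = """\
    pkts      bytes target     prot opt in     out     source               destination
     314    32857 ACCEPT     all  --  *      *       192.168.2.161        0.0.0.0/0
   77507 62724454            all  --  ppp0   br0     0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.2.0/255.255.255.0 name: lan
   73704 11268097            all  --  br0    ppp0    0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.2.0/255.255.255.0 name: lan
      12     1200 DROP       tcp  --  br0    ppp0    192.168.2.50         0.0.0.0/0           tcp dpt:25 /* no smtp from lan */
"""

@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str      # "" when the rule has no target (the ipt_account rules above)
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str       # trailing match-extension text: "account: ...", "tcp dpt:25", ...

    @property
    def comment(self):
        """Text of a real -m comment match (rendered as /* ... */), or None."""
        m = re.search(r"/\*\s*(.*?)\s*\*/", self.extra)
        return m.group(1) if m else None

def parse_listing(text: str) -> list[Rule]:
    """Parse 'iptables -L <chain> -v -n -x' output; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or not (tok[0].isdigit() and tok[1].isdigit()):
            continue
        # A blank target shifts later fields left by one, so anchor on the 'opt' column (index 3 or 4).
        opt_idx = next((i for i in (3, 4) if tok[i] in ("--", "-f", "!f")), None)
        if opt_idx is None or len(tok) < opt_idx + 5:
            continue
        in_if, out_if, src, dst = tok[opt_idx + 1:opt_idx + 5]
        rules.append(Rule(int(tok[0]), int(tok[1]), tok[2] if opt_idx == 4 else "",
                          tok[opt_idx - 1], in_if, out_if, src, dst, " ".join(tok[opt_idx + 5:])))
    return rules

def account_bytes(rules: list[Rule]) -> dict[tuple[str, str], int]:
    """Byte counters of the ipt_account rules keyed by (in, out) interface."""
    return {(r.in_if, r.out_if): r.nbytes for r in rules if r.extra.startswith("account:")}
```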
 
Then I really have no clue how that's working, since I cannot remember reading anything on that with iptables.
But what I had in mind will not work. So I have to document it the old way.
 
Is this the reason why VPN traffic using OpenVPN does not show up in the traffic logs?

This could be a handy feature because that way it is possible to monitor mobile traffic at a central point.
 
What are you talking about? I don't see the relation with the absence of the comment module.
 
I assumed that "account: network/netmask: 192.168.2.0/255.255.255.0 name: lan" was a comment. You made clear that it has to do with ipt_account.

And as far as I understand, ipt_account is for the traffic part of the web GUI.

So the relation is the strange connection in my head I guess ;-)
 
It's not a comment. Please re-read my answer in post #4.
 
I fully understand your answer that it is not a comment.

But are those firewall rules the base for the traffic monitoring pages?
 
Correct - only for the IPTraffic tho (the per-IP part).

Traffic monitoring for VPN tunnels would be tricky to implement, due to how iptraffic works (both the module and the firmware-level implementation).
 