From 20db75b31670df107896188719c339dc003e00c2 Mon Sep 17 00:00:00 2001
From: bedefaced
Date: Fri, 21 Apr 2017 00:50:46 +0300
Subject: [PATCH] iptables rules comments

---
 ipsec/iptables-setup.sh | 42 ++++++++++++++++++++-------------------
 openvpn/iptables-setup.sh | 30 +++++++++++++++-------------
 pptp/iptables-setup.sh | 26 +++++++++++++-----------
 3 files changed, 52 insertions(+), 46 deletions(-)

diff --git a/ipsec/iptables-setup.sh b/ipsec/iptables-setup.sh
index 6b6ac89..ddf3883 100755
--- a/ipsec/iptables-setup.sh
+++ b/ipsec/iptables-setup.sh
@@ -3,6 +3,8 @@ DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
 source $DIR/env.sh
+COMMENT=" -m comment --comment \"IPSEC\""
+
 if [[ ! -e $IPTABLES ]]; then
 touch $IPTABLES
 fi
@@ -38,11 +40,11 @@ read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP
 if [ "$STATIC" == "$ANSIP" ]; then
 # SNAT
 sed -i -e "s@PUBLICIP@$IP@g" $IPSECCONFIG
- iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP
+ eval iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP $COMMENT
 else
 # MASQUERADE
 sed -i -e "s@PUBLICIP@%$GATE@g" $IPSECCONFIG
- iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE
+ eval iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE $COMMENT
 fi
 DROP="yes"
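Review bot: The new `eval` in front of the SNAT and MASQUERADE lines makes the shell parse `$IP`, `$GATE` and `$LOCALIPMASK` a second time, so any shell metacharacters in those values would be executed by a script that has to run as root to call iptables; `$IP` is set outside this hunk and only echoed in the prompt, so its origin cannot be checked from here. The `eval` is only needed because `COMMENT` carries embedded quotes, and a bash array removes both the re-parsing and the quoting: `COMMENT=(-m comment --comment IPSEC)` in the first hunk, then `iptables -t nat -A POSTROUTING -s "$LOCALIPMASK" -o "$GATE" -j SNAT --to-source "$IP" "${COMMENT[@]}"` here. The same `eval ... $COMMENT` form is used on every changed line of this patch, including the openvpn and pptp hunks, so the same change applies there.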
@@ -51,37 +53,37 @@ read -p "Would you want to disable client-to-client routing? [yes] " ANSDROP
 if [ "$DROP" == "$ANSDROP" ]; then
 # disable forwarding
- iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
+ eval iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT
 else
 echo "Deleting DROP rule if exists..."
- iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
+ eval iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT
 fi
 # Enable forwarding
-iptables -A FORWARD -j ACCEPT
+eval iptables -A FORWARD -j ACCEPT $COMMENT
 # MSS Clamping
-iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+eval iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu $COMMENT
 # PPP
-iptables -A INPUT -i ppp+ -j ACCEPT
-iptables -A OUTPUT -o ppp+ -j ACCEPT
+eval iptables -A INPUT -i ppp+ -j ACCEPT $COMMENT
+eval iptables -A OUTPUT -o ppp+ -j ACCEPT $COMMENT
 # XL2TPD
-iptables -A INPUT -p tcp -m tcp --dport 1701 -j ACCEPT
-iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-iptables -A OUTPUT -p tcp -m tcp --sport 1701 -j ACCEPT
-iptables -A OUTPUT -p udp -m udp --sport 1701 -j ACCEPT
+eval iptables -A INPUT -p tcp -m tcp --dport 1701 -j ACCEPT $COMMENT
+eval iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT $COMMENT
+eval iptables -A OUTPUT -p tcp -m tcp --sport 1701 -j ACCEPT $COMMENT
+eval iptables -A OUTPUT -p udp -m udp --sport 1701 -j ACCEPT $COMMENT
 # IPSEC
-iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
-iptables -A OUTPUT -p udp -m udp --sport 500 -j ACCEPT
-iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-iptables -A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT
-iptables -A INPUT -p esp -j ACCEPT
-iptables -A OUTPUT -p esp -j ACCEPT
-iptables -A INPUT -p ah -j ACCEPT
-iptables -A OUTPUT -p ah -j ACCEPT
+eval iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT $COMMENT
+eval iptables -A OUTPUT -p udp -m udp --sport 500 -j ACCEPT $COMMENT
+eval iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT $COMMENT
+eval iptables -A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT $COMMENT
+eval iptables -A INPUT -p esp -j ACCEPT $COMMENT
+eval iptables -A OUTPUT -p esp -j ACCEPT $COMMENT
+eval iptables -A INPUT -p ah -j ACCEPT $COMMENT
+eval iptables -A OUTPUT -p ah -j ACCEPT $COMMENT
 iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES
diff --git a/openvpn/iptables-setup.sh b/openvpn/iptables-setup.sh
index 51bde5d..5107462 100755
--- a/openvpn/iptables-setup.sh
+++ b/openvpn/iptables-setup.sh
@@ -3,6 +3,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 source $DIR/env.sh
+COMMENT=" -m comment --comment \"OPENVPN\""
+
 if [[ ! -e $IPTABLES ]]; then
 touch $IPTABLES
 fi
@@ -38,11 +40,11 @@ read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP
 if [ "$STATIC" == "$ANSIP" ]; then
 # SNAT
 sed -i -e "s@PUBLICIP@$IP@g" $OPENVPNCONFIG
- iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP
+ eval iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP $COMMENT
 else
 # MASQUERADE
 sed -i -e "/PUBLICIP/d" $OPENVPNCONFIG
- iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE
+ eval iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE $COMMENT
 fi
 DROP="yes"
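Review bot: After this change the `-D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT` line in the else branch of the ipsec hunk only removes a rule that carries the IPSEC comment, because `iptables -D` with a rule specification needs an exact match on every match, the comment included; a DROP rule installed by an earlier run of this script, before the comment existed, stays in place even though the user answered that client-to-client routing should remain enabled, and "Deleting DROP rule if exists..." is then misleading. Either delete both forms, the commented one and the bare `iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP`, or document the limitation next to the delete with `# -D needs an exact match: DROP rules added before comments existed are not removed`. The three delete lines in the openvpn hunk and the delete line in the pptp hunk behave the same way.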
@@ -52,29 +54,29 @@ read -p "Would you want to disable client-to-client routing? [yes] " ANSDROP
 if [ "$DROP" == "$ANSDROP" ]; then
 # disable forwarding
 sed -i -e "/client-to-client/d" $OPENVPNCONFIG
- iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
- iptables -A FORWARD -i tun+ -o tun+ -j DROP
- iptables -A FORWARD -i tap+ -o tap+ -j DROP
+ eval iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT
+ eval iptables -A FORWARD -i tun+ -o tun+ -j DROP $COMMENT
+ eval iptables -A FORWARD -i tap+ -o tap+ -j DROP $COMMENT
 else
 echo "Deleting DROP rules if exists..."
- iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
- iptables -D FORWARD -i tap+ -o tap+ -j DROP
- iptables -D FORWARD -i tun+ -o tun+ -j DROP
+ eval iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT
+ eval iptables -D FORWARD -i tap+ -o tap+ -j DROP $COMMENT
+ eval iptables -D FORWARD -i tun+ -o tun+ -j DROP $COMMENT
 fi
 # Enable forwarding
-iptables -A FORWARD -j ACCEPT
+eval iptables -A FORWARD -j ACCEPT $COMMENT
 # MSS Clamping
-iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+eval iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu $COMMENT
 # TUN/TAP
-iptables -A INPUT -i tun+ -j ACCEPT
-iptables -A OUTPUT -o tun+ -j ACCEPT
+eval iptables -A INPUT -i tun+ -j ACCEPT $COMMENT
+eval iptables -A OUTPUT -o tun+ -j ACCEPT $COMMENT
 # OpenVPN
-iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-iptables -A OUTPUT -p udp -m udp --sport 1194 -j ACCEPT
+eval iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT $COMMENT
+eval iptables -A OUTPUT -p udp -m udp --sport 1194 -j ACCEPT $COMMENT
 iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES
 iptables -F
diff --git a/pptp/iptables-setup.sh b/pptp/iptables-setup.sh
index c4a7722..bd0982f 100755
--- a/pptp/iptables-setup.sh
+++ b/pptp/iptables-setup.sh
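Review bot: Appending `$COMMENT` by hand to all fourteen iptables invocations in this hunk is repetition that is easy to miss when a rule is added later, and each line silently relies on the leading space baked into `COMMENT=" -m comment ..."`. A wrapper defined once near the top of the file, `ipt() { iptables "$@" -m comment --comment OPENVPN; }`, called as `ipt -A INPUT -i tun+ -j ACCEPT`, keeps the tag in a single place and needs neither the leading space nor `eval`; the order of options is the same as the patch already uses, with the comment match after `-j`. The `iptables-save | awk` and `iptables -F` context lines at the end are unaffected by either form. The pptp hunk below would take the same wrapper with its own tag.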
@@ -3,6 +3,8 @@ DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
 source $DIR/env.sh
+COMMENT=" -m comment --comment \"PPTP\""
+
 if [[ ! -e $IPTABLES ]]; then
 touch $IPTABLES
 fi
@@ -37,10 +39,10 @@ read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP
 if [ "$STATIC" == "$ANSIP" ]; then
 # SNAT
- iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP
+ eval iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP $COMMENT
 else
 # MASQUERADE
- iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE
+ eval iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE $COMMENT
 fi
 DROP="yes"
@@ -49,29 +51,29 @@ read -p "Would you want to disable client-to-client routing? [yes] " ANSDROP
 if [ "$DROP" == "$ANSDROP" ]; then
 # disable forwarding
- iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
+ eval iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT
 else
 echo "Deleting DROP rule if exists..."
- iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
+ eval iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT
 fi
 # Enable forwarding
-iptables -A FORWARD -j ACCEPT
+eval iptables -A FORWARD -j ACCEPT $COMMENT
 # MSS Clamping
-iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+eval iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu $COMMENT
 # PPP
-iptables -A INPUT -i ppp+ -j ACCEPT
-iptables -A OUTPUT -o ppp+ -j ACCEPT
+eval iptables -A INPUT -i ppp+ -j ACCEPT $COMMENT
+eval iptables -A OUTPUT -o ppp+ -j ACCEPT $COMMENT
 # PPTP
-iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-iptables -A OUTPUT -p tcp -m tcp --sport 1723 -j ACCEPT
+eval iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT $COMMENT
+eval iptables -A OUTPUT -p tcp -m tcp --sport 1723 -j ACCEPT $COMMENT
 # GRE
-iptables -A INPUT -p gre -j ACCEPT
-iptables -A OUTPUT -p gre -j ACCEPT
+eval iptables -A INPUT -p gre -j ACCEPT $COMMENT
+eval iptables -A OUTPUT -p gre -j ACCEPT $COMMENT
 iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES
 iptables -F