Either I've found a bug, or something else isn't working correctly. This is on CentOS 5.11.

Normally, I will add a rule to the INPUT chain like:

iptables -I INPUT 1 111.222.333.0/24 -j DROP

This is easily deleted with the reverse:

iptables -D INPUT 111.222.333.0/24 -j DROP

recently, I began adding comments to various rules, so I can track them.

iptables -I INPUT 1 -s 204.92.31.0/255.255.255.0 -m comment --comment "012815 SPAM ABUSE " -j DROP

but if I attempt to delete the rule based on the above syntax, it fails. From a basic parsing perspective, I would think that this should just work -- or this is a bug. I don't think it would be realistic for someone to have to type out the entire comment in order for the rule to be matched for:

iptables -D INPUT 204.92.31.0/24 -j DROP

but this fails.

Could someone explain what's going on here?


Thanks.

Read man page of iptables for deleting rules

you can delete your rule

iptables -D INPUT -s 204.92.31.0/255.255.255.0 -m comment --comment "012815 SPAM ABUSE " -j DROP //without line number
or
iptables -D INPUT 1 //detele rule using line number

this is how it works