Iptables décryptage script

Bonjour,

J'ai récupéré un script iptables que j'ai retouché un peu. Mais il reste des zones d'ombres repérés par :

################################# ??????? ######################################

Je mets le script en entier, bien que long car je pense qu'il peut aider des gens.

#!/bin/sh

echo "Setting up IPtables rules"

IPTABLES=/u/system/bin/iptables # where iptables binary lies

# Setting up Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting up IP spoofing protection
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $f
done
fi

# Rules objects
#firewall_adsl="10.0.0.1" # My Firewall external IP
#dslam="10.0.0.138" # IP of my ADSL Modem

localhost="127.0.0.1" # no comments
firewall_intranet="192.168.0.254" # my LAN gateway. My LAN uses IANA private network (RFC1918)
intranet="192.168.0.0/24" # My subnet & bits.
any="0.0.0.0/0" # Internet

# Devices
dev_intra="eth1" # device for Intranet
dev_inter="eth0" # device for ADSL

# High ports
hports="1024:"

KEEPSTATE=" -m state --state ESTABLISHED,RELATED"

################################ INITIALISE VARIABLES ###############################

# Flush all
$IPTABLES -F
$IPTABLES -X

# Deny all by default
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

######################################################################################

# ADSL Tunnel rules
# $IPTABLES -A INPUT -j ACCEPT -i $dev_inter -s $dslam -d $firewall_adsl
# $IPTABLES -A OUTPUT -j ACCEPT -o $dev_inter -d $dslam -s $firewall_adsl

# accept anything on localhost device
$IPTABLES -A INPUT -j ACCEPT -p ALL -i lo
$IPTABLES -A OUTPUT -j ACCEPT -p ALL -o lo

#######################################################################################

# accept anything IntraNet if from IntraNet device

$IPTABLES -A INPUT -j ACCEPT -p ALL -i $dev_intra
$IPTABLES -A OUTPUT -j ACCEPT -p ALL -o $dev_intra

###################### Redirection transparente des requètes web ###################

# Redirectly transparently to Squid WWW requests (you have to setup a
# proxy (Squid for example) listeting on this IP & port)
# $IPTABLES -t nat -A PREROUTING -i $dev_intra -p TCP -j DNAT \
# --dport 80 --to-destination $firewall_intranet:8080

########################## Activate Forwarding ###################################

# Activate Forwarding
$IPTABLES -A FORWARD -j ACCEPT -i $dev_intra -o ppp0 -s $intranet
$IPTABLES -A FORWARD -j ACCEPT -o $dev_intra -i ppp0 -s $any

########################################################################################

# and masquerade IntraNet to Internet with Firewall Internet IP.
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

######### activate established mode on all protocols (statefull inspection) ###########

# TCP PROTOCOL
$IPTABLES -A OUTPUT -j ACCEPT -o ppp0 -p TCP $KEEPSTATE
$IPTABLES -A INPUT -j ACCEPT -i ppp0 -p TCP $KEEPSTATE

# UDP PROTOCOL
$IPTABLES -A OUTPUT -j ACCEPT -o ppp0 -p UDP $KEEPSTATE
$IPTABLES -A INPUT -j ACCEPT -i ppp0 -p UDP $KEEPSTATE

# ICMP PROTOCOL
$IPTABLES -A OUTPUT -j ACCEPT -o ppp0 -p ICMP $KEEPSTATE
$IPTABLES -A INPUT -j ACCEPT -i ppp0 -p ICMP $KEEPSTATE

############################## ?????? #####################################

# Accept ports back from ppp, if flow return, all protocols
$IPTABLES -A OUTPUT -j ACCEPT -p ALL -o ppp0

######################### to provide FTP server to Internet ###########################

# Special for service providers
# If you want to provide FTP server to Internet
$IPTABLES -A INPUT -j ACCEPT -p TCP -i ppp0 --sport $hports --dport 20
$IPTABLES -A INPUT -j ACCEPT -p TCP -i ppp0 --sport $hports --dport 21

# or a HTTP server
$IPTABLES -A INPUT -j ACCEPT -p TCP -i ppp0 --sport $hports --dport 80

################################# ??????? ######################################

# Drop broadcasts pollution (not logged)
$IPTABLES -A INPUT -i $dev_inter -p ALL -j DROP -s 10.0.0.255
$IPTABLES -A INPUT -i $dev_inter -p ALL -j DROP -d 10.0.0.255
$IPTABLES -A OUTPUT -o $dev_inter -p ALL -j DROP -s 10.0.0.255
$IPTABLES -A OUTPUT -o $dev_inter -p ALL -j DROP -d 10.0.0.255
$IPTABLES -A INPUT -i $dev_inter -p ALL -j DROP -s 0.0.0.0
$IPTABLES -A INPUT -i $dev_inter -p ALL -j DROP -d 0.0.0.0
$IPTABLES -A OUTPUT -o $dev_inter -p ALL -j DROP -s 0.0.0.0
$IPTABLES -A OUTPUT -o $dev_inter -p ALL -j DROP -d 0.0.0.0
$IPTABLES -A INPUT -i $dev_inter -p ALL -j DROP -s 255.255.255.255
$IPTABLES -A INPUT -i $dev_inter -p ALL -j DROP -d 255.255.255.255
$IPTABLES -A OUTPUT -o $dev_inter -p ALL -j DROP -s 255.255.255.255
$IPTABLES -A OUTPUT -o $dev_inter -p ALL -j DROP -d 255.255.255.255

################################# ?????? ###########################################

# Reject and log others. Log into log level emergency, with line prefixes with 'FW'.
$IPTABLES -N log_and_drop
$IPTABLES -A INPUT -j log_and_drop
$IPTABLES -A INPUT -j LOG --log-level emerg --log-prefix='FW '
$IPTABLES -A INPUT -j REJECT

Il y a donc 3 sections que je ne comprends pas.
Si vous pouvez me les expliquer, ça serait vraiment super génial. Hésitez pas à être technique j'ai mon bescherel (je sais même pas l'écrire)

Merci d'avance.

otip