Beskrivelse af iptables!!!
Hej... Jeg ønsker en beskrivelse af de forskellige linjer i mit script!!!
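#!/bin/sh
# Firewall and NAT rules for a three-legged gateway (WAN / LAN / DMZ).
#
# Usage: run as root. Re-running is safe: every table and user-defined
#        chain is flushed and deleted before the rules are added again.
#
# Layout (from the variables below): eth0 = WAN, eth1 = LAN, eth2 = DMZ.
# The web, ftp and mail services all live on the same DMZ host.
#
# Abort on the first iptables error or unset variable, so that a typo does
# not silently leave a half-built ruleset behind the DROP policies.
set -eu

# WAN
WAN_IP=192.168.1.145        # address of this host on the WAN side
WAN_NET=192.168.1.0/24      # WAN network
WAN_NIC='eth0'              # WAN interface
# LAN
LAN_IP=172.17.0.1           # address of this host on the LAN side
LAN_NET=172.17.0.0/16       # LAN network
LAN_NIC='eth1'              # LAN interface
LAN_EXCHANGE=172.17.0.2     # internal Exchange server
# DMZ
DMZ_IP=192.168.10.1         # address of this host on the DMZ side (unused below)
DMZ_NET=192.168.10.0/24     # DMZ network
DMZ_NIC='eth2'              # DMZ interface
DMZ_WEB=192.168.10.2        # web server
DMZ_FTP=192.168.10.2        # ftp server
DMZ_MAIL=192.168.10.2       # mail relay

# Allow the kernel to route packets between the three interfaces.
echo "1" > /proc/sys/net/ipv4/ip_forward

# Default policies: nothing in or through this host unless explicitly allowed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Start from an empty ruleset. -F only empties chains; -X also removes the
# user-defined ones, so '-N stat' below does not fail on a second run.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -N stat

# Loopback.
iptables -A INPUT -i lo -j ACCEPT
# The mail relay may talk to this host. Binding the rule to the DMZ
# interface keeps a packet with a forged DMZ_MAIL source arriving on
# the WAN or LAN side from matching.
iptables -A INPUT -i "$DMZ_NIC" -s "$DMZ_MAIL" -j ACCEPT
#iptables -A FORWARD -j ACCEPT
#iptables -A OUTPUT -j ACCEPT

# SSH ACCESS -- from any source (0/0). Narrow -s to the network the
# administrators actually use if remote access is not needed from everywhere.
iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
# ACCEPT ICMP from the WAN network.
iptables -A INPUT -p icmp -s "$WAN_NET" -j ACCEPT

# STATEFUL: the shared 'stat' chain accepts replies to existing connections
# and any new connection that enters on the LAN interface.
iptables -A stat -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A stat -m state --state NEW -i "$LAN_NIC" -j ACCEPT
iptables -A INPUT -j stat
iptables -A FORWARD -j stat

# NAT. Negation is written '! -d' (extrapositioned); the old '-d "!" x'
# form is deprecated. The specific LAN<->DMZ rules come before the
# catch-all '! -d' rules: SNAT is terminating, so in the original order
# the DMZ->LAN rule was shadowed by the DMZ->anything-else rule.
# NOTE(review): LAN->DMZ is SNATed to LAN_IP; DMZ hosts normally reach the
# DMZ-side address (DMZ_IP) -- confirm the DMZ has a route to 172.17.0.1.
iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$DMZ_NET" -j SNAT --to "$LAN_IP"
iptables -t nat -A POSTROUTING -s "$DMZ_NET" -d "$LAN_NET" -j SNAT --to "$LAN_IP"
iptables -t nat -A POSTROUTING -s "$LAN_NET" ! -d "$LAN_NET" -j SNAT --to "$WAN_IP"
iptables -t nat -A POSTROUTING -s "$DMZ_NET" ! -d "$DMZ_NET" -j SNAT --to "$WAN_IP"

# DMZ WEB-SERVER: inbound tcp/80 on the WAN interface goes to the web server.
# NOTE(review): the FORWARD rule matches tcp/80 in every direction (it is
# also what lets DMZ hosts reach web sites); add -d "$DMZ_WEB" if
# DMZ-originated web traffic is not wanted.
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i "$WAN_NIC" -p tcp --dport 80 -j DNAT --to "$DMZ_WEB:80"
# DMZ FTP-SERVER: only the control channel (tcp/21) is forwarded.
# NOTE(review): data connections rely on the ftp conntrack/nat helper being
# loaded so they count as RELATED -- confirm on the host.
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -i "$WAN_NIC" -p tcp --dport 21 -j DNAT --to "$DMZ_FTP:21"
# DMZ MAIL-SERVER: SMTP from the WAN network goes to the relay.
# SMTP runs over TCP; the udp/25 rules are kept as written but should not
# match real traffic.
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -s "$WAN_NET" -p tcp --dport 25 -j DNAT --to "$DMZ_MAIL:25"
iptables -A FORWARD -p udp --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -s "$WAN_NET" -p udp --dport 25 -j DNAT --to "$DMZ_MAIL:25"
# MAIL FROM DMZ TO LAN: everything the relay sends to port 25 is rewritten
# to the Exchange server.
# NOTE(review): this also catches mail the relay would deliver to the
# Internet; if the relay handles outbound mail, restrict the rule with
# a destination match.
iptables -t nat -A PREROUTING -s "$DMZ_MAIL" -p tcp --dport 25 -j DNAT --to "$LAN_EXCHANGE:25"
iptables -t nat -A PREROUTING -s "$DMZ_MAIL" -p udp --dport 25 -j DNAT --to "$LAN_EXCHANGE:25"
# SQUID PROXY: transparently redirect LAN web traffic to the local squid.
iptables -t nat -A PREROUTING -p tcp -s "$LAN_NET" --dport 80 -j REDIRECT --to-port 3128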