Meaning of log entries from an iptables configuration
iptables -t nat -A PREROUTING -i ppp33 -p tcp --dport 44447 -j DNAT --to 192.168.1.101
This means that your interface ppp33 has Network Address Translation (NAT) setup for all requests to the destination of 192.168.1.101:44447.
iptables -I FORWARD 1 -i ppp33 -p tcp -d 192.168.1.101 --dport 44447 -j ACCEPT
This rule complements the previous rule by ensuring that the request is forwarded to the 192.168.1.101 host.
iptables -A INPUT -i ppp33 -p tcp --syn -m limit --limit 6/h -j LOG --log-level 1 --log-prefix="Intrusion -> "
This rule states that when it sees SYN flags only in a TCP packet, it will log "Intrusion" upto 6 times per hour (thanks Gilles for the call out). This is commonly done to help an administrator discover Stealth network scans. This is for all tcp inbound to the host.
iptables -A FORWARD -i ppp33 -p tcp --syn -m limit --limit 6/h -j LOG --log-level 1 --log-prefix="Intrusion -> "
This is the same as the above, but for all TCP packets intended to other hosts that sit behind this hosts NAT that it may be doing some translation for.
iptables -A INPUT -i ppp33 -j DROP
This is a rule that is all encompassing. Should you see any other traffic that is intended for this host AND doesn't meet the above rules, DROP the connection.
iptables -A FORWARD -i ppp33 -j DROP
Same as the previous rule, but DROP connections for anything that may be forwarded onto another machine that this machine can forward to.
iptables -t nat -A PREROUTING -i ppp33 -p tcp --dport 44447 -j DNAT --to 192.168.1.101
TCP packets sent to the PPP interface (i.e. from the Internet side) on port 44447 are resent to the IP address 192.168.1.101, which is in the private network range. The router is performing NAT, specifically DNAT. This means that external hosts can reach your 192.168.1.101 on port 44447 by contacting your router.
iptables -A INPUT -i ppp33 -p tcp --syn -m limit --limit 6/h -j LOG --log-level 1 --log-prefix="Intrusion -> "
This line logs TCP SYN packets (packets that (attempt to) initiate a connection), coming in from the Internet. All such packets are logged except the ones that are redirected earlier by the PREROUTING rule. However, there is a rate limit for logging: no more than 6 such packets are logged in a 1-hour window, subsequent ones are ignored.
iptables -A INPUT -i ppp33 -j DROP
Any other incoming packet is silently dropped.
Logging these connection attempts is pretty boring. Any machine connected to the Internet gets scanned often, by various bots looking for potential vulnerabilities. You should block incoming connections except to vetted ports. You are highly unlikely to get any value from the logs of blocked connection attempts.