now i got it
anyway, I'm posting my firewall
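####### Pre Configure Iptables #########
# Expects the caller to have set IPTABLES (path to the iptables binary),
# EXTIF (external interface) and INTIF (internal interface), and to provide
# get_addr, which prints the IPv4 address of the interface it is given.
# Fail early with a message instead of running iptables with empty arguments.
: "${IPTABLES:?IPTABLES must point to the iptables binary}"
: "${EXTIF:?EXTIF (external interface) must be set}"
: "${INTIF:?INTIF (internal interface) must be set}"

# Default-deny INPUT and FORWARD, allow locally originated traffic, then
# flush whatever a previous run left behind (policies survive -F, rules do not).
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -F INPUT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -F OUTPUT
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F FORWARD
"$IPTABLES" -t nat -F
###### Blocked logging chain (kept for reference; not active)
#$IPTABLES -N block
#$IPTABLES -F block
#$IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A block -m state --state NEW -i ! eth0 -j ACCEPT
#$IPTABLES -A block -j LOG --log-level 6 --log-prefix "DROP UNTRUSTED NETWORKS "
#$IPTABLES -A block -j DROP
####### Configure IPROUTE2 Rules #######
####### IPTABLES Rules #################
############ INPUT
# Log TCP arrivals, but rate-limit the LOG target: an unbounded LOG on every
# TCP packet lets any remote sender fill the kernel log / syslog.
# (the limit values are a starting point; tune them for this host)
"$IPTABLES" -A INPUT -p tcp -m limit --limit 10/min --limit-burst 20 -j LOG --log-level debug
# NOTE(review): every ICMP type from the external interface is accepted,
# including redirects (the first rule is subsumed by the second). Whether a
# redirect actually alters routing depends on the kernel's accept_redirects
# sysctl — confirm this exposure is intended.
"$IPTABLES" -A INPUT -i "$EXTIF" -p icmp -m icmp --icmp-type redirect -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTIF" -p icmp -j ACCEPT
"$IPTABLES" -A INPUT -i lo -j ACCEPT
# Everything from the internal side is trusted.
"$IPTABLES" -A INPUT -i "$INTIF" -j ACCEPT
# Services exposed on every interface, including $EXTIF (no -i match):
# ssh, ftp, submission, pop3 and IRC.
"$IPTABLES" -A INPUT -p tcp -m multiport --destination-port 22,21,20,587,110,6666,6667,6668,6669 -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
############ FORWARD
# Rate-limited for the same reason as the INPUT log rule.
"$IPTABLES" -A FORWARD -p tcp -m limit --limit 10/min --limit-burst 20 -j LOG --log-level debug
# NetBs Drop
# These must precede the ACCEPT rules: appended after them (as they were
# originally) they only saw packets the rate-limited --syn rule and the
# ESTABLISHED,RELATED rule had not already accepted, so 135-139/445 was
# still reachable at up to 1 SYN/s.
"$IPTABLES" -A FORWARD -p tcp --dport 135:139 -j DROP
"$IPTABLES" -A FORWARD -p tcp --dport 445 -j DROP
# Internal -> external: permitted destination ports.
"$IPTABLES" -A FORWARD -p tcp -i "$INTIF" -o "$EXTIF" -m multiport --destination-port 22,21,20,25,53,443,587,110,5190,1863,5000,5050,80,3128 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp -i "$INTIF" -o "$EXTIF" -m multiport --destination-port 6666,6667,6668,6669 -j ACCEPT
# Syn-flood
# NOTE(review): no interface match, so this also admits new TCP connections
# arriving on $EXTIF towards $INTIF (at most 1/s) on any port; add
# `-i "$INTIF" -o "$EXTIF"` if only outbound SYNs should be rate-limited here.
"$IPTABLES" -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Ports Scans
"$IPTABLES" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Ping Death
"$IPTABLES" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# NOTE(review): all UDP from $EXTIF to $INTIF is accepted with no state
# match, so any external host can reach any internal UDP port; use
# `-m state --state ESTABLISHED,RELATED` here if only replies are wanted.
"$IPTABLES" -A FORWARD -p udp -i "$EXTIF" -o "$INTIF" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -p udp -i "$INTIF" -o "$EXTIF" -j ACCEPT
############ OUTPUT
############ PREROUTING ## -j DNAT --to-destination 192.168.0.1:8080
#$IPTABLES -t nat -A PREROUTING -p tcp -s 10.0.0.0/24 --dport 110 -j DNAT --to-destination 192.168.0.1:4128
# Transparent proxy: web ports not destined for the local nets go to 3128.
# `-d ! net` is the older inverted-match spelling; newer iptables expects
# `! -d net` and may warn about (or reject) this form.
# NOTE(review): "kerberos" resolves to port 88 via /etc/services — confirm
# that redirecting it to the proxy is intentional.
"$IPTABLES" -t nat -A PREROUTING -p tcp -d ! 10.0.0.0/24 -m multiport --dports 80,81,82,83,kerberos,8000,8001,8002 -j REDIRECT --to-ports 3128
"$IPTABLES" -t nat -A PREROUTING -p tcp -d ! 172.17.60.0/24 -m multiport --dports 8083,8091,8100,8101,8102,8103,8888,777 -j REDIRECT --to-ports 3128
#$IPTABLES -t nat -A PREROUTING -p tcp -d ! 192.168.0.0/16 -m multiport --dports 443,1863,5190,5050,5100,5000,5001 -j REDIRECT --to-ports 4128
#$IPTABLES -t nat -A PREROUTING -p tcp -d ! 192.168.0.0/16 -m multiport --dports 443,1863,5190 -j REDIRECT --to-ports 4128
#$IPTABLES -t nat -A PREROUTING -p tcp -d ! 192.168.0.0/16 -m multiport --dports 443,1863,5190,5050,5100,5000,5001 -j DNAT --to-destination 127.0.0.1:4128
# POSTROUTING
#$IPTABLES -t nat -A POSTROUTING -j MASQUERADE -s 192.168.0.0/16 -d ! 192.168.0.0/16
# Resolve the external address first so a failing or empty get_addr aborts
# instead of appending an SNAT rule with an empty --to-source.
ext_addr=$(get_addr "$EXTIF") || { echo "get_addr $EXTIF failed" >&2; exit 1; }
[ -n "$ext_addr" ] || { echo "get_addr $EXTIF returned no address" >&2; exit 1; }
# 10.0.0.10/24 has host bits set; iptables applies the mask, so this
# matches the whole 10.0.0.0/24.
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -s 10.0.0.10/24 -j SNAT --to-source "$ext_addr"
echo " firewall started "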