Esse script abaixo foi o que consegui com um amigo; logo o modifiquei para a minha rede e para as portas de que eu precisava...
Esse script abaixo não está como o meu, mas é praticamente a mesma coisa; quem for usá-lo só tem que alterar conforme precisar...!!! Obrigado a todos.
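#!/bin/bash
# Firewall script (iptables).
#
# What it does, in order:
#   1. flush the filter, nat and mangle tables and set default policies
#      (INPUT DROP, OUTPUT ACCEPT, FORWARD DROP);
#   2. disable IP forwarding while the rules are being (re)loaded;
#   3. load the iptables kernel modules;
#   4. install the INPUT / FORWARD / nat rules: trusted LAN interface,
#      MASQUERADE out, transparent squid REDIRECT, RDP DNAT to one host;
#   5. re-enable IP forwarding.
#
# Must run as root. The interface names, networks and ports below are the
# values from the original post and are meant to be edited per site.
set -u

# --- Site-specific settings --------------------------------------------------
EXT_IF=eth1           # outbound interface, source of the MASQUERADE
LAN_IF=eth3           # internal interface whose INPUT traffic is fully trusted
PROXY_IF=eth1         # interface whose port 80/443 clients are redirected to squid
TS_DNAT_IF=eth0       # interface on which inbound RDP is DNAT'd to the terminal server
LAN_NET=10.1.1.0/24   # internal network allowed out on the per-port FORWARD rules
TS_HOST=10.1.1.50     # terminal server; bypasses the proxy and receives the RDP DNAT
SQUID_PORT=3128       # local squid listener
# NOTE(review): eth1 is used both as the MASQUERADE output interface and as the
# input interface for the squid REDIRECT and the blanket FORWARD accept, while
# the RDP DNAT listens on eth0 and the trusted LAN is eth3. Confirm which
# interface is really external before deploying: a REDIRECT or an unrestricted
# FORWARD accept on the external interface exposes the proxy and the LAN.

#####################################
### Step 1: clean up first :)     ###
#####################################
# Flush all rules and delete user-defined chains in every table.
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
# Default policies: deny what is not explicitly allowed on INPUT and FORWARD.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

######################################################
### Step 2: protect the host before serving anyone ###
######################################################
# Disable routing between interfaces while the rules are being loaded;
# it is re-enabled as the very last step.
echo "0" > /proc/sys/net/ipv4/ip_forward
# Anti-spoofing (reverse-path filter). Kept disabled as in the original;
# enable it if the routing is symmetric.
#echo "Setting anti-spoofing .....[ OK ]"
#for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
#  echo "1" > "$spoofing"
#done

#############################################
### Step 3: load the iptables modules     ###
#############################################
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ipt_MASQUERADE
echo "regras carregadas .............[ OK ]"

########################################################
### Step 4: define what may pass and what may not    ###
########################################################
# --- INPUT: traffic addressed to this host itself ---------------------------
# Anything from the loopback interface is fine.
iptables -A INPUT -i lo -j ACCEPT
# The internal LAN interface is fully trusted.
iptables -A INPUT -i "$LAN_IF" -j ACCEPT
# Replies and related packets of connections this host already has.
# The original rule also matched NEW here, which accepted every new inbound
# connection from any interface and made the INPUT DROP policy a no-op; new
# connections are now listed explicitly below instead.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Clients whose web traffic is REDIRECTed to squid connect to this host on
# SQUID_PORT; that connection is NEW and needs its own accept.
iptables -A INPUT -i "$PROXY_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
# Service on UDP 5100 (purpose not stated in the original; confirm it is needed).
iptables -A INPUT -p udp --dport 5100 -j ACCEPT
# VPN tunnel interfaces (tun*/tap*) are trusted like the LAN.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT

# --- nat: masquerading, proxy bypasses, redirects, DNAT ---------------------
# Source NAT for everything leaving through the external interface.
iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
# Destinations that must NOT go through the transparent proxy (ACCEPT in nat
# PREROUTING stops further nat processing). These rules must stay above the
# REDIRECT rules.
iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
# NOTE(review): no prefix length below, so this matches only the single
# address 200.223.0.0 (a network address); a /16 was probably intended — confirm.
iptables -t nat -A PREROUTING -p tcp -d 200.223.0.0 -j ACCEPT
#sintegra
#iptables -t nat -A PREROUTING -p tcp -d 200.198.239.21 -j ACCEPT
# The terminal server itself is never proxied.
iptables -t nat -A PREROUTING -s "$TS_HOST" -j ACCEPT
# Terminal server: inbound RDP on TS_DNAT_IF is forwarded to TS_HOST.
# This publishes RDP to every source that reaches TS_DNAT_IF; restrict with
# -s <trusted-source/prefix> where the set of remote users is known.
iptables -t nat -A PREROUTING -i "$TS_DNAT_IF" -p tcp --dport 3389 -j DNAT --to-destination "$TS_HOST":3389
#SSH
#iptables -t nat -A PREROUTING -i eth4 -p tcp --dport 2122 -j DNAT --to-destination 192.168.0.175:2122
#iptables -I FORWARD -p tcp --dport 2122 -j ACCEPT
#conectividade
#iptables -t nat -A PREROUTING -d 200.198.239.21/24 -p tcp --dport 80 -j RETURN
#iptables -t nat -A PREROUTING -d 200.198.232.62/24 -p tcp --dport 80 -j RETURN
#ms-proxy
#iptables -t nat -A PREROUTING -i eth3 -p tcp --dport 1863 -j REDIRECT --to-ports 1863
#abnt catalogo
#iptables -t nat -A PREROUTING -i eth1 -p tcp ! -d 205.237.197.94 --dport 80 -j REDIRECT --to-ports 3128
# Transparent proxy: web traffic arriving on PROXY_IF goes to the local squid.
iptables -t nat -A PREROUTING -i "$PROXY_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
# NOTE(review): intercepting 443 into a plain HTTP squid port does not work
# unless squid is configured for TLS interception on that port; otherwise
# HTTPS from PROXY_IF clients is broken by this rule — confirm the squid setup.
iptables -t nat -A PREROUTING -i "$PROXY_IF" -p tcp --dport 443 -j REDIRECT --to-ports "$SQUID_PORT"

# --- FORWARD: what the LAN may reach on the outside -------------------------
# Proxy-bypassed destinations (see the nat rules above).
iptables -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT
# NOTE(review): same missing prefix length as in the nat rule — single host only.
iptables -A FORWARD -p tcp -d 200.223.0.0 -j ACCEPT
# Mail (SMTP/submission/POP3 and their TLS ports), plus the application ports
# the original allowed from any source.
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 26 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --dport 465 -j ACCEPT
iptables -A FORWARD -p tcp --dport 587 -j ACCEPT
iptables -A FORWARD -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -p tcp --dport 3456 -j ACCEPT
iptables -A FORWARD -p tcp --dport 1863 -j ACCEPT
# Also lets the DNAT'd RDP traffic through to TS_HOST.
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
# Ports allowed only from the internal network.
#iptables -A FORWARD -s "$LAN_NET" -p tcp --dport 8017 -j ACCEPT
iptables -A FORWARD -s "$LAN_NET" -p tcp --dport 2059 -j ACCEPT
iptables -A FORWARD -s "$LAN_NET" -p tcp --dport 3456 -j ACCEPT
iptables -A FORWARD -s "$LAN_NET" -p tcp --dport 5100 -j ACCEPT
# VPN tunnel interfaces may be routed freely.
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
# Conectividade Social / SEFIP (host cmt.caixa.gov.br):
#iptables -A FORWARD -p tcp -s "$LAN_NET" -d 200.201.173.68 -j ACCEPT
#iptables -A FORWARD -p tcp -s "$LAN_NET" -d 200.201.166.200 -j ACCEPT
#iptables -A FORWARD -p tcp -s "$LAN_NET" -d 200.201.174.204 -j ACCEPT
#iptables -A FORWARD -p tcp -s "$LAN_NET" -d 200.201.174.207 -j ACCEPT
#sped fiscal
#iptables -A FORWARD -p tcp -s "$LAN_NET" -d 200.198.239.21 -j ACCEPT
#iptables -A FORWARD -p tcp -s "$LAN_NET" -d 205.237.197.94 -j ACCEPT
# Everything entering on PROXY_IF is allowed to be forwarded. This makes the
# per-port list above redundant for that interface; if PROXY_IF is really the
# external side, this rule must be removed (see the NOTE at the top).
iptables -A FORWARD -i "$PROXY_IF" -j ACCEPT
# Return traffic for forwarded connections.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

###################################################
### Step 5: finally, turn forwarding on :)      ###
###################################################
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Firewall OK ...............[ OK ]"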
Obrigado a todos.