
January 20th, 2006, 12:54 PM
entire script
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
# NOTE(review): this is an iptables-save dump (loaded with iptables-restore);
# it is a separate ruleset from the shell script that follows it.
*filter
# Built-in policies are ACCEPT; the REJECT at the end of RH-Firewall-1-INPUT
# is what actually closes INPUT and FORWARD.  OUTPUT is unrestricted.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# INPUT and FORWARD share one chain, so every rule below applies to both
# locally delivered and forwarded packets.
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# The next two rules accept everything arriving on eth0 and eth1 before any
# state or port check, so the per-port rules further down only ever see
# traffic from other interfaces; because FORWARD uses the same chain, packets
# entering on eth0/eth1 are also forwarded unchecked (if ip_forward is on).
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
# every ICMP type, from any source
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# IPsec: ESP (protocol 50) and AH (protocol 51)
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# mDNS, restricted to the link-local multicast group
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
# IPP (CUPS printing) from any source
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New TCP connections: https, ssh, http and ftp control channel (21), from
# any source.  ftp data connections rely on the RELATED match above.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# Everything else is rejected (not silently dropped) with host-prohibited.
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
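#!/bin/sh
# Host firewall built with iptables: default-DROP in both directions, with
# logging chains for everything that is refused.
#
# Every address list below is one whitespace-separated string that is later
# expanded unquoted in `for x in $LIST` loops.  The assignments MUST therefore
# be quoted: an unquoted `VAR=a b c` runs `b` as a command with VAR=a in its
# environment and leaves VAR empty in this shell (which is what the original,
# unquoted lines did).

# Firewall host IP address
IP=65.89.25.119
# MyIP is used to provide a list of hosts who can access the server by SSH.
MYIP="70.32.249.235 65.89.25.100 65.89.25.102"
# Host lists for inbound services
SVRMTRX=12.96.160.0/24
SMMON=216.185.123.250
# Add the IP addresses/mask of machines allowed to ping the host
PING="192.168.2.0/24 $MYIP $SVRMTRX 65.89.25.100 65.89.25.102"
# Add the networks allowed to make an SSH connection.
# (65.89.25.100/.102 are already in MYIP; the repeats only create duplicate,
# harmless rules.)
SSH="$MYIP $SVRMTRX 65.89.25.100 65.89.25.102"
# Sources allowed to reach the web ports: everyone.
WWW=0.0.0.0/0
# NTP servers allowed in and out on udp/123
NTP="66.187.233.4 66.187.224.4"
# red hat time server
# Rate limits: SYNOPT gates new SYNs in the FLOOD chain, LOGOPT throttles every
# LOG rule so a scan cannot fill syslog.  Both are deliberately expanded
# unquoted where they are used, so that they split into separate arguments.
SYNOPT="-m limit --limit 5/second --limit-burst 10"
LOGOPT="--log-level=3 -m limit --limit 1/second --limit-burst 10"
printf 'Setting up firewall for %s\n' "$IP"
# The following assignments should not generally need to be changed
# Addresses that must never appear as source or destination on the public
# interface; the BADIP chain logs and drops them in both directions.
BADIP="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.34.0/24 224.0.0.0/4 240.0.0.0/5 255.255.255.255"
# Hosts to shun outright.  The SHUN chain is built from this list but the
# jumps into it on INPUT/OUTPUT are commented out at the end of the script.
SHUNIP="64.62.194.170 69.93.104.250 205.209.169.220 211.248.38.252"
LO=127.0.0.1
# loopback is appended so the per-host service rules also cover local clients
SSH="$SSH $LO"
WWW="$WWW $LO"
IPT=/sbin/iptables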
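# Refuse to start if the iptables binary is not executable: nothing has been
# changed yet at this point, so the previous policy simply stays in place.
# The diagnostic goes to stderr; the path is quoted so an empty $IPT is a
# clean test failure rather than a syntax error.
if [ ! -x "$IPT" ]; then
  echo "firewall: cant execute $IPT" >&2
  exit 1
fi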
# Close every door first: the built-in policies go to DROP *before* the
# flush, so the host is never accidentally open while the rules are rebuilt.
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Flush and remove user chains in the default (filter) table ...
$IPT -F
$IPT -X
# ... then do the same, plus zero the counters, in every table.
# $1 = table name
reset_table() {
  $IPT -t "$1" -F
  $IPT -t "$1" -X
  $IPT -t "$1" -Z
}
for tbl in filter nat mangle; do
  reset_table "$tbl"
done
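# Logging chain
# Each L* chain is a terminal "log, then drop": the LOG rule carries $LOGOPT
# (expanded unquoted on purpose) so one rate limit protects syslog, and the
# chain always ends in DROP.  Log prefixes are the fixed tag "IPT ...": the
# original expanded "$IPT" (the binary path) into four of the five prefixes,
# inconsistently with the LSHUN rule, which makes the syslog lines harder to
# match.
echo "Setting up logging chain"
$IPT -N LDROP # new user chain called LDROP
# NetBIOS/SMB noise is dropped without logging so it does not drown out the
# interesting entries.
$IPT -A LDROP -p tcp --dport 137:139 -j DROP # unwanted MS stuff
$IPT -A LDROP -p udp --dport 137:139 -j DROP
$IPT -A LDROP -p udp --sport 3333 --dport 3334 -j DROP # more MS stuff
$IPT -A LDROP -j LOG --log-prefix "IPT Drop: " $LOGOPT
$IPT -A LDROP -j DROP
# LBADIP: same silent filters, different tag; target of the BADIP chain.
$IPT -N LBADIP
$IPT -A LBADIP -p tcp --dport 137:139 -j DROP
$IPT -A LBADIP -p udp --dport 137:139 -j DROP
$IPT -A LBADIP -j LOG --log-prefix "IPT BAD: " $LOGOPT
$IPT -A LBADIP -j DROP
# SHUN
$IPT -N LSHUN
$IPT -A LSHUN -j LOG --log-prefix "IPT Shun: " $LOGOPT
$IPT -A LSHUN -j DROP
# Rate-limit violations coming out of the FLOOD chain.
$IPT -N LFLOOD
$IPT -A LFLOOD -j LOG --log-prefix "IPT Flood: " $LOGOPT
$IPT -A LFLOOD -j DROP
# Illegal TCP flag combinations coming out of the FLAGS chain.
$IPT -N LFLAGS
$IPT -A LFLAGS -j LOG --log-prefix "IPT Flags: " $LOGOPT
$IPT -A LFLAGS -j DROP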
# Create a chain that sends traffic to *or* from each listed address to a
# logging chain.  $1 = chain to create, $2 = address list, $3 = log/drop
# target.  $2 is expanded unquoted on purpose so the list splits into words.
build_addr_chain() {
  $IPT -N "$1"
  for addr in $2; do
    $IPT -A "$1" -s "$addr" -j "$3"
    $IPT -A "$1" -d "$addr" -j "$3"
  done
}
# BAD IPs: reserved / never-valid ranges, both directions
echo "Setting up BAD IP chain"
build_addr_chain BADIP "$BADIP" LBADIP
# Shunned hosts: the chain is populated from SHUNIP, but the jumps into it on
# INPUT and OUTPUT are commented out at the end of the script, so it is
# currently inert.
echo "Setting up SHUN list"
build_addr_chain SHUN "$SHUNIP" LSHUN
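# SYN Flood protection
echo "Setting up flood chain"
$IPT -N FLOOD
# Packets within the rate limit RETURN to the caller; the remainder are
# logged and dropped via LFLOOD.  Only --syn packets are sent here (see the
# IN chain), so established flows are never throttled.
$IPT -A FLOOD $SYNOPT -j RETURN
$IPT -A FLOOD -j LFLOOD
# TCP Flag validation: each rule names a flag combination that no legitimate
# stack produces (first argument = mask, second = bits that must be set
# within it); matches are logged and dropped, anything else falls through.
echo "Setting flag validation"
$IPT -N FLAGS
$IPT -A FLAGS -p tcp --tcp-flags ACK,FIN FIN -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ACK,PSH PSH -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ACK,URG URG -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags FIN,RST FIN,RST -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL ALL -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL NONE -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL FIN,PSH,URG -j LFLAGS
# (the original listed "ALL SYN,FIN,PSH,URG" twice; the duplicate is removed)
$IPT -A FLAGS -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j LFLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LFLAGS
# Remaining Flag combinations are considered valid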
# Input TCP/UDP datagrams
# IN receives every non-ICMP packet arriving on a non-loopback interface
# (INPUT jumps here after the BADIP check).  Anything not accepted here
# returns to INPUT, where it is logged and dropped by LDROP.
$IPT -N IN
# conntrack INVALID packets are logged and dropped before anything else
$IPT -A IN -m state --state INVALID -j LDROP
# only SYNs go through the rate limiter; FLOOD RETURNs while under the limit
$IPT -A IN -p tcp --syn -j FLOOD
# bad flag combinations are logged and dropped; valid ones fall through
$IPT -A IN -p tcp -j FLAGS
$IPT -A IN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow servermatrix access
# NOTE: every protocol and port from the whole /24 is accepted here, ahead of
# all the per-port checks below.
$IPT -A IN -p all -s $SVRMTRX -j ACCEPT
# anti-spoofing: an external packet claiming our own address as its source
$IPT -A IN -s $IP -j LDROP
# Accept new inbound connections
# use the SSH list to limit critical connections to secure hosts.
# $SSH also contains 127.0.0.1 (appended above); that entry only produces
# redundant rules, since loopback is accepted directly on INPUT.
echo "Now setting up SSH input"
for sip in $SSH; do
# SSH
$IPT -A IN -p tcp -s $sip --dport 22 -m state --state NEW -j ACCEPT
# MySQL
$IPT -A IN -p tcp -s $sip --dport 3306 -m state --state NEW -j ACCEPT
# pop3 (??)
$IPT -A IN -p tcp -s $sip --dport 110 -m state --state NEW -j ACCEPT
# imaps
$IPT -A IN -p tcp -s $sip --dport 993 -m state --state NEW -j ACCEPT
done
#from release 092 accept connections from anywhere for ssh - from 095 don't do this anymore...
#$IPT -A IN -p tcp --dport 22 -m state --state NEW -j ACCEPT
# WWW is 0.0.0.0/0 plus 127.0.0.1, so http, https and 8081 are open to any
# source (8081 is presumably the ts_admin site named in the OUT rules).
for sip in $WWW; do
$IPT -A IN -p tcp -s $sip --dport 80 -m state --state NEW -j ACCEPT
$IPT -A IN -p tcp -s $sip --dport 443 -m state --state NEW -j ACCEPT
$IPT -A IN -p tcp -s $sip --dport 8081 -m state --state NEW -j ACCEPT
done
# Reject AUTH requests
# ident (tcp/113) gets a RST rather than a silent drop, presumably so remote
# peers that probe ident fail fast instead of waiting for a timeout.
$IPT -A IN -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Additional rules accepting authorized traffic here
for sip in $NTP; do
# accept NTP connections
$IPT -A IN -p udp --dport 123 -s $sip -j ACCEPT
done
# accept SMTP connections
# open to any source; no --state NEW qualifier, unlike the rules above
$IPT -A IN -p tcp --dport 25 -j ACCEPT
# accept IMAP connections
# cleartext IMAP (143) is open to any source, whereas IMAPS (993) above is
# restricted to the SSH list
$IPT -A IN -p tcp --dport 143 -j ACCEPT
# accept POP3 connection
# (no rule follows this comment: POP3/110 is only accepted from the SSH list
# in the loop above)
# Traffic not explicitly accepted will be logged and dropped
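# Output TCP/UDP datagrams
# OUT receives every non-ICMP packet the host itself sends (OUTPUT jumps here
# after the BADIP check).  Outbound is deny-by-default: whatever is not
# accepted here returns to OUTPUT and is logged and dropped by LDROP.
$IPT -N OUT
$IPT -A OUT -p tcp -j FLAGS
#$IPT -A OUT -s ! $IP -j LDROP
# Drop locally generated packets that do not carry our own source address.
# NOTE: the literal below is the same value as $IP, so the "other IPs" the
# trailing comment refers to are not actually permitted yet.
$IPT -A OUT -s ! 65.89.25.119 -j LDROP # modified to allow access from the other IPs available
$IPT -A OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# This firewall is configured to block outbound connections by default
# To allow any output not explicitly blocked, uncomment the following
#$IPT -A OUT -m state --state NEW -j ACCEPT
# Accept new outbound connections
$IPT -A OUT -m state --state NEW -p tcp --dport 21 -j ACCEPT # ftp
$IPT -A OUT -m state --state NEW -p tcp --dport 22 -j ACCEPT # ssh
$IPT -A OUT -m state --state NEW -p tcp --dport 25 -j ACCEPT # smtp
$IPT -A OUT -m state --state NEW -p tcp --dport 43 -j ACCEPT # whois
$IPT -A OUT -m state --state NEW -p tcp --dport 53 -j ACCEPT # domain
$IPT -A OUT -m state --state NEW -p tcp --dport 80 -j ACCEPT # http
$IPT -A OUT -m state --state NEW -p tcp --dport 143 -j ACCEPT # imap
$IPT -A OUT -m state --state NEW -p tcp --dport 443 -j ACCEPT # https
$IPT -A OUT -m state --state NEW -p tcp --dport 8081 -j ACCEPT # 0.94 added for the ts_admin site
$IPT -A OUT -m state --state NEW -p tcp --dport 873 -j ACCEPT # rsync
# servermatrix monitor.  Fixed: the original rule had no -j target, so it only
# counted matches; a new connection to 5510 then fell through every remaining
# rule and was logged and dropped on OUTPUT.
$IPT -A OUT -p tcp --dport 5510 -d $SMMON -j ACCEPT
$IPT -A OUT -m state --state NEW -p udp --dport 53 -j ACCEPT # domain
for dip in $NTP; do
$IPT -A OUT -p udp --dport 123 -d $dip -j ACCEPT # NTP out to server
done
# HTTP output.  Replies are already covered by the ESTABLISHED rule above;
# this stateless rule additionally lets anything bound to local port 80 open
# new connections to any destination.
$IPT -A OUT -p tcp --sport 80 -j ACCEPT
# Only allow 3306 out to SSH list
for sip in $SSH; do
# actually MySQL
$IPT -A OUT -p tcp --sport 3306 -d $sip -j ACCEPT
done
# Add additional rules accepting authorized traffic here
$IPT -A OUT -p all -d $SVRMTRX -j ACCEPT # allow all traffic out to servermatrix
# Traffic not explicitly accepted will be logged and dropped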
# Inbound ICMP Messages
# INPUT sends all ICMP here.  Echo traffic is only accepted from the PING
# list and only when addressed to $IP; the error types below are accepted
# from any source, without rate limiting.
$IPT -N IN_ICMP
for sip in $PING; do
$IPT -A IN_ICMP -p icmp --icmp-type echo-request -s $sip -d $IP -j ACCEPT
# echo-reply is matched by source too, so replies to this host's own pings
# are only accepted from hosts on the PING list
$IPT -A IN_ICMP -p icmp --icmp-type echo-reply -s $sip -d $IP -j ACCEPT
# progress message on stdout, one line per list entry
echo "Allowing PING from $sip to $IP"
done
$IPT -A IN_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type source-quench -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
# Outbound ICMP messages
# Echo request/reply only towards the PING list; error messages to anyone.
# There is no time-exceeded rule here, so this host's own TTL-expiry replies
# fall back to OUTPUT and are logged and dropped there.
$IPT -N OUT_ICMP
for dip in $PING; do
$IPT -A OUT_ICMP -p icmp --icmp-type echo-reply -d $dip -j ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type echo-request -d $dip -j ACCEPT
done
$IPT -A OUT_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
# fragmentation-needed is a destination-unreachable code, so this rule is
# already covered by the one above
$IPT -A OUT_ICMP -p icmp --icmp-type fragmentation-needed -j ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type source-quench -j ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
# Rules for built-in chains
# The built-in policies were set to DROP at the top of the script; these
# rules wire the user chains in and end with an explicit logged drop so
# refused traffic shows up in syslog rather than vanishing into the policy.
$IPT -A INPUT -i lo -j ACCEPT
# reserved/never-valid source or destination addresses first
$IPT -A INPUT -j BADIP
# the SHUN chain is built above but not enabled here
#$IPT -A INPUT -j SHUN
# "-p ! icmp" is the intrapositioned negation form; newer iptables releases
# prefer "! -p icmp" and may print a deprecation warning for this spelling.
$IPT -A INPUT -p ! icmp -j IN
$IPT -A INPUT -p icmp -j IN_ICMP
# anything that returns from IN / IN_ICMP without a verdict
$IPT -A INPUT -j LDROP
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -j BADIP
# same: SHUN is not enabled for outbound either
#$IPT -A OUTPUT -j SHUN
$IPT -A OUTPUT -p ! icmp -j OUT
$IPT -A OUTPUT -p icmp -j OUT_ICMP
# anything that returns from OUT / OUT_ICMP without a verdict
$IPT -A OUTPUT -j LDROP
# End of firewall spec.