Techniques to implement iptables rules
There are many schools of thought when it comes to system level firewalling.
One conservative approach that is often seen is to use connection tracking to match and explicitly accept incoming RELATED or ESTABLISHED traffic. All other incoming traffic is dropped by default. Explicit rules are added as necessary for various services to accept unmatched incoming traffic.
Outgoing traffic is not filtered in most scenarios.
Example:
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m conntrack --ctstate INVALID -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
The above iptables-save snippet shows a setup that drops inbound and forwarding packets by default and accepts outgoing packets by default. Inbound traffic from localhost is explicitly accepted, as are RELATED and ESTABLISHED packets (e.g. responses to an http request), and all traffic to port 22 (SSH).