>>62212178
More or less what I use:
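#!/usr/bin/env bash
#
# Host firewall: accept established/related flows and loopback, silently drop
# the usual LAN broadcast/multicast chatter, and log-then-drop everything else
# under the "IPD: " prefix. Because the LOGGING chain ends in DROP, INPUT is
# effectively default-deny even though no -P policy is set.
#
# Usage:  LAN_NET=192.0.2 ./firewall.sh       (run as root)
#
# Environment:
#   LAN_NET    first three octets of the local /24; replaces "your.net.here"
#              (the default keeps that placeholder, so set it before running)
#   LOG_LIMIT  optional rate limit for the LOG target, e.g. "20/min"; when
#              unset every packet is logged (original behaviour), which lets
#              any remote host fill /var/log/messages at line rate
#   LOG_BURST  burst allowance used together with LOG_LIMIT (default 10)
set -euo pipefail

readonly LAN_NET=${LAN_NET:-your.net.here}
readonly LOG_LIMIT=${LOG_LIMIT:-}
readonly LOG_BURST=${LOG_BURST:-10}
readonly LOG_PREFIX='IPD: '
readonly LOG_CHAIN=LOGGING

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Append one rule to the filter table.
# Arguments: chain name followed by the rule spec, passed through verbatim
#######################################
rule() {
  iptables -t filter -A "$@"
}

#######################################
# PRECONFIGURE: flush all filter rules and (re)create the logging chain.
# -F empties user chains but does not delete them, so a plain -N fails on a
# re-run; only create the chain when it does not exist yet.
#######################################
preconfigure() {
  iptables -F
  iptables -n -L "$LOG_CHAIN" >/dev/null 2>&1 || iptables -N "$LOG_CHAIN"
}

#######################################
# INPUT: keep existing flows and loopback. Everything else is handed to the
# logging chain later, so add explicit ACCEPTs here for services you expose.
#######################################
input_rules() {
  rule INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # echo-request; uncomment to be pingable
  #rule INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
  rule INPUT -i lo -j ACCEPT
}

#######################################
# Drop a bunch of broadcast/udp trash from Windows boxes on the subnet before
# it reaches the logger, and stop this host from UDP-broadcasting itself.
#######################################
noise_rules() {
  rule INPUT -p udp -m multiport --ports 27036 -j DROP
  rule OUTPUT -p udp -d "${LAN_NET}.255" -j DROP
  rule OUTPUT -p udp -d 255.255.255.255 -j DROP
}

#######################################
# LOGGING: send the remainder of INPUT through the logging chain. Drop the
# high-volume LAN chatter that would spam the logfile (ditch these rules if
# nothing else lives on your subnet and you want it logged), then log and
# drop whatever is left.
#######################################
logging_rules() {
  rule INPUT -j "$LOG_CHAIN"
  # local peer discovery
  rule "$LOG_CHAIN" -p udp -s "${LAN_NET}.0/24" -d 239.192.152.143 -j DROP
  # subnet broadcast
  rule "$LOG_CHAIN" -p udp -s "${LAN_NET}.0/24" -d "${LAN_NET}.255" -j DROP
  # limited broadcast
  rule "$LOG_CHAIN" -p udp -s "${LAN_NET}.0/24" -d 255.255.255.255 -j DROP
  # multicast
  rule "$LOG_CHAIN" -s "${LAN_NET}.0/24" -d 224.0.0.0/24 -j DROP
  # label it in /var/log/messages; with LOG_LIMIT set, packets over the
  # limit skip the LOG rule and fall straight through to the DROP below
  if [[ -n "$LOG_LIMIT" ]]; then
    rule "$LOG_CHAIN" -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
      -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
  else
    rule "$LOG_CHAIN" -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
  fi
  # drop logged stuff; more intricate rules could also log accepted things
  rule "$LOG_CHAIN" -j DROP
}

#######################################
# CLEANUP: print the ruleset (-n skips slow reverse-DNS lookups) and persist
# it through the distro's init script, which re-applies the saved rules on
# restart.
#######################################
save_rules() {
  iptables -n -L -v
  /etc/init.d/iptables save
  /etc/init.d/iptables restart
}

main() {
  (( EUID == 0 )) || die "must run as root"
  command -v iptables >/dev/null || die "iptables not found in PATH"
  preconfigure
  input_rules
  noise_rules
  logging_rules
  save_rules
}

# Only apply rules when executed directly; sourcing just defines the functions.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi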