Wrapping your mind around iptables.
Basic firewall configuration
Accepting or dropping everything
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
Accepting established connections
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Accepting specific inputs
Accepting traffic on loopback:
iptables -I INPUT -i lo -j ACCEPT
Accepting ping traffic:
iptables -A INPUT -p icmp -m limit --limit 2/sec -j ACCEPT
Accepting DNS requests
iptables -A INPUT -d $DNS_IP -p udp -m udp --dport 53 -j ACCEPT
Forwarding traffic from your LAN subnet out to the WAN (and dropping anything else that tries to leave through that path):
iptables -A FORWARD -i $LAN_iface -o $WAN_iface -s $LAN_subnet -j ACCEPT
iptables -A FORWARD -i $LAN_iface -o $WAN_iface -j DROP
Logging drops
iptables -A INPUT -m limit --limit 30/min -j LOG --log-prefix "iptables INPUT denied: " --log-level 7
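The rules above are given as individual iptables invocations, so their final order depends on the mix of -I and -A and on what was already loaded. The script below is an added example, not part of the original notes: it assembles the same policies and rules into one iptables-restore file, which is loaded atomically and makes the evaluation order explicit (the RELATED,ESTABLISHED and loopback rules first, the LOG rule last so that only traffic about to hit the DROP policy is logged). The interface names, subnet and DNS address are placeholder defaults; override them through the environment.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset built from the rules in these notes.
# The four values below are assumed placeholders (not from the notes); set them in the
# environment to match your box, e.g.  LAN_iface=eth1 WAN_iface=eth0 ./fw.sh apply
LAN_iface="${LAN_iface:-eth1}"
WAN_iface="${WAN_iface:-eth0}"
LAN_subnet="${LAN_subnet:-192.168.1.0/24}"
DNS_IP="${DNS_IP:-192.168.1.1}"

# Print the complete ruleset in iptables-save format. Lines starting with '#' are
# ignored by iptables-restore. Rules are listed in evaluation order; a packet that
# matches nothing falls through to the chain policy (DROP for INPUT and FORWARD).
gen_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections we initiated, and loopback, are accepted before anything else.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ICMP above 2/sec falls through to the LOG rule and then the DROP policy.
-A INPUT -p icmp -m limit --limit 2/sec -j ACCEPT
-A INPUT -d $DNS_IP -p udp -m udp --dport 53 -j ACCEPT
# Last INPUT rule: everything reaching it is about to be dropped by the policy.
-A INPUT -m limit --limit 30/min -j LOG --log-prefix "iptables INPUT denied: " --log-level 7
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_iface -o $WAN_iface -s $LAN_subnet -j ACCEPT
-A FORWARD -i $LAN_iface -o $WAN_iface -j DROP
COMMIT
EOF
}

# Number of -A rules in a chain of the generated ruleset, e.g.  rule_count INPUT
rule_count() {
  gen_ruleset | grep -c "^-A $1 "
}

# Lint: the LOG rule must be the last INPUT rule; if an ACCEPT rule came after it,
# that accepted traffic would still be logged as "denied".
check_log_is_last() {
  gen_ruleset | awk '
    /^-A INPUT / { last = $0 }
    END { exit ((last ~ /-j LOG/) ? 0 : 1) }'
}

# "apply" loads the ruleset atomically (requires root); anything else just prints it.
if [ "${1:-}" = "apply" ]; then
  gen_ruleset | iptables-restore
fi
```

Run the script with no argument to review the generated file, and with `apply` (as root) to load it; because iptables-restore replaces the tables in one step, a half-applied ruleset that briefly leaves the policy at ACCEPT cannot occur.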
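Logging drops is only useful if someone reads the result. The following is an added example, not part of the original notes: it filters kernel log lines carrying the "iptables INPUT denied: " prefix and tallies the SRC= and DPT= fields, which is the quickest way to see who is knocking and on which ports. The log lines are constructed samples that follow the field layout of the kernel LOG target (IN= OUT= SRC= DST= ... PROTO= SPT= DPT=), using documentation addresses; on a real host, feed it the file your syslog daemon writes kernel messages to.

```shell
#!/bin/sh
# Added example: summarise "iptables INPUT denied:" log lines by source and port.

# Constructed sample of kernel log lines (documentation addresses, not real traffic).
# The sshd line is noise that the prefix filter must ignore.
sample_log() {
  cat <<'EOF'
Mar  3 10:15:01 fw kernel: iptables INPUT denied: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=240 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  3 10:15:02 fw kernel: iptables INPUT denied: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=112 PROTO=TCP SPT=51234 DPT=3389 SYN
Mar  3 10:15:02 fw kernel: iptables INPUT denied: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=240 PROTO=TCP SPT=40002 DPT=22 SYN
Mar  3 10:15:03 fw kernel: iptables INPUT denied: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=55 PROTO=TCP SPT=33000 DPT=23 SYN
Mar  3 10:15:04 fw sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 50000 ssh2
Mar  3 10:15:05 fw kernel: iptables INPUT denied: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=112 PROTO=TCP SPT=51235 DPT=3389 SYN
Mar  3 10:15:06 fw kernel: iptables INPUT denied: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=240 PROTO=TCP SPT=40003 DPT=445 SYN
EOF
}

# Keep only lines written by the LOG rule (its --log-prefix is the selector).
denied_lines() {
  grep 'iptables INPUT denied: '
}

# count_field NAME: read log lines on stdin, count distinct values of the NAME= field,
# print "count value" lines, most frequent first.
count_field() {
  awk -v f="$1=" '
    { for (i = 1; i <= NF; i++)
        if (index($i, f) == 1) c[substr($i, length(f) + 1)]++ }
    END { for (k in c) print c[k], k }' | sort -rn
}

denied_count() { sample_log | denied_lines | grep -c 'iptables INPUT denied: '; }
top_sources()  { sample_log | denied_lines | count_field SRC; }
top_ports()    { sample_log | denied_lines | count_field DPT; }

# Typical use on a real host:  denied_lines < /var/log/kern.log | count_field SRC
echo "denied lines: $(denied_count)"
top_sources
```

Because the LOG rule is rate-limited to 30/min, these counts are a lower bound on what was actually dropped; use the rule's packet counters (iptables -L INPUT -v -n) for the true totals.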