My basic IPTables configuration.
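#!/bin/bash
# Basic host firewall for a box with a LAN-facing and an Internet-facing
# interface, running Asterisk (SIP on 5060/5061) and sshd on port 731.
#
# Policy, in evaluation order:
#   * default DROP on INPUT, FORWARD and OUTPUT (IPv4 only -- ip6tables is
#     not touched here, so IPv6 is NOT filtered by this script);
#   * bogus TCP flag combinations arriving on the external interface dropped;
#   * all SIP traffic to 5060/5061 funnelled through a per-source rate limiter;
#   * replies to existing connections, loopback and the LAN accepted;
#   * one whitelisted source range accepted outright;
#   * new SSH connections rate-limited per source, then accepted.
#
# No FORWARD rules are added, so this host does not route between the two
# interfaces.
#
# WARNING: the DROP policies are applied before the allow rules are built.
# If the script aborts in between (set -e), a remote session is cut off. Run
# it from the console, or schedule a rollback (e.g. `at now + 5 min` running
# an `iptables -F; iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT`)
# before running it over SSH.
set -euo pipefail

if [[ "$EUID" -ne 0 ]]; then
  echo "This script must be run as root" >&2
  exit 1
fi

LANIF="eth1"   # internal / trusted interface
EXTIF="eth0"   # Internet-facing interface

# Interface addresses, recorded for reference only -- no rule below uses them.
# `ip` replaces the original `ifconfig | awk` parse, which silently returned
# nothing on net-tools versions that print "inet 1.2.3.4" rather than
# "inet addr:1.2.3.4" (and, with the original `$VAR=` syntax, never assigned
# anything at all). A missing interface leaves the variable empty.
# shellcheck disable=SC2034
LANIP=$(ip -4 -o addr show dev "$LANIF" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 || true)
# shellcheck disable=SC2034
EXTIP=$(ip -4 -o addr show dev "$EXTIF" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 || true)

# Clear all existing rules in every table we touch, then default to DROP.
echo " * Clearing old rules"
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

echo " * Setting up chains"
# LOGDROP: log (capped at one line per second so a flood cannot fill the
# log) and drop. Nothing jumps here yet; it is available for rules that want
# a logged drop. --log-level 7 is "debug", so make sure syslog keeps it.
iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 1/sec -j LOG --log-prefix "Dropped Packet: " --log-level 7
iptables -A LOGDROP -j DROP

# ASTERISK: per-source SIP rate limiting.
#  - a source that sends 12 or more REGISTER (or 12 or more INVITE) packets
#    within 60 s is dropped (brute-force / scanner behaviour);
#  - everything else is capped at 6 packets/s per source+destination port
#    (hashlimit default burst of 5), anything above the cap is dropped.
# The string matches only see clear-text SIP; TLS on 5061 is opaque to them
# and is governed by the hashlimit rule alone.
# The `--set` rules carry no target, so they only record the source and fall
# through to the `--update` rule that enforces the count.
iptables -N ASTERISK
iptables -A ASTERISK -m string --string "REGISTER sip:" --algo bm -m recent --set --name AST --rsource
iptables -A ASTERISK -m string --string "REGISTER sip:" --algo bm -m recent --update --seconds 60 --hitcount 12 --rttl --name AST --rsource -j DROP
iptables -A ASTERISK -m string --string "INVITE sip:" --algo bm -m recent --set --name ASTINV --rsource
iptables -A ASTERISK -m string --string "INVITE sip:" --algo bm -m recent --update --seconds 60 --hitcount 12 --rttl --name ASTINV --rsource -j DROP
iptables -A ASTERISK -m hashlimit --hashlimit-upto 6/sec --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
iptables -A ASTERISK -j DROP

echo " * Setting up rules"
# Drop TCP packets with impossible flag combinations arriving from outside
# (null / Xmas / SYN+FIN / SYN+RST scans and the like).
iptables -A INPUT -i "$EXTIF" -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -i "$EXTIF" -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -i "$EXTIF" -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i "$EXTIF" -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -i "$EXTIF" -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -i "$EXTIF" -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

# Rate-limit SIP *before* the ESTABLISHED rule: a UDP flow becomes
# ESTABLISHED after the first reply and would otherwise bypass the limiter.
# No -i is given, so LAN phones are subject to the same limits as the
# Internet (as in the original design); add -i "$EXTIF" to exempt them.
iptables -A INPUT -p udp -m udp --dport 5060 -j ASTERISK
iptables -A INPUT -p tcp -m tcp --dport 5060 -j ASTERISK
iptables -A INPUT -p udp -m udp --dport 5061 -j ASTERISK
iptables -A INPUT -p tcp -m tcp --dport 5061 -j ASTERISK

# Replies to connections this host accepted or initiated.
iptables -A INPUT -i "$EXTIF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The OUTPUT policy is DROP, so replies leaving on the external interface
# must be allowed explicitly -- the original had no OUTPUT rule for $EXTIF,
# which meant no inbound SSH or SIP session could ever be answered.
# Traffic this host *initiates* toward the Internet (DNS, NTP, SIP trunk
# registration, package updates) is still blocked; add -o "$EXTIF" rules for
# whatever is required.
iptables -A OUTPUT -o "$EXTIF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Loopback is unrestricted.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# The LAN is fully trusted in both directions.
iptables -A INPUT -i "$LANIF" -j ACCEPT
iptables -A OUTPUT -o "$LANIF" -j ACCEPT

#
# Everything from here on is traffic from the external interface.
#
# Trusted source range (Shore). The original listed this range twice; one
# rule is sufficient.
iptables -A INPUT -i "$EXTIF" -s 96.45.196.192/27 -j ACCEPT # Shore

# SSH (sshd listens on 731): at most 3 NEW connections per source per
# minute; the 4th and later are dropped. Established sessions are already
# accepted above. Both `recent` rules must name the same list -- the
# original omitted --name on the --update rule, so it consulted the empty
# DEFAULT list and the limit never fired.
iptables -A INPUT -i "$EXTIF" -p tcp --dport 731 -m conntrack --ctstate NEW -m recent --set --name SSH --rsource
iptables -A INPUT -i "$EXTIF" -p tcp --dport 731 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
iptables -A INPUT -i "$EXTIF" -p tcp --dport 731 -m conntrack --ctstate NEW -j ACCEPT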