Yes, with the 2.4.x kernels came iptables to replace ipchains as the de facto packet filtering firewall tool. iptables && netfilter etc. are great! I do recommend a kernel patch like grsecurity/LIDS/OpenWall etc. to secure the box a little better. *n?x exploits often involve executing code on the stack, so anything you can do to make such a thing hard/difficult/impossible greatly improves your security.

The other thing I would recommend is to remove the setXid bit from anything that does not absolutely have to have it. setXid (setuserid and setgroupid) is the real killer on any flavor of *n?x if the system is compromised.

The default Linux install comes with a long list of setXid programs by default. I really do recommend auditing these.
A very simple way to find them is to type the following on the command line:
# find / \( -perm -02000 -o -perm -04000 \) -ls > setXid.txt

Then you can open setXid.txt in an editor like vi and see what you don't really need to be setXid.

Also (while I am in the mood to post), take a look at `chattr' and `lsattr', read their man pages and get to know them. I use `chattr +i program_name' on anything that could be of use to a hacker if they gain access to my system. This greatly reduces the threat of root-kits and other trojaned programs because the file cannot be modified in *any* way. `chattr +a /var/log/logname' is another good one because it puts the log/file in append mode only. The hacker, if successful, will not be able to modify the logs to erase evidence that s/he was there.
(note: chattr & lsattr are only available on Linux, no Unix flavors have these binaries afaik)

Just a couple of ideas for you.
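
The setXid audit described in this post, as an added example that is not part of the original post: it repeats the same find test but compares the result against a list of files you have already reviewed, so only new or unexpected setXid files are reported. The function names, the allowlist format and the path /etc/setxid.allow are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# allowlist format (one absolute path per line, '#' comments) are assumptions.

# audit_setxid ROOT ALLOWLIST
# Prints "suid PATH", "sgid PATH" or "suid+sgid PATH" for every regular file
# under ROOT that carries a setXid bit and is not listed in ALLOWLIST.
# Returns 0 if nothing unexpected was found, 1 otherwise, 2 on setup failure.
# Paths containing newlines are not handled.
audit_setxid() {
    ax_root=$1 ax_allow=$2 ax_found=0
    ax_tmp=$(mktemp) || return 2
    # Same permission test as the post's find command; -xdev keeps the scan on
    # one filesystem, -type f leaves setgid directories out of the report.
    find "$ax_root" -xdev -type f \( -perm -02000 -o -perm -04000 \) -print \
        2>/dev/null | sort > "$ax_tmp"
    while IFS= read -r ax_path; do
        # -F fixed string, -x whole line: only an exact path counts as reviewed.
        if grep -Fxq -- "$ax_path" "$ax_allow" 2>/dev/null; then
            continue
        fi
        ax_kind=
        if [ -u "$ax_path" ]; then ax_kind=suid; fi
        if [ -g "$ax_path" ]; then ax_kind=${ax_kind:+$ax_kind+}sgid; fi
        printf '%s %s\n' "$ax_kind" "$ax_path"
        ax_found=1
    done < "$ax_tmp"
    rm -f "$ax_tmp"
    return "$ax_found"
}

# strip_setxid PATH...
# Clears both bits on files the review decided do not need them.
strip_setxid() {
    chmod u-s,g-s -- "$@"
}

# Typical use as root (the allowlist path is a hypothetical name):
#   audit_setxid / /etc/setxid.allow
```

Run from cron, a non-zero return makes a newly appeared setXid file stand out instead of being buried in a full listing.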