By default, I drop all inbound packets, reject all outbound packets, and reject all connections to the box from the internal network except on port 22 for administration purposes.
Then I selectively open outbound ports as I need them (e.g., 80, 110, 6667, etc.). The only drawback is that this kills FTP, since the initial connection is established on port 21 and then moved to a random unprivileged port. I posted a thread about this recently, but I'm too lazy to search for it right now. :D
I'm not at home now and can't get to my script, but I will post some examples from my script in a couple of days when I get home if anybody is interested. I started with a basic script from http://www.hideaway.net/iptables and then modified it pretty heavily to suit my needs. It's very well commented and easy to follow, and I think that's easier than trying to write one from scratch.
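As an added example (not the poster's script, and not the hideaway.net one), here is a POSIX shell script that emits the iptables commands for the policy described in the post: drop inbound by default, reject outbound by default, accept ssh from the internal network only, and open a short list of outbound TCP ports. It also shows the conntrack FTP helper rules that fix the port-21 problem the post mentions, since with the helper loaded the data connection is classified RELATED and passes the stateful rule instead of needing a random port opened. The interface names, the LAN range and the port list are assumptions, set as environment variables; the script only prints the rules, so it can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Added example, not the poster's firewall script.
# Prints iptables commands for: drop inbound, reject outbound, ssh from the LAN
# only, selected outbound TCP ports, plus optional FTP helper rules.
# Review with:  sh firewall.sh            Apply with:  sh firewall.sh | sudo sh
# Assumed (hypothetical) values; override via the environment.
WAN_IF="${WAN_IF:-eth0}"              # internet-facing interface
LAN_IF="${LAN_IF:-eth1}"              # internal network interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # internal network range
OUT_TCP="${OUT_TCP:-80 110 6667}"     # outbound TCP ports to open (http, pop3, irc)

gen_rules() {
    # Chain policies can only be ACCEPT or DROP, so "reject outbound" is a
    # final REJECT rule in OUTPUT rather than a policy.
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j REJECT
EOF
    # Outbound: only the listed TCP ports may open NEW connections, and only
    # on the internet side; the ESTABLISHED rule above carries the replies.
    for p in $OUT_TCP; do
        echo "iptables -A OUTPUT -o $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Name resolution, otherwise none of the above is usable.
    echo "iptables -A OUTPUT -o $WAN_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    # Reject rather than drop so local programs fail immediately instead of hanging.
    echo "iptables -A OUTPUT -j REJECT"
}

ftp_rules() {
    # The FTP data connection uses a negotiated port. The nf_conntrack_ftp
    # helper reads the PORT/PASV exchange and registers an expectation, so the
    # data connection (inbound for active, outbound for passive) is RELATED and
    # is accepted by the stateful rules in gen_rules. Kernels from 4.7 on no
    # longer attach helpers automatically, hence the explicit CT rule in raw.
    # These must be inserted before the final "OUTPUT -j REJECT".
    cat <<EOF
modprobe nf_conntrack_ftp
iptables -t raw -A OUTPUT -o $WAN_IF -p tcp --dport 21 -j CT --helper ftp
iptables -I OUTPUT 3 -o $WAN_IF -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Stand-alone run: print the rules; add --with-ftp for the helper rules too.
case "${1:-}" in
    --with-ftp) gen_rules; ftp_rules ;;
    *)          gen_rules ;;
esac
```

The REJECT for the LAN sits after the ESTABLISHED rule on purpose: replies to connections the box itself opened still flow, but any new connection from the LAN other than ssh gets a TCP reset or ICMP unreachable instead of a silent timeout, which makes debugging from inside the network far less painful. Apply it from a non-interactive shell (the pipe to `sudo sh` above), because between the flush and the ESTABLISHED rule an interactive ssh session would be cut.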
