Even if you run a mostly closed iptables firewall that drops everything by default, the following rules are still worth adding, as they will stop connections that would otherwise have made it through.
Rate Limiting
This is useful in stopping brute-force attacks on well-known ports. It can also be useful in cutting down massive connection attacks.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl --name SSH -j DROP
This will rate limit new SSH connections from each source address to 10 in 60 seconds at most. The same pair of rules can be adjusted for other well-known ports.
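To see how the two rules above treat a burst, a client that keeps retrying, and a slow legitimate client, here is a simplified Python model of the recent list (an added example, not from the original page). The names RecentList and replay are hypothetical, the traffic is constructed, and the TTL comparison done by --rttl is not modelled.

```python
from collections import defaultdict

WINDOW = 60      # --seconds 60
HITCOUNT = 10    # --hitcount 10


class RecentList:
    """Simplified model of one recent list (--name SSH), keyed by source IP."""

    def __init__(self, window=WINDOW, hitcount=HITCOUNT):
        self.window = window
        self.hitcount = hitcount
        self.stamps = defaultdict(list)   # source IP -> timestamps in seconds

    def new_connection(self, src, now):
        """Return 'DROP' or 'PASS' for one NEW packet to port 22 at time now."""
        stamps = self.stamps[src]
        # Rule 1 (--set): always record the packet; it has no target of its own.
        stamps.append(now)
        # Rule 2 (--update --seconds --hitcount): count stamps inside the window,
        # including the one rule 1 just recorded.
        recent = [t for t in stamps if now - t <= self.window]
        self.stamps[src] = recent          # stamps that aged out are forgotten
        if len(recent) >= self.hitcount:
            # A matching --update records the packet again, so a client that
            # keeps retrying keeps refreshing its own block.
            recent.append(now)
            return "DROP"
        return "PASS"                      # falls through to the later rules


def replay(events):
    """events: iterable of (time_seconds, source_ip); returns the verdicts."""
    rl = RecentList()
    return [rl.new_connection(src, t) for t, src in events]


# Constructed sample traffic (documentation addresses, not real hosts).
burst = [(i, "203.0.113.5") for i in range(12)]            # 12 attempts in 12 s
retry = burst + [(30, "203.0.113.5"), (120, "203.0.113.5")]
slow = [(i * 10, "198.51.100.7") for i in range(12)]       # 1 attempt per 10 s

if __name__ == "__main__":
    for name, ev in (("burst", burst), ("retry", retry), ("slow", slow)):
        print(name, replay(ev))
```

In this model the tenth new connection inside the window is the first one dropped, and a blocked source is let through again only after it has been quiet long enough for its recorded attempts to age out of the 60 second window.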
Drop new connections unless they are SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Drop fragmented packets
iptables -A INPUT -f -j DROP
Drop XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Drop spoofed IPs
iptables -A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 224.0.0.0/3 -j DROP
Here eth0 is your external interface. Also add your internal IP range to this list if it is not already there.