There were many good answers and suggestions on this Reddit thread which I'll try to summarize.

Iptables rules on their own won't suffice in a large or organized attack; the datacenter must have some sort of proper DDoS protection in its network. This is of primary importance when dealing with DDoS attacks.

Drop all requests / Start with a default DROP policy

Beginning with a default DROP policy and simply whitelisting anything needed is a good strategy.

A good recommendation is to drop every request but those the server is expecting to receive or expecting to make. Another good idea is to explicitly drop port 0; some attacks were making use of it, because some DDoSers were still able to get their attack through on that port. It is unclear whether this is just an issue that plagued older iptables/OSes.

An example of such rules are as follows:

```bash
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# note: no space after the comma, "ESTABLISHED, RELATED" is rejected by iptables
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 30303 -j ACCEPT
iptables -A INPUT -p udp --dport 30303 -j ACCEPT
iptables -P FORWARD DROP
```

... etc.

Using netstat to see which ports are needed per service

In addition to a "DROP" policy, using netstat to find the ports needed for whatever services you run and including them in the iptables rules is a good approach. In this example we include the ports of the Bitcoin and Litecoin daemons in addition to Geth's.

```bash
#!/bin/bash
IPT="/sbin/iptables"
# This is the iptables script that will be loaded through a cronjob, every time the system boots.
# First we will flush old rules and then fill iptables with policies and rules specified below.
# Iptables on
systemctl start iptables
# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain

### POLICIES ###
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

### INPUT RULES ###
# accept local port use, for example so you can use json-rpc on the server's cli
$IPT -A INPUT -i lo -j ACCEPT
# accept other nodes' data replies, for example to a peer request your Geth made to another node
# (no space after the comma: "ESTABLISHED, RELATED" is a syntax error for iptables)
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh from your home
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# accept your local crypto daemons to receive connections
# Bitcoin
$IPT -A INPUT -p tcp --dport 18333 -s 0.0.0.0/0 -j ACCEPT
# Litecoin
$IPT -A INPUT -p tcp --dport 19333 -s 0.0.0.0/0 -j ACCEPT
# Go-Ethereum (Geth)
$IPT -A INPUT -p tcp --dport 30303 -s 0.0.0.0/0 -j ACCEPT

### OUTPUT RULES ###
# the OUTPUT policy is DROP as well, so replies to accepted connections and the
# daemons' own outgoing peer connections must be allowed explicitly; without
# these rules the host cannot answer anything, not even your SSH session
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp -m multiport --dports 18333,19333,30303 -m state --state NEW -j ACCEPT
```

Accepting SSH only from your home IP address

Doing something similar to:

```bash
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s [your home ip]/32 -j ACCEPT
```

in order to limit access to anyone except a user coming from your home address may limit unwanted access. Warning: ISPs may change your IP address without prior notification, rendering access to your remote server impossible. Consider using it only if you have a fixed IP address or if you can undo it from the control panel or console (e.g. AWS).

Changing the default SSH port

Another recommendation is changing the default SSH port to something random; a lot of Chinese servers attempt to brute-force the default port. Making sure rate-limiting for login attempts is in place as well is a good idea.

Disallow ping

The host does not need to respond to pings; you don't need to allow ICMP echoes.

Add a VPN to SSH

It might be good to set up a VPN for yourself. One can make the SSH rule stricter with:

```bash
# allow all tcp connections by $vpn_connection to port 80
sudo iptables -A INPUT -p tcp -s $vpn_connection --dport 80 -j ACCEPT
```

Add a rule to protect you from yourself

This is just a general rule to protect the host from yourself. This rule basically says that any new rule you add will not sever existing connections (i.e. if you accidentally add a rule severing your own active SSH connection):

```bash
# prevent added rules from severing existing connections
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```

Thanks to:

For their answers and to 5chdn for making the question public on Reddit.
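The following script is an added example, not code from the original answer or from any of the people it thanks. It ties the individual recommendations above into one ruleset: default DROP on all chains, loopback and ESTABLISHED,RELATED accepted first (the "protect you from yourself" rule), explicit port 0 drops, no ICMP echo replies, SSH only from a fixed admin address with a per-minute rate limit via the `recent` match, and only the listed service ports open in both directions. Rather than running `iptables` commands one by one, it prints an `iptables-restore` file so the whole ruleset is loaded atomically at boot and can be syntax-checked first. The admin address (an RFC 5737 documentation address), the SSH port and the outbound DNS rules are assumptions; the service ports are the ones quoted in the answer.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset implementing the answer's
# advice. Not the original poster's script.
set -eu

# Placeholder values (assumptions); override via the environment.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"               # RFC 5737 documentation address
SSH_PORT="${SSH_PORT:-22}"                         # change if sshd listens elsewhere
TCP_SERVICES="${TCP_SERVICES:-18333 19333 30303}"  # daemon ports quoted in the answer
UDP_SERVICES="${UDP_SERVICES:-30303}"              # Geth discovery

# Print the complete *filter table in iptables-restore format.
gen_ruleset() {
  printf '%s\n' '*filter' \
    ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
  # Loopback, so local JSON-RPC and similar keep working.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
  # "Protect you from yourself": placed first so that rules appended later
  # can never cut an existing SSH session. OUTPUT needs it too, since the
  # OUTPUT policy is DROP.
  printf '%s\n' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # Explicit port 0 drops, as recommended in the answer.
  printf '%s\n' \
    '-A INPUT -p tcp --dport 0 -j DROP' '-A INPUT -p udp --dport 0 -j DROP' \
    '-A INPUT -p tcp --sport 0 -j DROP' '-A INPUT -p udp --sport 0 -j DROP'
  # No answers to ping (the policy drops it anyway; this documents the intent).
  printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j DROP'
  # SSH from the admin address only; the 5th new connection within 60 s is
  # dropped, which blunts brute-force attempts even from that address.
  ssh_rule="-A INPUT -p tcp -s $ADMIN_IP/32 --dport $SSH_PORT -m conntrack --ctstate NEW"
  printf '%s\n' \
    "$ssh_rule -m recent --name ssh --set" \
    "$ssh_rule -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP" \
    "$ssh_rule -j ACCEPT"
  # Inbound peer connections for the daemons, plus the outbound connections
  # the daemons make themselves.
  for p in $TCP_SERVICES; do
    printf '%s\n' \
      "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT" \
      "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  for p in $UDP_SERVICES; do
    printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT" \
                  "-A OUTPUT -p udp --dport $p -j ACCEPT"
  done
  # Outbound DNS (assumption: the host resolves peer names itself).
  printf '%s\n' '-A OUTPUT -p udp --dport 53 -j ACCEPT' \
                '-A OUTPUT -p tcp --dport 53 -j ACCEPT'
  printf '%s\n' 'COMMIT'
}

# Line number (from 1) of the first rule containing the fixed string $1,
# or 0 if absent. Handy for checking that the ESTABLISHED,RELATED rule
# really precedes every DROP rule before loading the file.
rule_index() {
  n=$(gen_ruleset | grep -n -F -- "$1" | head -n 1 | cut -d: -f1)
  printf '%s\n' "${n:-0}"
}

# Running the script prints the ruleset. As root, check and install it with:
#   sh rules.sh | iptables-restore --test
#   sh rules.sh > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
gen_ruleset
```

Because `iptables-restore` applies the file as one transaction, a typo such as `ESTABLISHED, RELATED` fails the `--test` step instead of leaving the host half-configured, and the ESTABLISHED,RELATED rule sitting at the top of INPUT and OUTPUT means a later mistake in the file cannot drop the SSH session you are loading it from.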