The current set of firewall rules will be posted here for perusal and perhaps critique.
You can use this on a Debian machine by modifying your /etc/network/interfaces file to look something like this:
iface eth0 inet static
blah blah blah
pre-up /sbin/iptables-restore /etc/iptables.rules
after saving the rules (in the format written by iptables-save) as /etc/iptables.rules. Because pre-up runs before the interface is brought up, the ruleset is in place before the box can receive any packets on eth0.
Severn and Jason had some thoughts about the rules:
From: Severn
To: Mike Patterson
Subject: Re: iptables rules
Date: Wed, 14 Jul 2004 14:00:42 -0400
Since the setup isn't "fully stealth" (i.e. you're allowing pings),
mimicking the behaviour of a port without a service rather than DROPping
them would eliminate some weird problems that may occur, such as:
instead of an ident probe waiting for a reply and timing out (i.e. it
doesn't know what's going on), it would get a port closed immediately
(there is no service here).
...a tcp-reset for tcp packets, and an icmp-port-unreachable for udp packets
It would also make my scans go faster =D
While dropping packets will prevent nmap from easily guessing the OS,
telnetting to the ssh port looking for a banner would reveal that it was
a unixlike system (if not the version/distro).
and in another mail, he wrote:
That is true. An explicit rule for state tracking is needed in iptables.
Then there's the -A OUTPUT -o lo -j ACCEPT after that which isn't needed...
After some research, I've also determined that "other" icmp types (like
fragmentation needed) are covered by the "related" part of state
tracking and no separate rule is needed for those.
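As an added example (not the rules posted on this page, and not Severn's), here is a small script that generates an /etc/iptables.rules file in iptables-restore format applying the two points raised in the mails above: an explicit state-tracking rule (which also covers RELATED icmp such as fragmentation-needed), no separate OUTPUT loopback rule since the OUTPUT policy is ACCEPT, ping allowed, and closed ports answered with a tcp-reset or icmp-port-unreachable instead of being DROPped. The host details are assumptions: one interface eth0, ssh on tcp/22 as the only service.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset that behaves like a host
# with no service on closed ports instead of a black hole.
# Assumptions (not from the page): single interface eth0, sshd on tcp/22.

# gen_rules prints the ruleset in the format iptables-save/iptables-restore use.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: with an OUTPUT policy of ACCEPT, one INPUT rule is enough
-A INPUT -i lo -j ACCEPT
# explicit state tracking: replies to our own traffic, plus RELATED icmp
# (fragmentation-needed, port-unreachable, ...) need no separate rule
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# allow ping; the echo-replies we send back go out via OUTPUT (ACCEPT)
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# services offered: ssh
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# everything else: answer like a closed port instead of timing out
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
EOF
}

# write_rules saves the ruleset to the path given as $1 (e.g. /etc/iptables.rules)
# and returns the number of rule lines written.
write_rules() {
    gen_rules > "$1"
    grep -c '^-A ' "$1"
}

# On the real host (as root), the interfaces file from the page loads it with:
#   pre-up /sbin/iptables-restore /etc/iptables.rules
# To check the file parses before rebooting:
#   iptables-restore --test /etc/iptables.rules
```

Note the order: the ESTABLISHED,RELATED rule sits before the REJECT lines, so the reset or unreachable is only sent for new connections to ports without a service, never for packets belonging to a connection we already accepted.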