This built me a tight ipchain firewall rule set
http://linux-firewall-tools.com/linux/firewall/index.html
I used DENY, hardcoded external addresses, logged everything.
As part of the instruction and if you read the script, it will
give several suggestions as to where you install the firewall.
--
The warrenty and liability expired as you read the message.
If the above breaks your system, it's yours and you keep both pieces.
Practice safe computing. Backup the file before you change it.
Do a, man every_command_here, before doing anything or running a script.