The default firewall settings are that INPUT accepts only established connections:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Question 1. I think that the settings are already secure. Could you provide a counter-argument showing when this firewall rule would fail to prevent malicious traffic from entering?
Question 2. If I wanted to limit INPUT ports, I would first comment out the mentioned rule. Could you provide an example rule pair to allow INPUT and OUTPUT for a certain port? Consider HTTP port 80 as an example.
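An added example, not part of the original post: a ruleset in `iptables-restore` format that pairs an INPUT rule for new connections to one TCP port with the matching OUTPUT rule for replies. It assumes default-DROP policies on all chains (the post does not state the policy, and the conntrack ACCEPT rule filters nothing without one), keeps the quoted RELATED,ESTABLISHED rule in place, and uses a hypothetical function name `emit_rules`.

```shell
#!/bin/sh
# Added example (not from the original post).
# emit_rules PORT prints an iptables-restore ruleset that admits NEW inbound
# TCP connections on PORT only. The function name is hypothetical.
# Assumption: default-DROP policies. The ACCEPT rule quoted in the post only
# restricts traffic when the chain policy (or a final rule) drops the rest.

emit_rules() {
    port=$1
    # Accept only a plain decimal port: no empty value, no leading zero,
    # no non-digits, at most five digits (keeps the numeric test safe).
    case $port in
        ''|0*|*[!0-9]*|??????*)
            echo "invalid port: $port" >&2
            return 1 ;;
    esac
    if [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Usage (as root): emit_rules 80 | iptables-restore --test
# --test parses the ruleset without committing it.
```

With OUTPUT set to DROP the host cannot open outbound connections of its own (DNS, package updates) until rules for those are added.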