
If I want to add INPUT firewall rules on my server, the suggestion I keep seeing is to do the following (port 80 here, but it could be any other service's well-known port):

iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

How is this different from:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

i.e. what is the benefit of checking the connection state in the INPUT chain, since the server has to serve any request on port 80?

Manohar

1 Answer

iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

This will allow only new and established sessions on destination port 80, and will not allow related (started by another running session) or invalid sessions. So it will drop the packet if somebody comes in with, for example, a non-SYN flag first for a new connection, such as an ACK flag, for which the server would otherwise send a reset; if such packets come in high numbers they may eventually overwhelm the server's processing. Since this rule drops such packets, it is more secure.

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Whereas the second rule won't stop such packets, and hence is less secure than the first.

Anirudh Malhotra
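As an added illustration (not part of the question or the answer above), here is a small Python model of how netfilter's conntrack assigns a ctstate to inbound TCP packets and how the two rules from the question, plus the more common chain layout, react to the same traffic. Everything in it is constructed: the addresses, the packet sequence, and the simplifications. It keys flows on the inbound 4-tuple, treats only a packet whose flags are exactly SYN as the start of a flow (the strict behaviour the answer describes; real Linux conntrack defaults to nf_conntrack_tcp_loose=1, which lets it pick up a flow from a non-SYN packet and then labels that packet NEW, so on a default kernel set nf_conntrack_tcp_loose=0 if you rely on this filtering), and assumes the INPUT chain policy is DROP. The third ruleset, TYPICAL, is the usual layout: accept ESTABLISHED,RELATED once for every port, drop INVALID, then accept NEW per service port; the per-port rule from the question would by itself not admit replies to connections the server opened outbound, which the last sample packet shows.

```python
"""Toy conntrack model comparing INPUT rules. Constructed example, not from the page.

Assumptions: flows keyed by inbound (src, sport, dst, dport); a flow starts only
with a pure SYN (nf_conntrack_tcp_loose=0); chain policy is DROP; RELATED is
modelled only as a matchable state (no ICMP/helper logic).
"""
from dataclasses import dataclass
from typing import Optional

SERVER = "10.0.0.5"  # constructed server address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


@dataclass(frozen=True)
class Rule:
    """One '-A INPUT -p tcp [--dport N] [-m conntrack --ctstate S,..] -j TARGET'."""
    dport: Optional[int]            # None = no --dport match
    ctstates: Optional[frozenset]   # None = no -m conntrack match at all
    target: str = "ACCEPT"


class ConntrackLite:
    def __init__(self, known_flows=()):
        # entries already in the table, e.g. connections the server opened itself
        self.flows = set(known_flows)

    def classify(self, pkt):
        if pkt.flow in self.flows:
            return "ESTABLISHED"
        if pkt.flags == frozenset({"SYN"}):
            return "NEW"
        return "INVALID"          # first packet of a flow that is not a SYN

    def confirm(self, pkt):
        # conntrack only keeps a new entry if the packet was not dropped
        self.flows.add(pkt.flow)


def evaluate(rules, pkt, state):
    """First matching rule wins, like iptables; fall through to the chain policy."""
    for r in rules:
        if r.dport is not None and pkt.dport != r.dport:
            continue
        if r.ctstates is not None and state not in r.ctstates:
            continue
        return r.target
    return "DROP"


def run(rules, packets, known_flows=()):
    """Return [(ctstate, verdict), ...] for the packets in order."""
    ct = ConntrackLite(known_flows)
    out = []
    for pkt in packets:
        state = ct.classify(pkt)
        verdict = evaluate(rules, pkt, state)
        if verdict == "ACCEPT" and state == "NEW":
            ct.confirm(pkt)
        out.append((state, verdict))
    return out


# The two rules from the question, and the layout most rulesets actually use.
WITH_CONNTRACK = [Rule(80, frozenset({"NEW", "ESTABLISHED"}))]
PLAIN = [Rule(80, None)]
TYPICAL = [
    Rule(None, frozenset({"ESTABLISHED", "RELATED"})),
    Rule(None, frozenset({"INVALID"}), "DROP"),
    Rule(80, frozenset({"NEW"})),
]

SYN, ACK = frozenset({"SYN"}), frozenset({"ACK"})
SAMPLE = [  # constructed inbound packets, in arrival order
    Packet("198.51.100.7", 40001, SERVER, 80, SYN),   # legitimate handshake start
    Packet("198.51.100.7", 40001, SERVER, 80, ACK),   # handshake completes
    Packet("203.0.113.9", 40002, SERVER, 80, ACK),    # bare ACK, no prior SYN seen
    Packet("198.51.100.7", 40003, SERVER, 22, SYN),   # port that is not served
    Packet("192.0.2.20", 443, SERVER, 51000, ACK),    # reply to a connection the server opened
]
# the outbound HTTPS connection the server itself started, already tracked
OUTBOUND_REPLY_FLOW = [("192.0.2.20", 443, SERVER, 51000)]

if __name__ == "__main__":
    for name, rules in (("with conntrack", WITH_CONNTRACK), ("plain", PLAIN), ("typical", TYPICAL)):
        print(name)
        for pkt, (state, verdict) in zip(SAMPLE, run(rules, SAMPLE, OUTBOUND_REPLY_FLOW)):
            print(f"  {pkt.src}:{pkt.sport} -> :{pkt.dport} {sorted(pkt.flags)} {state:<11} {verdict}")
```

Running it shows the answer's point in the third packet: the bare ACK is INVALID, so the conntrack rule drops it while the plain rule accepts it and leaves the kernel to answer with a RST. It also shows where the per-port conntrack rule from the question is too narrow: the reply on the server's own outbound connection (last packet) is dropped by both per-port rules and only admitted by the port-independent ESTABLISHED,RELATED rule at the top of TYPICAL.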