I have also been building iptables for many years. A few of my points that can "getya" if not considered:
Things to never use:-
ssh on port 22 (just plain dumb)
voip signalling on 50** (just plain dumb)
http on 80
Things to filter:-
rewrite http to https, and provide a legitimate cert on it.
port scanners/flooders, they always get dumped.
Any service that you don't fully trust.
If you have fail2ban properly configured, then enable the stock jails apache-nohome and apache-noscript. These guys are probing you; they can derivatively extract Elastix/PIAF/Schmooze/... signatures (along with the older phpmyadmin/recordings/blah-blah). Just look at your current logs.
Identify the network the attack vector comes from. Denying 4000+ addresses in a network in PSNET, for example, is dumb; tomorrow there will be 4001+. Unless you are likely to have clients in Gaza, just deny all those PS networks. (Be careful with networks like Comcast or Apple, but Amazon/OVH/Tiscali/Databank etc. are all fair game.)
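An added example of the last two points (probe detection on web logs, then banning by network rather than by single address). This is not the poster's own setup or configuration: the probe patterns are assumed approximations written for this example, not fail2ban's stock apache-nohome/apache-noscript filters (those parse Apache's error log, not the access log); the log lines, the addresses (RFC 5737 documentation ranges), the exempt network, the set name `badnets` and the thresholds are all constructed. The script groups offending IPs into /24s, bans a whole network once it holds several offenders, falls back to per-host bans for networks you don't want to drop wholesale (the Comcast/Apple caveat), and renders the ipset/iptables commands without executing them.

```python
"""Aggregate web-probe offenders from an Apache access log into network-level
bans and render the ipset/iptables commands for them.

Added example, not the poster's own setup. Probe patterns are assumed
approximations, not fail2ban's stock apache-nohome/apache-noscript filters.
All log lines, addresses, the exempt network, set name and thresholds are
constructed for the example.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.17 - - [10/Mar/2024:02:11:03 +0000] "GET /recordings/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.17 - - [10/Mar/2024:02:11:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.88 - - [10/Mar/2024:02:12:40 +0000] "GET /~root/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.88 - - [10/Mar/2024:02:12:41 +0000] "GET /admin/config.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.200 - - [10/Mar/2024:02:13:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2024:02:14:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2024:02:14:01 +0000] "GET /~alice/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:02:15:00 +0000] "GET /recordings/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:02:15:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, request path and status are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumed probe signatures (approximations, not fail2ban's filter regexes).
PROBE_PATTERNS = [
    re.compile(r"^/~"),                                   # home-directory probes (nohome-style)
    re.compile(r"\.(php|cgi|pl|asp)x?$", re.IGNORECASE),  # script probes that 404 (noscript-style)
    re.compile(r"^/(recordings|phpmyadmin|admin|panel)(/|$)", re.IGNORECASE),  # PBX/phpMyAdmin paths
]

# Networks never dropped wholesale (the post's Comcast/Apple caveat): only the
# individual offending hosts inside them get banned. Constructed value.
EXEMPT_FROM_NETWORK_BAN = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def is_probe(path, status):
    """A request is a probe when it is refused/missing and its path matches a probe pattern."""
    return status in (403, 404) and any(p.search(path) for p in PROBE_PATTERNS)


def find_probes(log_text):
    """Count probe hits per client IP across the log text."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        if is_probe(path, status):
            hits[ip] += 1
    return hits


def plan_bans(offenders, prefix=24, min_hosts=2, exempt=EXEMPT_FROM_NETWORK_BAN):
    """Group offending IPs by /prefix network (prefix is an IPv4 length here).

    A network holding at least min_hosts distinct offenders is banned wholesale,
    unless it overlaps an exempt network; in that case, and for networks with
    fewer offenders, only the individual hosts are banned.
    Returns (networks, hosts) as sorted lists of strings.
    """
    by_net = defaultdict(set)
    for ip in offenders:
        addr = ipaddress.ip_address(ip)
        by_net[ipaddress.ip_network(f"{addr}/{prefix}", strict=False)].add(addr)

    networks, hosts = [], []
    for net, members in by_net.items():
        protected = any(e.version == net.version and net.overlaps(e) for e in exempt)
        if len(members) >= min_hosts and not protected:
            networks.append(net)
        else:
            hosts.extend(members)
    by_version = lambda x: (x.version, x)  # keeps v4/v6 sortable together
    return ([str(n) for n in sorted(networks, key=by_version)],
            [str(h) for h in sorted(hosts, key=by_version)])


def render_rules(networks, hosts, setname="badnets"):
    """Render ipset/iptables commands as strings; nothing is executed here."""
    rules = [f"ipset create {setname} hash:net -exist"]
    rules += [f"ipset add {setname} {n} -exist" for n in networks]
    rules += [f"ipset add {setname} {h} -exist" for h in hosts]
    rules.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return rules


if __name__ == "__main__":
    nets, hosts = plan_bans(find_probes(SAMPLE_LOG))
    print("\n".join(render_rules(nets, hosts)))
```

On the sample, 203.0.113.0/24 holds three probing hosts and is dropped as a whole, while 192.0.2.0/24 is on the exempt list, so only 192.0.2.9 and 192.0.2.10 are added; a single hash:net set handles both the network and the /32 entries, so one iptables rule covers everything and the set can be refreshed without touching the chain.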