I find it's easier and more secure to whitelist the ports you need than to blacklist the ones you don't. It's definitely simpler to configure iptables that way. Here's the output of iptables-save on one of our web servers:
# Generated by iptables-save v1.4.7 on Tue Mar 18 15:42:25 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4195393:2121601563]
-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT
-A INPUT -i lo -m comment --comment "001 accept all to lo" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "002 accept SSH" -j ACCEPT
-A INPUT -m comment --comment "003 accept related established rules" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "010 accept HTTP" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 443 -m comment --comment "011 accept HTTPS" -j ACCEPT
-A INPUT -m comment --comment "999 drop all other requests" -j DROP
-A FORWARD -m comment --comment "000 drop forwarded packets" -j DROP
COMMIT
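To show the same allowlist approach as something you can generate and check before loading, here is an added example (my own script, not part of the answer above or of the server's real configuration). It builds an iptables-restore ruleset from a list of TCP ports, tightens the defaults by setting the INPUT and FORWARD chain policies to DROP so the host stays closed even if the final "999" rule is ever lost, and adds two checks you can run against the generated text. The port numbers are placeholders; nothing here touches a live firewall unless you pipe the output into iptables-restore yourself.

```shell
#!/bin/sh
# Added example: generate and sanity-check an allowlist INPUT chain.
# Assumptions: sh + grep only; ports given on the command line are placeholders.

# build_ruleset PORT... -> prints an iptables-restore ruleset that accepts only
# the given TCP ports plus ICMP, loopback and established/related traffic.
build_ruleset() {
    printf '%s\n' '*filter'
    # Chain policies DROP: the chain is closed by default, not just by a last rule.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -m comment --comment "001 accept all to lo" -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "002 accept established" -j ACCEPT'
    n=10
    for port in "$@"; do
        # Only NEW connections need an explicit rule; replies are covered above.
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m comment --comment \"$(printf '%03d' "$n") accept tcp/$port\" -j ACCEPT"
        n=$((n + 1))
    done
    # Explicit terminal DROP, kept for readability and for counters in iptables -L -v.
    printf '%s\n' '-A INPUT -m comment --comment "999 drop all other requests" -j DROP'
    printf '%s\n' 'COMMIT'
}

# ruleset_allows RULESET PORT -> exit 0 if PORT has an explicit ACCEPT rule.
ruleset_allows() {
    printf '%s\n' "$1" | grep -q -- "--dport $2 .* -j ACCEPT"
}

# ruleset_is_closed RULESET -> exit 0 if INPUT policy is DROP and the
# terminal "999" DROP rule is present.
ruleset_is_closed() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP' &&
    printf '%s\n' "$1" | grep -q -- '^-A INPUT -m comment --comment "999 .*-j DROP$'
}

# Usage: build_ruleset 22 80 443 > /tmp/rules.v4
#        then check syntax without applying: iptables-restore --test /tmp/rules.v4
```

The two check functions only inspect the generated text; `iptables-restore --test` parses the file with the real tool and is the step to run before `iptables-restore` proper, ideally from a console session rather than over SSH in case the SSH rule is missing.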