I actually locked myself out except for console access, so some of this is from memory/Googling:
1. Connect Raspberry Pi to local LAN and get wifi setup (I VLAN wireless traffic, so I have it listening/connected to both)
2. Change iptables default policy to DROP
3. Add relevant ALLOW rules to make sure basic stuff like DHCP still works. I added an allow rule to talk to another machine that runs a PHP script that talks to Twilio
4. Spend about a week adding custom DROP rules for any normal broadcast traffic on your network (Bonjour, random auto-discovery stuff, etc)
5. If you have properly excluded everything "normal" you should be able to run "iptables -vL" about 24 hours apart and the packet count next to the INPUT chain policy will not have incremented (remember we have a default of DENY)
6. Add a final rule of 'iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "ZOMG: " --log-level 4'
7. Write a bash script to monitor syslog, parse the log, forward to the before-mentioned script on another host