• Since you don't know what all was done, consider this server compromised (permanently). That means the OS and means the attacker could potentially come back in. Therefore, if possible, build a new server, transfer the DBs to it, take this server off-line and re-point everything to the new server. If the name is important, then when you're ready to make the change, take the old server off-line, drop the new SQL Server into a workgroup, rename it, and then re-add it to the domain.

    As far as best practices are concerned, if the IPtables were changed and that led to the compromise, there's not a ton you can do. That's a firewall change outside of SQL Server. One thing you can do is modify the IPSEC policy (Windows Server 2003) or the Windows Firewall (Windows Server 2008+) and add a policy to block all IPs except from your internal network. This assumes that only systems on your internal network would be making the connection.

    K. Brian Kelley
    @kbriankelley
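
The Windows Firewall restriction suggested in the answer above, as an added example that is not part of the original post: it lists existing inbound allow rules that would still expose SQL Server to any remote address, then adds an allow rule scoped to the internal network. Assumptions: a default instance on TCP 1433, a placeholder internal range of `10.0.0.0/8`, a domain network profile, and the NetSecurity cmdlets of Windows Server 2012 or later.

```powershell
# Added example; port, address range, profile and rule name are assumptions.
$SqlPort     = 1433            # default-instance port; change for named instances
$InternalNet = '10.0.0.0/8'    # placeholder: replace with your internal range(s)

# 1. Enabled inbound allow rules that cover the SQL port for ANY remote address.
#    A scoped allow rule does not help while one of these is still active.
#    Note: rules that cover the port through a range (e.g. 1000-2000) are not
#    matched by this simple check and need a manual look.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $coversPort = ($port.Protocol -in 'TCP', 'Any') -and
                      (($port.LocalPort -contains 'Any') -or
                       ($port.LocalPort -contains "$SqlPort"))
        if ($coversPort -and ($addr.RemoteAddress -contains 'Any')) { $_ }
    }

# Review the list before changing anything; program-based rules for
# sqlservr.exe show up here because their LocalPort is 'Any'.
$broad | Format-Table DisplayName, Profile, Enabled -AutoSize

# 2. Preview disabling the broad rules. Remove -WhatIf once the list is reviewed.
$broad | Disable-NetFirewallRule -WhatIf

# 3. Allow SQL Server traffic only from the internal network.
New-NetFirewallRule -DisplayName 'SQL Server - internal only' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $SqlPort -RemoteAddress $InternalNet -Profile Domain

# 4. Confirm the firewall is on and unmatched inbound traffic is blocked
#    (NotConfigured means the Windows default, which is Block).
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction -AutoSize
```

Run it from an elevated PowerShell session on the SQL Server host.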