iptables-close all ports except web and ssh

Ubuntu 16.04 server + fail2ban + iptables. There are a lot of PHP + MySQL sites on the server (with and without SSL).

The task is to close all ports except ports 80 for sites without SSL, 443 for sites in SSL so that the sites are accessible to users from outside, and all server services are closed to "intruders".

Fail2ban copes well with brute force (at the moment, about 700 IP addresses are temporarily blocked). But I would like to completely block access to the server for everyone without the possibility of brute-force passwords.

The idea is this: add INPUT iptables{[2] to the beginning of the chain]}

iptables -I INPUT 1 -s 123.123.123.123 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 3 -dport !80,443 -j REJECT

The first line allows all incoming packets from my home IP address.

With the second line, we make an exception for SSH and allow access to port 22 for everyone. For everyone, because even though I have a white IP, but the provider can change my IP address in the future at its discretion and I can lose access to the server if I close port 22 for everyone.

Thirds the line for all (if the two rules above did not work) closes all ports except web (80 - http and 443 - https). REJECT (instead of DROP) - in order not to hang open connections, but to send back service messages about port unavailability (according to the iptables documentation).

Questions:

Is my reasoning correct?

Do I need to write a separate rule for localhost/127.0.0.1 so that PHP has access to MySQL databases and in general inside the server without restrictions?

What else have you not provided for Ubuntu to work correctly as a web server of sites? It is possible that users ' browsers and search engines use some other ports that I do not know about...

Some scripts on the server use the PHP copy command. Will it work correctly if only ports 22,80,443 are open in the INPUT chain for iptables?