I think the idea is that nothing is accepted
it depends on policy (-P): either ACCEPT, REJECT or DROP
unless it is in response to
a request.
You must enable it explicitly, i.e.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
What's to stop some spurious instructions being sent in response to
a genuine request?
Packets do not contain instructions, only data. If your TCP/IP implementation doesn't have vulnerabilities, no packet should be a problem.
A firewall prevents technically legal packets from reaching software that shouldn't be accessible from the Internet.
In most cases a hacker finds an open port (a port listened on by some daemon) and connects to it.
A firewall prevents the hacker from doing that.
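A complete minimal ruleset of the kind the replies describe (default DROP policy, reply traffic allowed, only chosen ports opened), as an added example that is not from the thread. It prints iptables-restore syntax to stdout so the rules can be reviewed before loading; it uses the `-m conntrack --ctstate` match, the current equivalent of the `-m state --state` form quoted above.

```shell
#!/bin/sh
# Added example: generate a stateful INPUT policy in iptables-restore format.
# Load with:  gen_ruleset "22 443" > ruleset.v4 && iptables-restore < ruleset.v4

# Emit a ruleset opening the given space-separated list of TCP ports.
gen_ruleset() {
    ports="$1"
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # same effect as -P INPUT DROP
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host started, plus related traffic (e.g. ICMP errors)
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # Packets that match no known connection and are not a valid new one
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Only explicitly listed services may receive new connections
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p --syn -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Review helper: how many ports does a generated ruleset open to new connections?
count_open_ports() {
    gen_ruleset "$1" | grep -c -- '--ctstate NEW -j ACCEPT' || true
}
```

Everything not matched by an ACCEPT rule falls through to the INPUT chain's DROP policy, which is the "nothing is accepted unless it is a reply" behaviour the question was about.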