iptables

New IPs are added to IPTABLES INPUT REJECT with "reject-with icmp-port-unreachable" from nowhere


I'm starting to see new IPs added to the INPUT chain with REJECT "reject-with icmp-port-unreachable", but it's not clear who added them or where I can stop this.

It's not clear which systems are creating these rules. We are not using this kind of "REJECT" rule in our APP; we use only DROP rules. These ones are a mystery.

Any idea how they appeared here?


Solution

  • The REJECT target rejects the packet. If you do not specify which ICMP message to reject with, the server by default will send back ICMP port unreachable (type 3, code 3).

    It would be wise to read the iptables documentation to understand what each action does (-j DROP vs. -j REJECT).

    So the firewall you did create is adding those rules for you, since you most probably used the -j REJECT instead of the -j DROP flag.

    As a basic rule you should use -j REJECT for your local network and -j DROP for the internet traffic that's hitting your server. When using REJECT rules an ICMP packet is sent indicating the port is unavailable. So your server might get exposed.

    To answer your question, your own firewall created those rules.
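As an added example (not from the original answer), a small POSIX shell script that runs over a constructed `iptables -S INPUT` listing: it picks out the REJECT rules, counts the ones carrying the default port-unreachable reply, and prints the equivalent silent DROP rules so the difference the answer describes is visible. The rule lines and addresses are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs offline on a
# constructed rule listing; nothing here touches a live firewall.

# Constructed sample of what `iptables -S INPUT` prints. iptables shows the
# implicit "--reject-with icmp-port-unreachable" even when the rule was added
# as a bare "-j REJECT", which is why it looks like it came "from nowhere".
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 198.51.100.7/32 -j DROP
-A INPUT -s 192.0.2.9/32 -p tcp --dport 22 -j REJECT --reject-with tcp-reset'

# Print only the REJECT rules from a rule listing (one rule per line).
find_reject_rules() {
    printf '%s\n' "$1" | grep -- '-j REJECT'
}

# Count REJECT rules that answer with the default ICMP port unreachable
# (type 3, code 3), i.e. the ones that tell the sender the port exists but is closed.
count_default_reject() {
    printf '%s\n' "$1" | grep -c -- '-j REJECT --reject-with icmp-port-unreachable'
}

# Rewrite one REJECT rule into the equivalent DROP rule: same match, but the
# packet is discarded silently and no ICMP or TCP reset goes back.
# Usage: to_drop '<rule line as printed by iptables -S>'
to_drop() {
    printf '%s\n' "$1" | sed -e 's/ -j REJECT --reject-with [^ ]*$/ -j DROP/' \
                             -e 's/ -j REJECT$/ -j DROP/'
}

# Emit, without executing, the commands that would swap each REJECT rule for
# its DROP counterpart: delete by full rule spec, then append the DROP form.
reject_to_drop_commands() {
    find_reject_rules "$1" | while IFS= read -r rule; do
        echo "iptables -D ${rule#-A }"
        echo "iptables $(to_drop "$rule")"
    done
}

# Stand-alone run: show what would change on the sample listing.
reject_to_drop_commands "$SAMPLE_RULES"
```

Review the printed commands before applying them on a real host; the answer's guidance is REJECT for the local network and DROP for internet-facing traffic, so not every REJECT rule should necessarily be converted.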