On 12/07/10 13:50, Andy Parkins wrote:
> There's nothing wrong with what you've done -- and in the absence of other
> rules is functionally the same as what I am about to say, but a better
> practice is to set the policy of each chain to "DROP" (at least for the INPUT
> and FORWARD chains) and then explicitly set what you will ACCEPT (this is true
> for IPv4 and IPv6).
>
> # flush any existing rules (one command per invocation: -F and -X cannot be combined)
> ip6tables -F
> # delete any user-defined chains
> ip6tables -X
> # set policy
> ip6tables -P INPUT DROP
> ip6tables -P FORWARD DROP
>
> ip6tables -L
> Chain INPUT (policy DROP)
> target     prot opt source               destination
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
>
> Since the DROP isn't implemented with a rule, you don't have to worry about
> inserting your ACCEPT rules before it; you can simply append and the policy
> will take care of the DROP. For example:
>
> ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
>
> This saves you the trouble of working out what number you should be passing to
> a '-I' command.
Andy,
Thank you - I'll change both my iptables and ip6tables rules as you
recommend above. This was how I had it set up on my previous VPS, but I
went to a different guide this time.
Martin
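The default-DROP layout Andy describes, written out as a complete script. This is an added example, not code from either poster: the gen_rules function (a name chosen here) prints the iptables or ip6tables commands so they can be reviewed before being piped to a root shell. It goes slightly beyond the thread in two ways a practitioner will want: it accepts loopback and already-established flows so replies to outbound connections are not dropped, and on IPv6 it lets ICMPv6 through, because a DROP policy on INPUT otherwise silently breaks neighbour discovery and path-MTU discovery. The port list is an assumption; 22 and 80 are used only as sample input.

```shell
#!/bin/sh
# Added example (not from the thread): emit a default-DROP ruleset for
# iptables or ip6tables.  Review the output, then apply it as root:
#   gen_rules ip6tables 22 80        # print the commands
#   gen_rules ip6tables 22 80 | sh   # apply them
# Put the SSH port first in the list if you are applying this remotely.

# gen_rules TOOL PORT...  -- TOOL is iptables or ip6tables; PORTs are TCP
# ports to accept on INPUT.  Prints one command per line, returns 1 on a
# malformed port.
gen_rules() {
    tool=$1
    shift
    case $tool in
        iptables|ip6tables) ;;
        *) echo "gen_rules: tool must be iptables or ip6tables" >&2; return 1 ;;
    esac

    # Flush rules and delete user-defined chains.  iptables takes exactly
    # one command per invocation, so -F and -X are separate calls.
    echo "$tool -F"
    echo "$tool -X"

    # Policies: the DROP is the chain policy, not a rule, so every rule
    # appended below is evaluated before it.
    echo "$tool -P INPUT DROP"
    echo "$tool -P FORWARD DROP"
    echo "$tool -P OUTPUT ACCEPT"

    # Loopback, and replies to connections this host opened.
    echo "$tool -A INPUT -i lo -j ACCEPT"
    echo "$tool -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # IPv6 relies on ICMPv6 for neighbour discovery (the equivalent of ARP)
    # and path-MTU discovery; dropping it leaves the host unreachable.
    # For IPv4 only echo-request is admitted here.
    if [ "$tool" = ip6tables ]; then
        echo "$tool -A INPUT -p ipv6-icmp -j ACCEPT"
    else
        echo "$tool -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    fi

    # Per-service ACCEPTs are simply appended (-A); no -I index needed.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "gen_rules: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_rules: port out of range '$port'" >&2
            return 1
        fi
        echo "$tool -A INPUT -p tcp --dport $port -j ACCEPT"
    done
}

# Run directly (not sourced): print the IPv6 ruleset for SSH and HTTP.
if [ "${0##*/}" = "gen_rules.sh" ]; then
    gen_rules ip6tables 22 80
fi
```

Because the DROP lives in the policy, the order of the appended ACCEPT rules only matters relative to each other, which is the point Andy makes; what the policy cannot do for you is remember that IPv6 stops working without ICMPv6, so that rule belongs in every ip6tables default-DROP set.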