> so the drop-all would be..?
>
> iptables -A INPUT -p TCP -i eth0 -s 0/0 -j DROP
>
> or did I just invent my own thing here?
> tia
> Kate

I was just about to comment: To drop by policy, any rule that doesn't get matched earlier gets picked up by the policy rule. You would use:

iptables -P INPUT DROP
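Added example, not part of the original message: a simplified Python model of INPUT chain traversal (first matching rule wins, the chain policy decides everything else), comparing the appended rule with the policy over constructed packets. It assumes the chain holds no other rules and that the policy starts at the built-in default of ACCEPT; the class and function names are illustrative, not iptables code.

```python
# Simplified model of iptables INPUT traversal (added illustration, not iptables code).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    iface: str


@dataclass(frozen=True)
class Rule:
    target: str                    # "ACCEPT" or "DROP"
    proto: Optional[str] = None    # None = any protocol (no -p given)
    iface: Optional[str] = None    # None = any interface (no -i given)

    def matches(self, pkt):
        return (self.proto in (None, pkt.proto)
                and self.iface in (None, pkt.iface))


def verdict(rules, policy, pkt):
    """First matching rule wins; the chain policy decides unmatched packets."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed sample traffic.
PACKETS = [Packet("tcp", "eth0"), Packet("udp", "eth0"),
           Packet("icmp", "eth0"), Packet("tcp", "eth1")]

# iptables -A INPUT -p TCP -i eth0 -s 0/0 -j DROP, policy assumed at default ACCEPT.
# -s 0/0 matches every source address, so it adds no restriction to the model.
APPENDED_RULE = ([Rule("DROP", proto="tcp", iface="eth0")], "ACCEPT")

# iptables -P INPUT DROP with no rules in the chain.
POLICY_DROP = ([], "DROP")


def verdicts(chain):
    rules, policy = chain
    return [verdict(rules, policy, p) for p in PACKETS]


if __name__ == "__main__":
    for name, chain in (("appended rule", APPENDED_RULE), ("policy DROP", POLICY_DROP)):
        for pkt, v in zip(PACKETS, verdicts(chain)):
            print(f"{name:14} {pkt.proto:5} {pkt.iface:5} -> {v}")
```

In the model, the appended rule drops only TCP arriving on eth0, while the DROP policy also catches the UDP, ICMP and eth1 packets.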