CDOT Wiki β

OPS235 Lab 7 - CentOS7 - HD2

564 bytes added, 17:21, 24 October 2016
no edit summary
=== Part 2: Setting a Default Policy / Setting Policy Exceptions (iptables) ===
Usually when setting policy rules with iptables, a general "overall" policy is set first (the default policy of a chain). A good way to think about a default policy is as a safety net: it takes some action on every packet that no other rule has handled, so that un-handled packets do not pass through the firewall by mistake. After the default policy is set up, policy rules are added to the chain that act as specific exceptions to the default policy and control specific network traffic. A default policy applies to ALL types of packets (tcp, udp, icmp) and to ALL communication port numbers (80, 22, etc.).
The option <b><code>-P</code></b> is used with the iptables command to set the default policy of a chain. An example would be to set the default policy for incoming network traffic (the INPUT chain) to DROP everything, and then add certain exceptions (such as ssh connections).
The table below gives policy setting examples. '''Policy Setting Examples:'''
<table width="100%" cellpadding="10" cellspacing="0" border="1">
<tr>
<td width="30%">'''iptables -P INPUT DROP'''</td><td>Drops all incoming packets regardless of protocol (eg. tcp, udp, icmp), port number (eg. 22, 80) or source or destination IP address. Setting a default policy of DROP for all incoming traffic makes it easier to specify a few exceptions for the traffic that should be allowed in.</td>
</tr><tr>
<td>'''iptables -P INPUT ACCEPT'''</td><td>Accepts all incoming packets regardless of protocol (eg. tcp, udp, icmp), port number (eg. 22, 80) or source or destination IP address. Setting a default policy of ACCEPT for all incoming traffic would require A LOT of exceptions to help "lock-down" the server for protection! Which default policy is appropriate depends on the server set-up and on what the Linux system administrator wants to accomplish.</td>
</tr>
</table>
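The "default DROP plus exceptions" approach described in this part, written as an added example (this is not code from the OPS235 lab): the script builds the INPUT chain policy in iptables-restore format so the rule set can be reviewed as a file before it is loaded. The ssh exception (port 22) comes from the text above; the loopback and ESTABLISHED,RELATED exceptions, the function names and the output path are assumptions added so that replies to the host's own connections still get through.

```shell
#!/bin/sh
# Added example, not from the lab page. Generates an iptables-restore
# rule set whose INPUT chain has a default policy (-P equivalent) and a
# few explicit exceptions. Load later, as root, with:
#   iptables-restore < /tmp/ops235-input.rules

gen_ruleset() {
    # $1 = default policy for INPUT (DROP or ACCEPT), $2 = ssh port (default 22)
    policy="$1"
    ssh_port="${2:-22}"
    cat <<EOF
*filter
:INPUT ${policy} [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Exceptions are matched first; the default policy only applies to
# packets that reach the end of the chain without matching a rule.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -j ACCEPT
COMMIT
EOF
}

# Number of ACCEPT exceptions the generated INPUT chain carries.
count_exceptions() {
    gen_ruleset "$1" "$2" | grep -c '^-A INPUT .* -j ACCEPT'
}

# The default INPUT policy recorded in the generated rule set.
input_policy() {
    gen_ruleset "$1" "$2" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}

# Write the DROP-by-default variant to a file for review (path is an assumption).
gen_ruleset DROP 22 > /tmp/ops235-input.rules
```

Generating ACCEPT instead of DROP as the first argument produces the "accept everything" variant from the table, which is why the exception count stays the same while the safety net disappears.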