Iptables: Change Policy or Use Catch-All Rule?

Tags: firewall, iptables, linux, security

What do you do when setting up iptables: change the default policy (`iptables -P INPUT DROP`, for example) or add a catch-all rule at the end of the ruleset (`iptables -A INPUT -j DROP`)? If you do prefer one in particular, what's the rationale behind your preference?

This may be too subjective a question for this forum, but perhaps there are some good hard reasons to choose one over the other that I'm not aware of.

Against the policy way I have that it's probably easier to lock oneself out of the server due to an overly optimistic iptables -F. For it I have that it's probably easier to delete the catch-all rule without noticing it, effectively leaving the server wide open (I've had this happen to me in the past).

It's true that you shouldn't rely on the firewall as your only protection from the internet (most of the time you can make internal network services bind only to localhost or the internal network, for example) but sometimes one is forced to expose semi-public services to a specific source network, etc.

Personally I tend to prefer the first if writing a ruleset from scratch, but stick to whatever's in place already if updating an existing one.

Best Answer

I use both, setting the policy, and a final drop rule, because I am hardcore like that.

I have my rules defined in a script that I call and update. I never call iptables directly other than to occasionally list the rules/stats. I have never really seen a reason why one is better than the other.
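A way to check for the two failure modes the question raises before a ruleset script goes live, as an added example (this is not code from the question or the answer): `audit_chain` reads an `iptables-save` dump and reports whether a chain is closed by its policy, by a trailing catch-all rule, by both, or by neither. The dumps below are constructed for the example; the function name and output labels are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# audit_chain classifies how a chain in an `iptables-save` dump is closed, so a
# deploy script can refuse the failure modes discussed: policy-only (a stray
# `iptables -F` locks you out) and catchall-only (delete that last rule and the
# chain is wide open). Live use: audit_chain "$(iptables-save)" INPUT

# audit_chain DUMP CHAIN -> prints one of: both, policy-only, catchall-only, open
audit_chain() {
    dump="$1"; chain="$2"
    # chain policy comes from the header line, e.g. ":INPUT DROP [0:0]"
    policy=$(printf '%s\n' "$dump" | sed -n "s/^:$chain \([A-Z]*\) .*/\1/p" | head -n 1)
    # only the last rule matters: anything after a terminal DROP is never reached
    last=$(printf '%s\n' "$dump" | grep -e "^-A $chain " | tail -n 1)
    case "$last" in
        "-A $chain -j DROP"|"-A $chain -j REJECT"|"-A $chain -j REJECT "*) catchall=1 ;;
        *) catchall=0 ;;
    esac
    if [ "$policy" = DROP ] && [ "$catchall" = 1 ]; then echo both
    elif [ "$policy" = DROP ]; then echo policy-only
    elif [ "$catchall" = 1 ]; then echo catchall-only
    else echo open
    fi
}

# Constructed sample dumps (not from a real host) covering the four outcomes.
SAMPLE_BOTH=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
)
# Same ruleset after `iptables -F`: only the policy is left, SSH rule included.
SAMPLE_FLUSHED=$(printf '%s\n' "$SAMPLE_BOTH" | grep -v -e '^-A ')
# Policy left at ACCEPT, so protection rests entirely on the final rule...
SAMPLE_CATCHALL=$(printf '%s\n' "$SAMPLE_BOTH" | sed 's/^:INPUT DROP/:INPUT ACCEPT/')
# ...and the same host after that rule was deleted without anyone noticing.
SAMPLE_OPEN=$(printf '%s\n' "$SAMPLE_CATCHALL" | grep -v -e '^-A INPUT -j DROP$')

for name in BOTH FLUSHED CATCHALL OPEN; do
    eval "d=\$SAMPLE_$name"
    printf '%-9s INPUT: %s\n' "$name" "$(audit_chain "$d" INPUT)"
done
```

Wiring `audit_chain "$(iptables-save)" INPUT` into the rules script and failing on anything but `both` catches the flushed and rule-deleted states before they reach a remote host.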