diff --git a/config.scm b/config.scm
index 7f1560e..a24132e 100644
--- a/config.scm
+++ b/config.scm
@@ -48,7 +48,7 @@
 (shell #~(string-append #$zsh "/bin/zsh"))
 (home-directory "/home/collin")
 (supplementary-groups
- '("wheel" "docker" "netdev" "audio" "video")))
+ '("wheel" "docker" "kvm" "netdev" "audio" "video")))
 %base-user-accounts))
 (packages
@@ -66,6 +66,7 @@
 "emacs-guix"
 "emacs-exwm"
 "graphviz"
+ "iptables"
 "tmux"
 "xterm"
 "xrandr"
@@ -73,4 +74,24 @@
 %base-packages))
 (services
 (cons* (service docker-service-type)
+ (service iptables-service-type
+ (iptables-configuration
+ (ipv4-rules (plain-file "iptables.rules" "*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [628:62522]
+:TCP - [0:0]
+:UDP - [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
+COMMIT
+"))))
 %desktop-services)))
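Review bot: The new `iptables-configuration` in the services hunk sets only `ipv4-rules`; `iptables-configuration` also has an `ipv6-rules` field, which as far as I recall defaults to an accept-all rule set, so on a host with IPv6 connectivity the `:INPUT DROP` policy written here does not apply to IPv6 at all and inbound traffic over v6 is unfiltered while v4 is locked down to port 22. Add a parallel `(ipv6-rules (plain-file "ip6tables.rules" ...))` with the same filter table, chain policies and conntrack rules (ICMPv6 needs to be allowed rather than rejected, since neighbour discovery depends on it), or confirm the machine has no IPv6 address. Two smaller points on the same rule file: the `[628:62522]` packet/byte counters on `:OUTPUT` are copied from a live `iptables-save` and should be `[0:0]` like the other chains, and since `docker-service-type` is also enabled here the daemon will install its own DOCKER/FORWARD rules on top of this static file, so it is worth checking after a reboot that the `:FORWARD DROP` policy and the Docker chains coexist as intended. The `plain-file` string could also move to a `local-file "iptables.rules"` next to the config so the rules stay readable and diffable on their own.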