diff --git a/bundles/iptables/files/00-defaults b/bundles/iptables/files/00-defaults
deleted file mode 100644
index af1ca28..0000000
--- a/bundles/iptables/files/00-defaults
+++ /dev/null
@@ -1 +0,0 @@
-iptables_both -A INPUT -p tcp --dport 22 -j ACCEPT
diff --git a/bundles/iptables/items.py b/bundles/iptables/items.py
index 69fba15..d0bf6b3 100644
--- a/bundles/iptables/items.py
+++ b/bundles/iptables/items.py
@@ -21,11 +21,6 @@ files = {
 'action:iptables_enforce',
 },
 },
- '/etc/iptables-rules.d/00-defaults': {
- 'triggers': {
- 'action:iptables_enforce',
- },
- },
 }
 
 for bundle, rules in node.metadata.get('iptables/bundle_rules', {}).items():
diff --git a/bundles/openssh/metadata.py b/bundles/openssh/metadata.py
index d3e805c..ebc8854 100644
--- a/bundles/openssh/metadata.py
+++ b/bundles/openssh/metadata.py
@@ -1,3 +1,5 @@
+from bundlewrap.metadata import atomic
+
 defaults = {
 'apt': {
 'packages': {
@@ -12,3 +14,15 @@ defaults = {
 },
 },
 }
+
+@metadata_reactor.provides(
+ 'iptables/port_rules/22',
+)
+def iptables(metadata):
+ return {
+ 'iptables': {
+ 'port_rules': {
+ '22': atomic(metadata.get('openssh/restrict-to', set('*'))),
+ },
+ },
+ }
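Review bot: The fallback `set('*')` in the new `iptables` reactor means that port 22 stays open to every source whenever `openssh/restrict-to` is unset, so the restriction is opt-in; this assumes `*` means "any source", since the code that consumes `iptables/port_rules` is not part of this diff. That matches the removed 00-defaults rule, but it deserves a comment on the `'22'` line such as `# '*' = any source; set openssh/restrict-to to narrow SSH access`. I would also write the default as a set literal, `'22': atomic(metadata.get('openssh/restrict-to', {'*'})),`, because `set('*')` iterates the string and would split a longer value such as a CIDR into single characters if the pattern is copied. Separately, the SSH accept rule now exists only on nodes that carry the openssh bundle, so confirm that no node relying on the old iptables default loses its SSH rule when the firewall is next enforced.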