diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh
index 288d5d2fd..89221342c 100755
--- a/setup/start/cloudron-firewall.sh
+++ b/setup/start/cloudron-firewall.sh
@@ -12,12 +12,12 @@ ipset create cloudron_blocklist hash:net || true
 iptables -t filter -A CLOUDRON -m set --match-set cloudron_blocklist src -j DROP
 if ! iptables -t filter -C FORWARD -m set --match-set cloudron_blocklist src -j DROP; then
- iptables -t filter -I FORWARD -m set --match-set cloudron_blocklist src -j DROP
+ iptables -t filter -A FORWARD -m set --match-set cloudron_blocklist src -j DROP
 fi
 # allow related and establisted connections
-iptables -t filter -I CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
-iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports 22,25,80,202,443 -j ACCEPT # 202 is the alternate ssh port
+iptables -t filter -A CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -t filter -A CLOUDRON -p tcp -m tcp -m multiport --dports 22,25,80,202,443 -j ACCEPT # 202 is the alternate ssh port
 # whitelist any user ports
 user_firewall_json="/home/yellowtent/boxdata/firewall-config.json"
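Review bot: The blocklist DROP in FORWARD is now appended with `-A`, so it is evaluated after every rule already in that chain; if an earlier rule accepts the packet (the chain's other rules are not visible in this hunk, but container runtimes typically insert their own ACCEPT or jump rules at the top), traffic from `cloudron_blocklist` sources is forwarded before the DROP is reached. Either keep the rule at the head, `iptables -t filter -I FORWARD 1 -m set --match-set cloudron_blocklist src -j DROP`, or confirm with `iptables -S FORWARD` on a provisioned host that nothing ahead of it accepts forwarded traffic. In the CLOUDRON chain the switch to `-A` places the RELATED,ESTABLISHED accept after the blocklist DROP, which looks intentional; a comment such as `# order matters: blocklist DROP must stay ahead of the ACCEPT rules below` would keep a later edit from reversing it.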