diff --git a/CHANGES b/CHANGES
index 49038d818..0ab9a7df4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2451,4 +2451,5 @@
 [7.2.0]
 * mail: hide log button for non-superadmins
+* firewall: do not add duplicate ldap redirect rules
diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh
index b26ba0912..28de55f87 100755
--- a/setup/start/cloudron-firewall.sh
+++ b/setup/start/cloudron-firewall.sh
@@ -61,6 +61,9 @@ ipset create cloudron_ldap_allowlist6 hash:net family inet6 || true
 ipset flush cloudron_ldap_allowlist6
 ldap_allowlist_json="/home/yellowtent/platformdata/firewall/ldap_allowlist.txt"
+# delete any existing redirect rule
+$iptables -t nat -D PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004 2>/dev/null || true
+$ip6tables -t nat -D PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004 >/dev/null || true
 if [[ -f "${ldap_allowlist_json}" ]]; then
 # without the -n block, any last line without a new line won't be read it!
 while read -r line || [[ -n "$line" ]]; do
@@ -74,8 +77,12 @@ if [[ -f "${ldap_allowlist_json}" ]]; then
 done < "${ldap_allowlist_json}"
 # ldap server we expose 3004 and also redirect from standard ldaps port 636
- ipxtables -t nat -I PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004
+ $iptables -t filter -C INPUT -j CLOUDRON_RATELIMIT 2>/dev/null || $iptables -t filter -I INPUT 1 -j CLOUDRON_RATELIMIT
+
+ $iptables -t nat -I PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004
 $iptables -t filter -A CLOUDRON -m set --match-set cloudron_ldap_allowlist src -p tcp --dport 3004 -j ACCEPT
+
+ $ip6tables -t nat -I PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004
 $ip6tables -t filter -A CLOUDRON -m set --match-set cloudron_ldap_allowlist6 src -p tcp --dport 3004 -j ACCEPT
 fi
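Review bot: The `$ip6tables -t nat -D … >/dev/null || true` line redirects stdout while the `$iptables` line directly above it uses `2>/dev/null`; iptables reports a missing rule on stderr, so the IPv6 delete still prints an error on every run where no redirect exists yet, and the two lines should match: `$ip6tables -t nat -D PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004 2>/dev/null || true`. A single `-D` also removes only one instance, so a host that already accumulated several copies of the redirect keeps all but one, because the block further down re-inserts one rule per run and the count never shrinks; looping until the delete fails clears them all: `while $iptables -t nat -D PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004 2>/dev/null; do :; done` (and the same for `$ip6tables`). These are top-level statements of the script; the `if [[ -f "${ldap_allowlist_json}" ]]` block that opens at the end of this hunk closes in the next one.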
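Review bot: The new `$iptables -t filter -C INPUT -j CLOUDRON_RATELIMIT 2>/dev/null || $iptables -t filter -I INPUT 1 -j CLOUDRON_RATELIMIT` line sits directly under the comment about exposing 3004 and redirecting 636, which no longer describes it, and inside `if [[ -f "${ldap_allowlist_json}" ]]`, so the rate-limit jump is only installed when an LDAP allowlist file exists; if that coupling is intended, a comment such as `# hook the rate-limit chain into INPUT before exposing 3004` should say so, otherwise the line belongs outside the block. The same check-then-insert guard would make the two REDIRECT inserts idempotent without the delete in the previous hunk, e.g. `$iptables -t nat -C PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004 2>/dev/null || $iptables -t nat -I PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004`, and likewise for `$ip6tables`. Only the IPv4 INPUT chain receives the CLOUDRON_RATELIMIT jump here; whether an IPv6 counterpart is needed depends on where that chain is created, which is outside this diff.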