diff --git a/imageroot/bin/firewall-rules b/imageroot/bin/firewall-rules
index fa1deb2..c3ce1ae 100755
--- a/imageroot/bin/firewall-rules
+++ b/imageroot/bin/firewall-rules
@@ -16,8 +16,8 @@ if [[ $action == 'create-ipset' ]]; then
 firewall-cmd --reload
 elif [[ $action == 'add-rule' ]]; then
 # we cannot use --permanent option here, because the set of ipset won't be seen by crowdsec-firewall-bouncer.service
- iptables -I INPUT 0 -m set --match-set crowdsec-blacklists src -j DROP
- ip6tables -I INPUT 0 -m set --match-set crowdsec6-blacklists src -j DROP
+ iptables -I INPUT 1 -m set --match-set crowdsec-blacklists src -j DROP
+ ip6tables -I INPUT 1 -m set --match-set crowdsec6-blacklists src -j DROP
 elif [[ $action == 'remove-rule' ]]; then
 iptables -D INPUT -m set --match-set crowdsec-blacklists src -j DROP
 ip6tables -D INPUT -m set --match-set crowdsec6-blacklists src -j DROP
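Review bot: Neither insert in the `add-rule` branch checks for an existing rule or for failure, so a second `add-rule` stacks a duplicate DROP rule that one `remove-rule` leaves behind (`-D` deletes a single match per call), and a failed insert can pass unnoticed unless the script enables `set -e` outside this hunk — which is presumably how the old index `0` survived, since iptables rule numbers start at 1. Guarding each insert makes the branch idempotent: `iptables -C INPUT -m set --match-set crowdsec-blacklists src -j DROP 2>/dev/null || iptables -I INPUT 1 -m set --match-set crowdsec-blacklists src -j DROP`, and the same for `ip6tables` with `crowdsec6-blacklists`. Position 1 only holds at insertion time; because the rule is deliberately non-permanent, a later firewalld reload may drop or displace it, so it is worth confirming that `add-rule` is re-run after reloads and that the blocklist match still precedes any broad ACCEPT rule. The `if`/`elif` chain starts and ends outside the hunk.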