diff --git a/iptables/templates/iptables-rules.v4.j2 b/iptables/templates/iptables-rules.v4.j2
index 4b242fe4..702cee01 100644
--- a/iptables/templates/iptables-rules.v4.j2
+++ b/iptables/templates/iptables-rules.v4.j2
@@ -5,10 +5,7 @@
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
--A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
--A INPUT -p icmp -j ACCEPT
--A INPUT -i lo -j ACCEPT
-#
+
 # We manage the banned IP/networks list before anything else
 {% if iptables_banlist is defined %}
 {% for obj in iptables_banlist %}
@@ -23,6 +20,11 @@
 {% endif %}
 {% endfor %}
 {% endif %}
+
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+#
 {% if iptables_managed_ssh is defined and iptables_managed_ssh %}
 {% if iptables_ssh_allowed_hosts is defined %}
 # ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses
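Review bot: The moved `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` line in the second hunk now sits after the banlist block, so a banned address is cut off mid-connection rather than only for new connections; that is presumably the intent, but nothing at the new location says so, and a later maintainer could move the state rule back to the top "for performance" and silently let established flows from banned hosts through again. I would add above the moved lines `# Kept after the banlist on purpose: a ban must also drop already-established connections.` The `-i lo` and `-p icmp` accepts now also come after the banlist, so a banlist entry covering a local address would affect loopback traffic; the banlist rule bodies lie between the two hunks, outside this view, so I cannot confirm their action here. Since these three rules are new on this side anyway, `-m conntrack --ctstate ESTABLISHED,RELATED` is the current form of the legacy `-m state` match and would be worth adopting at the same time.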