diff --git a/roles/deploy-web/files/refill_blacklist.sh b/roles/deploy-web/files/refill_blacklist.sh
index 058e4ae..7238c4d 100644
--- a/roles/deploy-web/files/refill_blacklist.sh
+++ b/roles/deploy-web/files/refill_blacklist.sh
@@ -4,8 +4,8 @@ BLACKLIST=/etc/sentinel/blacklist
 chain_count=$(iptables -L BLACKLIST -n | wc -l)
 if [ ${chain_count} -eq 0 ]; then
 iptables -N BLACKLIST
- iptables -A INPUT -p tcp -m tcp --dport 80 -j BLACKLIST
- iptables -A INPUT -p tcp -m tcp --dport 443 -j BLACKLIST
+ iptables -I INPUT 1 -p tcp -m tcp --dport 80 -j BLACKLIST
+ iptables -I INPUT 1 -p tcp -m tcp --dport 443 -j BLACKLIST
 fi
 
 if [ ! -f ${BLACKLIST} ]; then
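Review bot: The two `-I INPUT 1` jumps are still inside the `if [ ${chain_count} -eq 0 ]` branch, so they run only when the BLACKLIST chain does not exist yet; on a host set up by the previous version the chain is already present and the jumps stay where `-A` left them, presumably behind the ACCEPT rules this change is meant to precede. The same guard means that if INPUT is flushed or reloaded while the chain survives, the jumps are not restored and the blacklist silently stops being consulted. Checking for the rule itself, outside the chain-creation `if`, would cover the flush case: `iptables -C INPUT -p tcp -m tcp --dport 80 -j BLACKLIST 2>/dev/null || iptables -I INPUT 1 -p tcp -m tcp --dport 80 -j BLACKLIST` (likewise for 443). Already-provisioned hosts would additionally need a one-time `iptables -D` of the appended rules, since `-C` finds them at the old position. Only the IPv4 table is touched in the visible lines and the script continues past the hunk, so if ports 80/443 are reachable over IPv6, confirm that `ip6tables` is handled elsewhere.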