diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops
index db2955e614f..2a3b986cec7 100755
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@@ -1053,8 +1053,8 @@ def network_rules(session, args):
 util.SMlog("Programming network rules for vm %s seqno=%s numrules=%s signature=%s guestIp=%s,"\
 " update iptables, reason=%s" % (vm_name, seqno, len(lines), signature, vm_ip, reason))
- util.pread2(['iptables', '-F', vmchain])
+ cmds = []
 for line in lines:
 tokens = line.split(':')
 if len(tokens) != 4:
@@ -1088,7 +1088,7 @@ def network_rules(session, args):
 if start == "-1":
 range = "any"
 iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', '--match-set', ipsetname, 'src', '-j', 'ACCEPT']
- util.pread2(iptables)
+ cmds.append(iptables)
 util.SMlog(iptables)
 if allow_any and protocol != 'all':
@@ -1099,9 +1099,12 @@ def network_rules(session, args):
 if start == "-1":
 range = "any"
 iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-j', 'ACCEPT']
- util.pread2(iptables)
+ cmds.append(iptables)
 util.SMlog(iptables)
+ util.pread2(['iptables', '-F', vmchain])
+ for cmd in cmds:
+ util.pread2(cmd)
 util.pread2(['iptables', '-A', vmchain, '-j', 'DROP'])
 if write_rule_log_for_vm(vm_name, vm_id, vm_ip, domid, signature, seqno) == False:
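Review bot: In the third hunk the chain is still rebuilt by separate `iptables` calls, so between `util.pread2(['iptables', '-F', vmchain])` and the final `-A ... -j DROP` the chain has no terminal DROP, and if `util.pread2(cmd)` raises on a rejected rule (its error behaviour is not visible here) the DROP is never appended. What a packet does after falling off the end of `vmchain` depends on the calling chain, which these hunks do not show, so the state should be treated as possibly fail-open. I would wrap the replay as `try:` / `for cmd in cmds: util.pread2(cmd)` / `finally: util.pread2(['iptables', '-A', vmchain, '-j', 'DROP'])`, or feed the whole chain to `iptables-restore --noflush` so the replacement is a single commit. network_rules starts and ends outside these hunks, so an outer handler may already cover the failure path; a one-line comment above the flush saying why it was moved after rule parsing would also help the next reader.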