diff --git a/update-blacklist.sh b/update-blacklist.sh
index 99eb6ad..8ba9724 100644
--- a/update-blacklist.sh
+++ b/update-blacklist.sh
@@ -45,6 +45,19 @@ if ! ipset list -n|command grep -q "$IPSET_BLACKLIST_NAME"; then
 fi
 fi
 
+# drop rule if it isn't in a first position
+if [ `iptables -L INPUT --line-num|command grep "match-set $IPSET_BLACKLIST_NAME" | cut -f1 -d" "` != "1" ]; then
+if [[ ${FORCE:-no} != yes ]]; then
+echo >&2 "Error: iptables need to drop ipset INPUT rule, drop it using:"
+echo >&2 "# iptables -D INPUT -m set --match-set $IPSET_BLACKLIST_NAME src -j DROP"
+exit 1
+fi
+if ! iptables -D INPUT -m set --match-set "$IPSET_BLACKLIST_NAME" src -j DROP; then
+echo >&2 "Error: while dropping the --match-set ipset rule from iptables"
+exit 1
+fi
+fi
+
 # create the iptables binding if needed (or abort if does not exists and FORCE=no)
 if ! iptables -vL INPUT|command grep -q "match-set $IPSET_BLACKLIST_NAME"; then
 # we may also have assumed that INPUT rule n°1 is about packets statistics (traffic monitoring)
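Review bot: The position test in the first added `if` misbehaves when the blacklist rule is absent (every first run) or present more than once: the backtick substitution is unquoted, so an empty result leaves `[ != "1" ]` (a "unary operator expected" error that is treated as false) and two matching rules produce a multi-word argument list. Quote it and handle the empty case explicitly, e.g. `rule_pos=$(iptables -nL INPUT --line-numbers | command grep "match-set $IPSET_BLACKLIST_NAME " | cut -f1 -d" " | head -n1)` followed by `if [ -n "$rule_pos" ] && [ "$rule_pos" != "1" ]; then`. Adding `-n` also avoids a reverse DNS lookup per rule on every run, and the trailing space after the set name in the grep pattern stops a differently named set that shares the prefix from matching — the unchanged check at the end of the hunk has the same prefix-match issue. With FORCE=yes the rule is deleted here but only re-created further down, outside the hunk, so the blacklist is briefly not enforced; inserting the new rule at position 1 first and then deleting the old one (now one position lower) would close that gap.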