diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
index 4913f27bb80..d7349c15261 100644
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
@@ -289,12 +289,12 @@ class CsIP:
 self.fw.append(["mangle", "", "-A VPN_%s -m state --state RELATED,ESTABLISHED -j ACCEPT" % self.address['public_ip']])
 self.fw.append(["mangle", "",
- "-A VPN_%s RETURN" % self.address['public_ip']])
+ "-A VPN_%s -j RETURN" % self.address['public_ip']])
 self.fw.append(["mangle", "front",
- "-A POSTROUTING",
+ "-A POSTROUTING " +
 "-p udp -m udp --dport 68 -j CHECKSUM --checksum-fill"])
 self.fw.append(["nat", "",
- "-A POSTROUTING -o eth2 -j SNAT --to-source 10.0.2.102" % self.address['public_ip']])
+ "-A POSTROUTING -o eth2 -j SNAT --to-source %s" % self.address['public_ip']])
 self.fw.append(["filter", "", "-A INPUT -d 224.0.0.18/32 -j ACCEPT"])
 self.fw.append(["filter", "", "-A INPUT -d 225.0.0.50/32 -j ACCEPT"])
@@ -332,8 +332,7 @@ class CsIP:
 self.fw_router()
 self.fw_vpcrouter()
 # On deletion nw_type will no longer be known
- if (self.get_type() in ["guest"] and self.config.is_vpc()) or \
- (self.get_type() in ['public'] and not self.config.is_vpc()):
+ if self.get_type() in ["guest"] and self.config.is_vpc():
 devChain = self.config.get_ingress_chain(self.dev, self.address['public_ip'])
 CsDevice(self.dev, self.config).configure_rp()
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
index 97f47f8c059..6a546a4fbf5 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
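Review bot: The SNAT rule on the new side still hard-codes `-o eth2` while the source address now comes from `self.address['public_ip']`; if that address lives on another device (this class tracks one in `self.dev`, used in the second hunk), the rule binds to the wrong interface, and with several public IPs on eth2 each append adds an unrestricted `-A POSTROUTING -o eth2 -j SNAT`, so only the first rule ever matches and the later addresses are never used as source. Consider `"-A POSTROUTING -o %s -j SNAT --to-source %s" % (self.dev, self.address['public_ip'])`, or if eth2 is guaranteed to be the sole public device on a non-VPC router, a comment saying so next to the rule. The enclosing method starts before the hunk and its remaining rules are not visible here.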
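Review bot: The narrowed condition in the second hunk (`if self.get_type() in ["guest"] and self.config.is_vpc():`) silently drops the `configure_rp()` call and the ingress-chain lookup for public interfaces on non-VPC routers, and neither the hunk nor the surviving comment `# On deletion nw_type will no longer be known` says why. If `configure_rp()` is what installs reverse-path (anti-spoofing) filtering on the device, non-VPC routers now lose it on their public interface, which is a behaviour change worth stating explicitly, e.g. `# Ingress chain and rp_filter are only configured for VPC guest interfaces; non-VPC public interfaces are intentionally skipped here` — adjusting the wording to whatever is actually the intent. The method starts and ends outside the hunk, so where non-VPC handling now lives cannot be confirmed from this view.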
@@ -122,11 +122,17 @@ class CsNetfilters(object): # Ensure all inbound chains have a default drop rule if c.startswith("ACL_INBOUND"): list.append(["filter", "", "-A %s -j DROP" % c]) + # PASS 1: Ensure all chains are present for fw in list: new_rule = CsNetfilter() new_rule.parse(fw[2]) new_rule.set_table(fw[0]) self.add_chain(new_rule) + # PASS 2: Create rules + for fw in list: + new_rule = CsNetfilter() + new_rule.parse(fw[2]) + new_rule.set_table(fw[0]) if self.has_rule(new_rule): logging.debug("rule %s exists in table %s", fw[2], new_rule.get_table()) else:
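Review bot: PASS 2 rebuilds and re-parses every `CsNetfilter` object that PASS 1 just built from the same `list`, so each rule string is parsed twice and the two loops can drift apart if one is edited later. Parsing once into a list of (entry, rule) pairs and iterating it in both passes keeps the chains-before-rules ordering the commit introduces while removing the duplicated construction; this assumes `add_chain()` does not mutate the rule object in a way `has_rule()` depends on, which the hunk does not show. The local named `list` shadows the builtin, but it is declared before the hunk and so is out of scope here. The second loop's body continues past the end of the hunk.
```python
        # Parse each entry once; both passes below iterate the same rule objects.
        parsed = []
        for fw in list:
            new_rule = CsNetfilter()
            new_rule.parse(fw[2])
            new_rule.set_table(fw[0])
            parsed.append((fw, new_rule))
        # PASS 1: Ensure all chains are present
        for fw, new_rule in parsed:
            self.add_chain(new_rule)
        # PASS 2: Create rules
        for fw, new_rule in parsed:
            if self.has_rule(new_rule):
                # … unchanged: debug log and the else branch that adds the rule …
```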