diff --git a/common/iptables b/common/iptables
new file mode 100644
index 0000000..b2100ba
--- /dev/null
+++ b/common/iptables
@@ -0,0 +1,27 @@
+# Generated by iptables-save v1.4.5 on Mon Sep 6 08:57:46 2010
+*nat
+:PREROUTING ACCEPT [85:5912]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PR-QBS - [0:0]
+-A PREROUTING -j PR-QBS
+-A POSTROUTING -o vif+ -j ACCEPT
+-A POSTROUTING -j MASQUERADE
+COMMIT
+# Completed on Mon Sep 6 08:57:46 2010
+# Generated by iptables-save v1.4.5 on Mon Sep 6 08:57:46 2010
+*filter
+:INPUT ACCEPT [168:11399]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [128:12536]
+-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -i vif+ -o vif+ -j DROP
+-A FORWARD -i vif+ -j ACCEPT
+-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -j DROP
+COMMIT
+# Completed on Mon Sep 6 08:57:46 2010
diff --git a/common/qubes_setup_dnat_to_ns b/common/qubes_setup_dnat_to_ns
index 67a1b90..aa95186 100755
--- a/common/qubes_setup_dnat_to_ns
+++ b/common/qubes_setup_dnat_to_ns
@@ -3,16 +3,16 @@ addrule() {
 if [ $FIRSTONE = yes ] ; then
 FIRSTONE=no
- RULE1="-A PREROUTING -d $NS1 -p udp --dport 53 -j DNAT --to $1"
+ RULE1="-A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $1"
 else
- RULE2="-A PREROUTING -d $NS2 -p udp --dport 53 -j DNAT --to $1"
+ RULE2="-A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $1"
 NS=$NS2
 fi
 }
 export PATH=$PATH:/sbin:/bin
 source /var/run/qubes/qubes_ns
 if [ "X"$NS1 = "X" ] ; then exit ; fi
-iptables -t nat -F PREROUTING
+iptables -t nat -F PR-QBS
 FIRSTONE=yes
 grep ^nameserver /etc/resolv.conf | head -2 | (
diff --git a/netvm/iptables b/netvm/iptables
deleted file mode 100644
index 3d01ee2..0000000
--- a/netvm/iptables
+++ /dev/null
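Review bot: `-A INPUT -p icmp -j ACCEPT` comes before the `-i lo` rule and carries no `--icmp-type`, so every ICMP type from every interface — the uplink and the downstream `vif+` VMs alike — is delivered to the NetVM's own stack. ICMP errors belonging to existing flows are already admitted by the preceding `RELATED,ESTABLISHED` rule, so this can be narrowed to `-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT` if ping is the only thing wanted, or removed. Separately, `-A FORWARD -i vif+ -j ACCEPT` forwards whatever source address a downstream VM chooses to emit; the per-vif addresses are not in this static file, so presumably an anti-spoofing check (a `-s` match per vif, or rp_filter) is installed when each vif comes up — worth confirming. The unqualified `-A POSTROUTING -j MASQUERADE` also rewrites traffic leaving on any interface except `vif+`; if only the uplink should be masqueraded, name it with `-o`.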
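Review bot: `iptables -t nat -F PR-QBS` now flushes a user-defined chain that exists only if the saved ruleset in common/iptables has been restored, whereas the built-in `PREROUTING` it replaces always exists; if the chain is missing the flush fails, the script carries on, and the `-A PR-QBS` rules built in `addrule` (presumably applied after the `grep ... | (` subshell this hunk ends inside) fail the same way, leaving AppVM DNS unredirected with no error surfaced. Fail loudly instead, `iptables -t nat -F PR-QBS || { echo "qubes_setup_dnat_to_ns: PR-QBS chain missing" >&2; exit 1; }` — creating the chain with `-N` here would not help on its own, since the `PREROUTING -j PR-QBS` jump also comes from the saved ruleset. The rebuilt RULE1/RULE2 still match only `-p udp --dport 53`, so DNS over TCP to $NS1/$NS2 is not redirected; pre-existing, but a matching `-p tcp` pair belongs in the same chain now it is being reworked. `[ $FIRSTONE = yes ]` and `[ "X"$NS1 = "X" ]` leave the variables unquoted; `[ "$FIRSTONE" = yes ]` and `[ -z "$NS1" ]` are the conventional forms.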
@@ -1,22 +0,0 @@
-# Generated by iptables-save v1.4.5 on Fri Jun 4 07:17:12 2010
-*nat
-:PREROUTING ACCEPT [8:818]
-:POSTROUTING ACCEPT [1:84]
-:OUTPUT ACCEPT [0:0]
--A POSTROUTING -o br+ -j ACCEPT
--A POSTROUTING -j MASQUERADE
-COMMIT
-# Completed on Fri Jun 4 07:17:12 2010
-# Generated by iptables-save v1.4.5 on Fri Jun 4 07:17:12 2010
-*filter
-:INPUT ACCEPT [168:4704]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -i br+ -p udp -m udp --dport 68 -j DROP
--A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
--A FORWARD -i vif+ -j ACCEPT
--A FORWARD -i br+ -j ACCEPT
--A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
--A FORWARD -j DROP
-COMMIT
-# Completed on Fri Jun 4 07:17:12 2010
diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec
index 5d130e1..6ac0246 100644
--- a/rpm_spec/core-netvm.spec
+++ b/rpm_spec/core-netvm.spec
@@ -53,7 +53,7 @@ fi
 %install
 mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
-cp iptables $RPM_BUILD_ROOT/etc/sysconfig
+cp ../common/iptables $RPM_BUILD_ROOT/etc/sysconfig
 mkdir -p $RPM_BUILD_ROOT/etc
 cp fstab $RPM_BUILD_ROOT/etc/fstab
 mkdir -p $RPM_BUILD_ROOT/etc/init.d