Put the prometheus rules at the end of the template, so that they not interfere with other rules.

iptables/templates/iptables-rules.v4.j2

@@ -206,17 +206,6 @@
 -A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
 -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
 {% endif %}
-# Prometheus exporters
-{% if prometheus_enabled is defined and prometheus_enabled %}
-{% if prometheus_servers_ip is defined %}
-{% for ip in prometheus_servers_ip %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9300 -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j REJECT --reject-with icmp-host-prohibited
-{% else %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j ACCEPT
-{% endif %}
-{% endif %}
 # Ganglia
 {% if ganglia_enabled is defined and ganglia_enabled %}
 {% if ganglia_gmond_cluster_port is defined %}
@@ -323,6 +312,17 @@
 {% endif %}
 # End of the custom rules
 {% endif %}
+# Prometheus exporters
+{% if prometheus_enabled is defined and prometheus_enabled %}
+{% if prometheus_servers_ip is defined %}
+{% for ip in prometheus_servers_ip %}
+-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9300 -j ACCEPT
+{% endfor %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j REJECT --reject-with icmp-host-prohibited
+{% else %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j ACCEPT
+{% endif %}
+{% endif %}
 {% if keepalived_enabled is defined and keepalived_enabled %}
 -A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
 -A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT