diff --git a/templates/iptables.j2 b/templates/iptables.j2
index 0dc024a..127cf42 100644
--- a/templates/iptables.j2
+++ b/templates/iptables.j2
@@ -8,10 +8,10 @@
 -A INPUT -i lo -j ACCEPT
 {% for service in firewall_services %}
-{% if service.state != "absent" %}
+{% if (service.state | default("present")) != "absent" %}
 -A INPUT -m state --state NEW {% if service.protocol is defined %}{% if service.protocol == "tcp" %}-m tcp{% endif %}{% endif %} -p {{ service.protocol | default ('tcp') }} --dport {{ service.name }} -j ACCEPT
-{% endfor %}
 {% endif %}
+{% endfor %}
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
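Review bot: The new `default("present")` on the state check makes a `firewall_services` entry that omits `state` open its port, and nothing in the template records that this is the intended default-open behaviour; a Jinja comment just above the loop, `{# entries without an explicit state are treated as present and get an ACCEPT rule #}`, would keep the next maintainer from assuming omission means "not managed". The same line also handles absent keys differently from the rule line that follows it: `state` falls back via `default(...)`, while `protocol` is tested with `is defined` for the `-m tcp` match but falls back to `tcp` for `-p`, so an entry with no `protocol` emits `-p tcp` without the matching `-m tcp`. Aligning the two to `{% if (service.protocol | default('tcp')) == "tcp" %}-m tcp{% endif %}` makes the defaults consistent. Two context lines of the original hunk (likely blank lines) are not recoverable from the collapsed text.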