diff --git a/iptables.init b/iptables.init
index 73f0de3..dc0e3ec 100755
--- a/iptables.init
+++ b/iptables.init
@@ -217,9 +217,14 @@ stop() {
 # Do not stop if iptables module is not loaded.
 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
 
- flush_n_delete
+ # Set default chain policy to ACCEPT, in order to not break shutdown
+ # on systems where the default policy is DROP and root device is
+ # network-based (i.e.: iSCSI, NFS)
 set_policy ACCEPT
 
+ # And then, flush the rules and delete chains
+ flush_n_delete
+
 if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
 echo -n $"${IPTABLES}: Unloading modules: "
 ret=0
diff --git a/iptables.spec b/iptables.spec
index 0d52c4c..f1ddc7f 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -25,7 +25,7 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.4.21
-Release: 1%{?dist}
+Release: 2%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -301,6 +301,10 @@ fi
 
 
 %changelog
+* Thu Jan 9 2014 Thomas Woerner 1.4.21-2
+- fixed system hang at shutdown if root device is network based (RHBZ#1007934)
+ Thanks to Rodrigo A B Freire for the patch
+
 * Thu Jan 9 2014 Thomas Woerner 1.4.21-1
 - no connlabel.conf upstream anymore
 - new version 1.4.21
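Review bot: The comment added in stop() in the iptables.init hunk explains why the order changed but not the side effect an operator should know about: once `set_policy ACCEPT` and `flush_n_delete` have run, a host that normally runs default-DROP has ACCEPT policies and no rules for the rest of the stop or shutdown sequence. I would state that in the comment, for example `# NOTE: this leaves the host unfiltered (policy ACCEPT, no rules) until networking is down`, and write `e.g.` instead of `i.e.:` since iSCSI and NFS are examples. Whether `set_policy` resets every table that `flush_n_delete` touches is not visible here and is worth confirming, because a table left at DROP would presumably still cut off a network-based root once its rules are flushed. stop() begins and ends outside the hunk.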