diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index 05e0142..082fb66 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@@ -1,4 +1,4 @@
-{ hostName, config, lib, ... }:
+{ hostName, config, lib, pkgs, ... }:
 let
 hostConf = config.site.hosts.${hostName};
@@ -126,6 +126,10 @@ in
 -j RETURN
 '') upstreamInterfaces.${net}.upstream.noNat.subnets6
 ) (builtins.attrNames upstreamInterfaces)}
+
+# There just have been moments without a complete ruleset. Flush
+# out invalid conntrack states!
+${pkgs.conntrack-tools}/bin/conntrack -F
 '';
 extraStopCommands = ''
 iptables -F FORWARD 2>/dev/null || true
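Review bot: The comment on the added `conntrack -F` line understates what it does: `-F` flushes the whole conntrack table, not only "invalid" states, so every established flow through this container (including NATed sessions) loses its state each time these commands run, and only flows whose next packet is still accepted by the fresh ruleset will recover. If the intent is to ensure that connections admitted while the ruleset was incomplete cannot keep bypassing it, say so explicitly, e.g. `# Drop every tracked connection, not just stale ones: flows admitted while the ruleset was incomplete must be re-evaluated against the complete rules.`. It is also worth deciding whether a failure of this command (nf_conntrack not loaded, tool missing) should abort the script or be tolerated; the stop path a few lines below uses `|| true`, whereas here failing loudly may be the safer choice since the flush is part of the security guarantee. The string this line is appended to and the attribute set containing it start outside the hunk.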