diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index 8461e70..322cb53 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@@ -53,7 +53,6 @@ in
     extraCommands =
       builtins.concatStringsSep "\n" (
         map (net: ''
-          ip6tables -t nat -X ${net}_nat || true
           ip6tables -t nat -N ${net}_nat
           ${builtins.concatStringsSep "\n" (
             map (subnet: ''
@@ -69,6 +68,13 @@ in
             -j ${net}_nat
         '') (builtins.attrNames upstreamInterfaces)
       );
+    extraStopCommands =
+      builtins.concatStringsSep "\n" (
+        map (net: ''
+          ip6tables -t nat -F POSTROUTING
+          ip6tables -t nat -X ${net}_nat
+        '') (builtins.attrNames upstreamInterfaces)
+      );
     inherit (hostConf) forwardPorts;
   };
 }