diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index b0141dc..270c49a 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@@ -102,20 +102,14 @@ in
       # Provide IPv6 upstream for everyone, using NAT66 when not from
       # our static prefixes
-      ${lib.concatMapStringsSep "\n" (net: ''
-        ip6tables -t nat -N ${net}_nat || \
-          ip6tables -t nat -F ${net}_nat
-        ${lib.concatMapStringsSep "\n" (subnet: ''
-          ip6tables -t nat -A ${net}_nat \
-            -s ${subnet} \
-            -j RETURN
-        '') upstreamInterfaces.${net}.upstream.noNat.subnets6}
-        ip6tables -t nat -A ${net}_nat -j MASQUERADE
-
-        ip6tables -t nat -A POSTROUTING \
-          -o ${net} \
-          -j ${net}_nat
-      '') (builtins.attrNames upstreamInterfaces)}
+      ${lib.concatMapStringsSep "\n" (net:
+        lib.concatMapStrings (subnet: ''
+          ip6tables -t nat -I nixos-nat-post \
+            -o ${net} \
+            -s ${subnet} \
+            -j RETURN
+        '') upstreamInterfaces.${net}.upstream.noNat.subnets6
+      ) (builtins.attrNames upstreamInterfaces)}
     '';
     extraStopCommands = ''
       iptables -F FORWARD 2>/dev/null || true
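Review bot: The RETURN rules now depend on a `nixos-nat-post` chain and a MASQUERADE rule that this hunk no longer creates, so if the NixOS NAT module is not active for IPv6 (or its masquerade rule does not sit in that chain after these inserts) the `ip6tables -t nat -I nixos-nat-post` call fails and the NAT66 exemption for the static prefixes is silently absent. The comment kept above the block still describes the old self-contained behaviour; I would reword it to state the new contract, e.g. `# Exempt our static prefixes from NAT66; the MASQUERADE itself is expected from the NixOS NAT module (networking.nat.enableIPv6) in its nixos-nat-post chain`. An assertion on that option, or at least a `-C` check before the `-I` so repeated runs without the module's flush do not stack duplicate rules, would make the dependency explicit rather than a runtime failure; I cannot see from this hunk how extraCommands is ordered relative to the NAT module's own flush and setup. The enclosing `extraCommands` string starts before the hunk and `extraStopCommands` continues past it.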