diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index 504eb2f..78d467b 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@@ -88,25 +88,16 @@ in
 let
 inherit (upstreamInterfaces.${net}.upstream) staticIpv4Address;
 in lib.optionalString (staticIpv4Address != null) ''
- iptables -w -t nat -A nixos-nat-post \
- --source 172.20.0.0/14 \
+ iptables -w -t nat -I nixos-nat-post \
+ -i core \
 --dest ${staticIpv4Address}/32 \
 -j nixos-nat-post-forward
 '') (builtins.attrNames upstreamInterfaces)}
- ${lib.concatMapStringsSep "\n" ({ proto, destination, sourcePort, ... }:
- let
- ds = builtins.split ":" destination;
- port =
- if builtins.length ds == 3
- then lib.elemAt ds 2
- else if builtins.length ds == 1
- then toString sourcePort
- else throw "Too many colons in a forwardPorts destination";
- in ''
- iptables -t nat -A nixos-nat-post-forward \
- -p ${proto} --dport ${port} \
- -j SNAT --to-source ${config.site.net.core.hosts4.${hostName}}
+ ${lib.concatMapStringsSep "\n" ({ proto, sourcePort, ... }: ''
+ iptables -t nat -A nixos-nat-post-forward \
+ -p ${proto} --dport ${toString sourcePort} \
+ -j SNAT --to-source ${config.site.net.core.hosts4.${hostName}}
 '') hostConf.forwardPorts}
 '';
 extraStopCommands =
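Review bot: The SNAT rule in `nixos-nat-post-forward` now matches `--dport ${toString sourcePort}`, but the removed code took the port from `destination` when it had the `addr:port` form, which suggests this chain sees packets after DNAT; if so, any `forwardPorts` entry that remaps the port no longer matches and those flows leave without the SNAT to the host's core address. Either keep deriving the port from `destination` when one is given, or add an assertion that no entry remaps ports, so the mismatch fails at evaluation time rather than silently at runtime. Separately, `-i core` replaces `--source 172.20.0.0/14` on a chain whose name suggests it hangs off POSTROUTING, where input-interface matching depends on the kernel and iptables version in use, so it is worth confirming from the packet counters in `iptables -t nat -L nixos-nat-post -v -n` that the rule actually matches, and adding a comment on why the source-range restriction was dropped. The enclosing attribute definition starts and ends outside the hunk.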