diff --git a/nix/nixos-module/container/upstream.nix b/nix/nixos-module/container/upstream.nix
index 78d467b..3efad3b 100644
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@@ -60,54 +60,39 @@ in
 extraCommands =
 # Provide IPv6 upstream for everyone, using NAT66 when not from
 # our static prefixes
- builtins.concatStringsSep "\n" (
- map (net: ''
- ip6tables -t nat -N ${net}_nat || \
- ip6tables -t nat -F ${net}_nat
- ${builtins.concatStringsSep "\n" (
- map (subnet: ''
- ip6tables -t nat -A ${net}_nat \
- -s ${subnet} \
- -j RETURN
- '') upstreamInterfaces.${net}.upstream.noNat.subnets6
- )}
- ip6tables -t nat -A ${net}_nat -j MASQUERADE
+ lib.concatMapStringsSep "\n" (net: ''
+ ip6tables -t nat -N ${net}_nat || \
+ ip6tables -t nat -F ${net}_nat
+ ${lib.concatMapStringsSep "\n" (subnet: ''
+ ip6tables -t nat -A ${net}_nat \
+ -s ${subnet} \
+ -j RETURN
+ '') upstreamInterfaces.${net}.upstream.noNat.subnets6}
+ ip6tables -t nat -A ${net}_nat -j MASQUERADE
 
- ip6tables -t nat -A POSTROUTING \
- -o ${net} \
- -j ${net}_nat
- '') (builtins.attrNames upstreamInterfaces)
- ) +
- # Do SNAT on connection attempts so that forwarded ports will
- # work from internal networks.
- ''
- iptables -w -t nat -N nixos-nat-post-forward 2>/dev/null || \
- iptables -w -t nat -F nixos-nat-post-forward
-
- ${lib.concatMapStringsSep "\n" (net:
- let
- inherit (upstreamInterfaces.${net}.upstream) staticIpv4Address;
- in lib.optionalString (staticIpv4Address != null) ''
- iptables -w -t nat -I nixos-nat-post \
- -i core \
- --dest ${staticIpv4Address}/32 \
- -j nixos-nat-post-forward
- '') (builtins.attrNames upstreamInterfaces)}
-
- ${lib.concatMapStringsSep "\n" ({ proto, sourcePort, ... }: ''
- iptables -t nat -A nixos-nat-post-forward \
- -p ${proto} --dport ${toString sourcePort} \
- -j SNAT --to-source ${config.site.net.core.hosts4.${hostName}}
- '') hostConf.forwardPorts}
- '';
+ ip6tables -t nat -A POSTROUTING \
+ -o ${net} \
+ -j ${net}_nat
+ '') (builtins.attrNames upstreamInterfaces);
 extraStopCommands =
- builtins.concatStringsSep "\n" (
- map (net: ''
- ip6tables -t nat -F POSTROUTING 2>/dev/null || true
- ip6tables -t nat -F ${net}_nat 2>/dev/null || true
- ip6tables -t nat -X ${net}_nat 2>/dev/null || true
- '') (builtins.attrNames upstreamInterfaces)
- );
- inherit (hostConf) forwardPorts;
+ lib.concatMapStringsSep "\n" (net: ''
+ ip6tables -t nat -F POSTROUTING 2>/dev/null || true
+ ip6tables -t nat -F ${net}_nat 2>/dev/null || true
+ ip6tables -t nat -X ${net}_nat 2>/dev/null || true
+ '') (builtins.attrNames upstreamInterfaces);
+
+ forwardPorts = map ({ destination, sourcePort, ... }@forwardedPort:
+ forwardedPort // {
+ destination =
+ if builtins.match ".*:.*" destination != null
+ then destination
+ else "${destination}:${toString sourcePort}";
+ loopbackIPs = builtins.filter (ip: ip != null) (
+ map (net:
+ upstreamInterfaces.${net}.upstream.staticIpv4Address
+ ) (builtins.attrNames upstreamInterfaces)
+ );
+ }
+ ) hostConf.forwardPorts;
 };
 }
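Review bot: The new `forwardPorts` mapping at the end of the hunk loses the only explanation of why hairpin SNAT existed (the removed `# Do SNAT on connection attempts so that forwarded ports will work from internal networks.`), and nothing records that `loopbackIPs` is meant to take over that role; add `# NAT reflection: make forwarded ports reachable from internal networks via every upstream static IPv4 address` above the `map`. The `destination` default also deserves a one-line comment, e.g. `# a bare host gets the source port appended; "host:port" is kept as given`, since `builtins.match ".*:.*"` silently rewrites any value without a colon. Presumably this list is handed to `networking.nat.forwardPorts`; if so, the reflection rules generated from `loopbackIPs` are no longer restricted to traffic arriving on `core` the way the removed `-i core` rule was, which widens where hairpin NAT applies and should be confirmed as intended. The enclosing attribute set that holds `extraCommands`, `extraStopCommands` and `forwardPorts` starts outside the hunk.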