diff --git a/hardware-configuration.nix b/hardware-configuration.nix
index 2e85aa0..cc00c49 100644
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@@ -29,6 +29,8 @@
 boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+ boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
+
 swapDevices = [ { device = "/dev/disk/by-uuid/7e34cdc3-bd48-435a-8ea2-e1fe43926262"; } ];
diff --git a/networking.nix b/networking.nix
index 5e558ed..638dc65 100644
--- a/networking.nix
+++ b/networking.nix
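Review bot: `boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;` turns the host into a router for every interface, and it is placed in hardware-configuration.nix, a file nixos-generate-config regenerates, so the line is lost the next time that runs and the nftables forward chain in networking.nix that it pairs with quietly becomes dead configuration. The setting belongs next to that ruleset in networking.nix with a comment stating why it exists, e.g. `# Route between the incus bridges and enp4s0; the nftables forward chain decides what may pass.`. The `conf.all` key also enables forwarding on enp4s0 and any interface added later, not only the bridges; if that is intended, the comment should say so. Whether this line is safe depends on the forward filter actually being installed: in the visible part of the networking.nix hunk `nftables.enable = true;` leaves with the removed block and is not re-added, so confirm it is set elsewhere, otherwise forwarding is on with no forward chain at all.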
@@ -5,42 +5,33 @@
 hostName = "Stormwind";
 networkmanager.enable = false;
- nftables = {
- enable = true;
- ruleset = ''
- table ip nat {
- chain PREROUTING {
- type nat hook prerouting priority dstnat; policy accept;
- iifname "enp4s0" tcp dport 8123 dnat to 10.46.32.153:8123
- iifname "enp4s0" tcp dport 80 dnat to 10.46.32.2:80
- iifname "enp4s0" tcp dport 443 dnat to 10.46.32.2:443
- iifname "enp4s0" tcp dport 20 dnat to 10.46.32.2:20
- iifname "enp4s0" tcp dport 21 dnat to 10.46.32.2:21
- iifname "enp4s0" tcp dport 22 dnat to 10.46.32.2:22
- iifname "enp4s0" tcp dport 2223 dnat to 10.46.32.2:2223
- iifname "enp4s0" tcp dport 990 dnat to 10.46.32.2:990
- iifname "enp4s0" tcp dport 989 dnat to 10.46.32.2:989
- iifname "enp4s0" tcp dport 445 dnat to 10.46.32.2:445
- iifname "enp4s0" tcp dport 111 dnat to 10.46.32.2:111
- iifname "enp4s0" udp dport 111 dnat to 10.46.32.2:111
- iifname "enp4s0" tcp dport 2049 dnat to 10.46.32.2:2049
- iifname "enp4s0" udp dport 2049 dnat to 10.46.32.2:2049
- iifname "enp4s0" tcp dport 32765 dnat to 10.46.32.2:32765
- iifname "enp4s0" udp dport 32765 dnat to 10.46.32.2:32765
- iifname "enp4s0" tcp dport 32768 dnat to 10.46.32.2:32768
- iifname "enp4s0" udp dport 32768 dnat to 10.46.32.2:32768
- iifname "enp4s0" tcp dport 20048 dnat to 10.46.32.2:20048
- iifname "enp4s0" udp dport 20048 dnat to 10.46.32.2:20048
- }
- }
- '';
- };
 firewall = {
 allowedTCPPorts = [ 80 443 8123 20 21 22 2223 990 989 445 111 2049 32765 32768 20048 ];
 allowedUDPPorts = [ 111 2049 20048 32765 32768 ];
+ trustedInterfaces = [ "incusbr0" ];
 };
+ # here’s the custom nftables filter ruleset for forwarded traffic:
+ nftables.ruleset = ''
+ table ip filter {
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ # allow established/related replies
+ ct state established,related accept
+
+ # allow new+established VM→Internet
+ iifname "incusbr0" oifname "enp4s0" ct state new,established accept
+ iifname "incusbr1" oifname "enp4s0" ct state new,established accept
+
+ # allow natted replies
+ iifname "enp4s0" oifname "incusbr0" tcp dport 8123 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 80 ct state new,established accept
+ iifname "enp4s0" oifname "incusbr0" tcp dport 443 ct state new,established accept
+ }
+ }
+ '';
+ bridges = { incusbr0 = { interfaces = [];