diff --git a/deploy/scripts/gateway-entrypoint.sh b/deploy/scripts/gateway-entrypoint.sh
index a48e96b..4c0ff37 100644
--- a/deploy/scripts/gateway-entrypoint.sh
+++ b/deploy/scripts/gateway-entrypoint.sh
@@ -107,8 +107,9 @@ EOF
 echo "table inet nexavpn {"
 echo " chain forward {"
 echo " type filter hook forward priority 0;"
- echo " policy drop;"
+ echo " policy accept;"
 echo " ct state established,related accept"
+ echo " iifname != \"${IFACE}\" accept"
 echo " iifname \"${IFACE}\" ip saddr ${NETWORK_CIDR} oifname \"${UPLINK_IFACE}\" accept"
 jq -c '.peers[]?' "${STATE_JSON}" | while read -r peer; do
@@ -122,6 +123,8 @@ EOF
 done
 done
+ echo " iifname \"${IFACE}\" drop"
+ echo " }"
 if [ "${ENABLE_MASQUERADE}" = "true" ]; then
 echo " chain postrouting {"
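Review bot: Switching the forward chain to `policy accept;` and adding the blanket `iifname != "${IFACE}" accept` means every new connection arriving on any interface other than the tunnel (the uplink included) is now forwarded to any destination, including hosts inside ${NETWORK_CIDR}; before this change only the listed rules could forward. If the intent is only to let the uplink reach non-tunnel destinations, keep the default-deny and name the interface pair explicitly, e.g. keep `echo " policy drop;"` and replace the added rule with `echo " iifname \"${UPLINK_IFACE}\" oifname != \"${IFACE}\" accept"`, so the tunnel network stays reachable from outside only via `ct state established,related`. Note also that the first added line carries the real decision of this commit and the commit message should state why default-accept is needed. The ruleset-generating block (the heredoc ending at EOF) starts before this hunk and the per-peer loop body continues past it.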
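Review bot: The added `echo " }"` closes the forward chain here, but this hunk removes no earlier closing brace; if the chain was previously closed after the masquerade block (outside this hunk), the generated ruleset now has an unbalanced `}` and nft will reject the whole table, and the gateway would come up with no filter at all unless the script aborts on that failure. Please confirm the old close was removed in a hunk not shown, or collapse both into one `echo " }"`. For the new catch-all, `echo " iifname \"${IFACE}\" counter drop"` would make dropped tunnel traffic visible in `nft list ruleset` at no cost, which helps when a peer rule is missing.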