diff --git a/hosts/phoenix.lewd.wtf/networking.nix b/hosts/phoenix.lewd.wtf/networking.nix
index 553c687..5de44db 100644
--- a/hosts/phoenix.lewd.wtf/networking.nix
+++ b/hosts/phoenix.lewd.wtf/networking.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 {
 networking.useDHCP = false;
 networking.bridges = {
@@ -43,20 +43,20 @@
 "ip rule add from 192.168.100.0/24 table 2"
 "ip rule add from 192.168.5.0/24 table 2"
 # NAT
- "iptables -I POSTROUTING -t nat -o wg0 -j MASQUERADE"
+ "${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o wg0 -j MASQUERADE"
 # Port forwarding
- "iptables -A PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
- ];
- postShutdown = [
- # Force traffic from container networks through wg0
- "ip rule del from 192.168.100.0/24 table 2"
- "ip rule del from 192.168.5.0/24 table 2"
- "ip route del table 2 default dev wg0"
- # NAT
- "iptables -D POSTROUTING -t nat -o wg0 -j MASQUERADE"
- # Port forwarding
- "iptables -D PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
+ "${pkgs.iptables}/bin/iptables -A PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
 ];
 };
 };
+ systemd.services.wireguard-wg0.preStop =
+ # Force traffic from container networks through wg0
+ "ip rule del from 192.168.100.0/24 table 2" +
+ "ip rule del from 192.168.5.0/24 table 2" +
+ "ip route del table 2 default dev wg0" +
+ # NAT
+ "${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o wg0 -j MASQUERADE" +
+ # Port Forwarding
+ "${pkgs.iptables}/bin/iptables -D PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506" +
+ ;
 }
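Review bot: The `preStop` expression at the end of the second hunk ends with a `+` directly before the closing `;`, which Nix should reject when parsing, and even with that removed the literals are joined with no newline or `;` between commands, giving one run-together line (`... table 2ip rule del from ...`). The teardown would then not run as intended, leaving the `ip rule` entries and the MASQUERADE and DNAT (port 51506 to 192.168.100.11) rules in place after wg0 stops; because start-up uses `-I`/`-A`, each restart would presumably add a duplicate. An indented `''` string with one command per line fixes both, as below. The `ip` calls still rely on the unit's PATH while `iptables` is now pinned to `${pkgs.iptables}`, so confirm `ip` resolves in this unit or pin it the same way.

```nix
  systemd.services.wireguard-wg0.preStop = ''
    # Force traffic from container networks through wg0
    ip rule del from 192.168.100.0/24 table 2
    ip rule del from 192.168.5.0/24 table 2
    ip route del table 2 default dev wg0
    # NAT
    ${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o wg0 -j MASQUERADE
    # Port forwarding
    ${pkgs.iptables}/bin/iptables -D PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506
  '';
```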