diff --git a/Dockerfile b/Dockerfile
index 2231d09d..7a7960e6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,6 +28,7 @@ RUN \
     libcap-utils \
     libqrencode-tools \
     net-tools \
+    nftables \
     openresolv \
     wireguard-tools==${WIREGUARD_RELEASE} && \
   echo "wireguard" >> /etc/modules && \
diff --git a/root/defaults/server.conf b/root/defaults/server.conf
index 757682d6..9fe5feab 100644
--- a/root/defaults/server.conf
+++ b/root/defaults/server.conf
@@ -2,5 +2,5 @@
 Address = ${INTERFACE}.1
 ListenPort = 51820
 PrivateKey = $(cat /config/server/privatekey-server)
-PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
-PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
+PostUp = iptables-nft -A FORWARD -i %i -j ACCEPT; iptables-nft -A FORWARD -o %i -j ACCEPT; iptables-nft -t nat -A POSTROUTING -o eth+ -j MASQUERADE
+PostDown = iptables-nft -D FORWARD -i %i -j ACCEPT; iptables-nft -D FORWARD -o %i -j ACCEPT; iptables-nft -t nat -D POSTROUTING -o eth+ -j MASQUERADE