diff --git a/roles/pxeserver/templates/rules.v4 b/roles/pxeserver/templates/rules.v4
index b34e479..fd74fb3 100644
--- a/roles/pxeserver/templates/rules.v4
+++ b/roles/pxeserver/templates/rules.v4
@@ -1,7 +1,7 @@
 *filter
-:INPUT DROP [2:72]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [8441:830478]
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p icmp -m state --state NEW -j ACCEPT
 -A INPUT ! -i {{ lan_iface }} -m state --state NEW -j ACCEPT
@@ -20,11 +20,14 @@
 -A INPUT -i {{ lan_iface }} -p tcp -m state --state NEW -m tcp --dport 4048 -j ACCEPT
 -A INPUT -i {{ lan_iface }} -p udp -m state --state NEW -m udp --dport 4048 -j ACCEPT
 -A FORWARD -i {{ lan_iface }} -o {{ lan_iface }} -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i {{ lan_iface }} -o {{ lan_iface }} -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -i {{ lan_iface }} -j ACCEPT
 COMMIT
 *nat
-:PREROUTING ACCEPT [72:10770]
-:INPUT ACCEPT [68:10030]
-:OUTPUT ACCEPT [39:2999]
-:POSTROUTING ACCEPT [1:84]
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
 -A POSTROUTING -o {{ wan_iface }} -j MASQUERADE
 COMMIT
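Review bot: The `INPUT DROP` policy in the first hunk (`@@ -1,7 +1,7 @@`) is effectively bypassed on every non-LAN interface by the unchanged rule `-A INPUT ! -i {{ lan_iface }} -m state --state NEW -j ACCEPT`, which accepts any new inbound connection that does not arrive on the LAN side, including on `{{ wan_iface }}`. Since this commit tightens FORWARD to DROP, it would be consistent to narrow that rule as well, for example to `-A INPUT -i lo -j ACCEPT` plus explicit per-port rules for the upstream side. If the upstream network is deliberately trusted, a comment above the rule such as `# non-LAN interfaces are trusted: accept all new inbound connections` would record that decision. The rest of the INPUT chain lies outside this hunk, so later rules may change the picture.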
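Review bot: The added `-A FORWARD -i {{ lan_iface }} -o {{ lan_iface }} -j REJECT --reject-with icmp-port-unreachable` in the second hunk (`@@ -20,11 +20,14 @@`) repeats the unchanged rule directly above it, so the second copy can never match and one of the two should be dropped. The new `-A FORWARD -i {{ lan_iface }} -j ACCEPT` also names no output interface, so under the new DROP policy it is the only gate for new flows and it lets LAN clients be forwarded out of any other interface on the host. The nat table masquerades only on `{{ wan_iface }}`, so I would scope the rule the same way: `-A FORWARD -i {{ lan_iface }} -o {{ wan_iface }} -j ACCEPT`. Whether the host has further interfaces is not visible here, so this is worth confirming against the inventory.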