diff --git a/packages/network/iptables/config/public.v4 b/packages/network/iptables/config/public.v4
index 743ebe0171..7872e8d4bd 100644
--- a/packages/network/iptables/config/public.v4
+++ b/packages/network/iptables/config/public.v4
@@ -1,17 +1,4 @@
 # Netfilter rules for public "untrusted" networks
-*mangle
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-COMMIT
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-COMMIT
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
@@ -29,3 +16,16 @@ COMMIT
 -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
 -A DOCKER-USER -j REJECT --reject-with icmp-port-unreachable
 COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
diff --git a/packages/network/iptables/config/public.v6 b/packages/network/iptables/config/public.v6
index 7c56d0757b..bddcccdd44 100644
--- a/packages/network/iptables/config/public.v6
+++ b/packages/network/iptables/config/public.v6
@@ -1,17 +1,4 @@
 # Netfilter Rules for trusted home networks.
-*mangle
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-COMMIT
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-COMMIT
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
@@ -28,3 +15,16 @@ COMMIT
 -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-USER -j REJECT --reject-with icmp6-port-unreachable
 COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
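Review bot: In the second hunk of public.v4 the table order becomes significant, with `*filter` and its DROP policies now committed before the appended `*nat` and `*mangle` sections, but nothing in the file records why. iptables-restore applies each table at its own `COMMIT`, so the intent is presumably that a failure while loading nat or mangle can no longer leave a public-network host without its filter rules. If that is the reason, put it in a comment ahead of `*nat`, for example `# nat and mangle load after filter so the default-DROP policy is already committed if either fails`, so a later tidy-up does not reorder the sections back. The same comment is missing from the second hunk of public.v6. Both added sections only declare ACCEPT policies with no rules, so it is also worth confirming whether the loader uses `--noflush`, since otherwise restoring them clears whatever nat and mangle rules are already installed.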
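Review bot: The header comment left as context at the top of public.v6 reads `# Netfilter Rules for trusted home networks.`, which contradicts the file name and the v4 counterpart's `# Netfilter rules for public "untrusted" networks`. It looks like a copy-paste leftover from another profile. Since this commit already edits the lines directly below it, change it to `# Netfilter rules for public "untrusted" networks (IPv6)` so that anyone auditing the profile is not told this ruleset targets a trusted LAN.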
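Review bot: The unchanged context in the second hunk of public.v6 ends established traffic with `-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`, whereas the matching line in public.v4 uses `-j RETURN`. RETURN hands the packet back to FORWARD so the rules after DOCKER-USER still evaluate it, while ACCEPT is a final verdict that skips them, so the two address families do not enforce the same forwarding policy. If the difference is not deliberate, align v6 with `-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN`; if it is deliberate, add a one-line comment saying why. The rest of the `*filter` section lies outside the hunk, so this should be checked against the full file.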