diff --git a/bcp38.iptables.v4 b/bcp38.iptables.v4
index 07ea7e8..5bf028f 100644
--- a/bcp38.iptables.v4
+++ b/bcp38.iptables.v4
@@ -15,10 +15,6 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :VYATTA_CT_PREROUTING_HOOK - [0:0]
 -A PREROUTING -j NOTRACK
-{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if salt['pillar.get']('interfaces:'+iface_name+':netflow') %}
--A PREROUTING -i {{ iface_name }} -j NFLOG --nflog-group 2 --nflog-range 64 --nflog-threshold 10
--A VYATTA_CT_PREROUTING_HOOK -i {{ iface_name }} -j NFLOG --nflog-group 2 --nflog-range 64 --nflog-threshold 10
-{% endif %}{% endfor %}
 COMMIT
 *nat
@@ -30,8 +26,14 @@ COMMIT
 *mangle
 :PREROUTING ACCEPT [0:0]
+{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if salt['pillar.get']('interfaces:'+iface_name+':netflow') %}
+-A PREROUTING -i {{ iface_name }} -j NFLOG --nflog-group 2 --nflog-range 64 --nflog-threshold 10
+{% endif %}{% endfor %}
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
+{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if salt['pillar.get']('interfaces:'+iface_name+':netflow') %}
+-A POSTROUTING -o {{ iface_name }} -j NFLOG --nflog-group 2 --nflog-range 64 --nflog-threshold 10
+{% endif %}{% endfor %}
 COMMIT
diff --git a/bcp38.iptables.v6 b/bcp38.iptables.v6
index 861254d..047b6fa 100644
--- a/bcp38.iptables.v6
+++ b/bcp38.iptables.v6
@@ -15,10 +15,6 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :VYATTA_CT_PREROUTING_HOOK - [0:0]
 -A PREROUTING -j NOTRACK
-{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if salt['pillar.get']('interfaces:'+iface_name+':netflow') %}
--A PREROUTING -i {{ iface_name }} -j NFLOG --nflog-group 2 --nflog-range 64 --nflog-threshold 10
--A VYATTA_CT_PREROUTING_HOOK -i {{ iface_name }} -j NFLOG --nflog-group 2 --nflog-range 64 --nflog-threshold 10
-{% endif %}{% endfor %}
 COMMIT
 *nat
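Review bot: The two new loops in the v4 mangle hunk copy a forwarded packet to nflog-group 2 twice whenever both its ingress and egress interface have `netflow` set, once from `-A PREROUTING -i {{ iface_name }}` and once from `-A POSTROUTING -o {{ iface_name }}`, whereas the rules removed from the raw table only sampled ingress; unless the group 2 consumer deduplicates, flow counts change, so either keep a single loop or state the intent above the first `{% for %}` with `# ingress and egress are both sampled; the collector must merge them`. The `-A PREROUTING` block is also emitted between the `:PREROUTING` and `:INPUT` chain declarations; iptables-save output always lists every `:CHAIN` line before the first rule, so placing both blocks after `:POSTROUTING ACCEPT [0:0]` keeps the file in the shape iptables-restore is known to accept (I have not verified that the interleaved form fails). `{{ iface_name }}` is interpolated unquoted from `pillar['netbox']['interfaces']` into a rule line, so a key containing whitespace or a leading `-` would be parsed as additional iptables-restore arguments; restricting the name to a strict character whitelist, in the template or where that pillar is generated, would close this. The identical hunks in bcp38.iptables.v6 share all three points.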
@@ -30,8 +26,14 @@ COMMIT
 *mangle
 :PREROUTING ACCEPT [0:0]
+{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if salt['pillar.get']('interfaces:'+iface_name+':netflow') %}
+-A PREROUTING -i {{ iface_name }} -j NFLOG --nflog-group 2 --nflog-range 64 --nflog-threshold 10
+{% endif %}{% endfor %}
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
+{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if salt['pillar.get']('interfaces:'+iface_name+':netflow') %}
+-A POSTROUTING -o {{ iface_name }} -j NFLOG --nflog-group 2 --nflog-range 64 --nflog-threshold 10
+{% endif %}{% endfor %}
 COMMIT