diff --git a/src/startup/preload.rs b/src/startup/preload.rs
index efeb7e7..39597a7 100644
--- a/src/startup/preload.rs
+++ b/src/startup/preload.rs
@@ -79,6 +79,13 @@ fn filter(interfaces: &Interfaces) -> String {
 );
 }
 
+ for iface in &interfaces.tunnel {
+ filter += &format!(
+ "-A INPUT -i {tunface} -j ACCEPT\n",
+ tunface = iface.interface,
+ );
+ }
+
 filter += &format!(
 "-A INPUT -s {universe} -d {universe} -j REJECT\n",
 universe = UNIVERSE
@@ -152,6 +159,13 @@ fn filter(interfaces: &Interfaces) -> String {
 );
 }
 
+ for iface in &interfaces.tunnel {
+ filter += &format!(
+ "-A OUTPUT -o {tunface} -j ACCEPT\n",
+ tunface = iface.interface,
+ );
+ }
+
 // Allow traffic out from external interface to anywhere
 filter += &format!(
 "-A OUTPUT -o {extif} -s {extip}/{extmask} -d {universe} -j ACCEPT\n",
@@ -186,10 +200,6 @@ fn filter(interfaces: &Interfaces) -> String {
 
 // Accept packets over tunnel interfaces
 for iface in &interfaces.tunnel {
- filter += &format!(
- "-A INPUT -o {tunface} -j ACCEPT\n",
- tunface = iface.interface,
- );
 filter += &format!(
 "-A FORWARD -i {tunface} -j ACCEPT\n",
 tunface = iface.interface,
@@ -198,10 +208,6 @@ fn filter(interfaces: &Interfaces) -> String {
 "-A FORWARD -o {tunface} -j ACCEPT\n",
 tunface = iface.interface,
 );
- filter += &format!(
- "-A OUTPUT -o {tunface} -j ACCEPT\n",
- tunface = iface.interface,
- );
 }
 
 // Accept TCP packets
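Review bot: The new INPUT loop in the first hunk accepts everything arriving on a tunnel interface and sits ahead of the `-A INPUT -s {universe} -d {universe} -j REJECT` rule, so tunnel traffic is never evaluated against that reject or against any INPUT rule appended later in `filter` (the rest of the function is outside the hunk). If that ordering is the reason for the move, it should be stated next to the loop, for example `// Tunnel interfaces are trusted: accept before the universe REJECT below`. If only certain peers are expected on the tunnels, the rule could additionally match on `-s` instead of accepting by interface alone. The OUTPUT loop added in the second hunk has the same shape and would benefit from the same comment.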
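Review bot: `iface.interface` is written into the ruleset text unchecked by the OUTPUT loop in the second hunk, so a name containing whitespace or a newline would change the generated rule or append further lines to the ruleset. Whether names are validated where `Interfaces` is built is not visible from this diff; if they are not, a guard before formatting such as `assert!(!iface.interface.contains(char::is_whitespace), "invalid tunnel interface name");` (assuming the field is a string type) keeps the output to one rule per interface. The INPUT loop in the first hunk and the remaining FORWARD loop format the same field in the same way, so the check is best done once, before any of the loops run.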