diff --git a/hosts/hainich/configuration.nix b/hosts/hainich/configuration.nix
index d4505ca..aedeefa 100644
--- a/hosts/hainich/configuration.nix
+++ b/hosts/hainich/configuration.nix
@@ -51,7 +51,7 @@
     interface = "enp6s0";
   };
 
-  networking.nat.enable = true;
+  hacc.nftables.nat.enable = true;
   networking.nat.internalInterfaces = ["ve-+"];
   networking.nat.externalInterface = "enp6s0";
 
diff --git a/modules/default.nix b/modules/default.nix
index b6bcd29..22801f9 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -4,5 +4,6 @@ let
 in {
   imports = [
     "${sources.immae-nix}/modules/webapps/peertube.nix"
+    ./nftnat
   ];
 }
diff --git a/modules/nftnat/default.nix b/modules/nftnat/default.nix
new file mode 100644
index 0000000..c489206
--- /dev/null
+++ b/modules/nftnat/default.nix
@@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.hacc.nftables.nat;
+  nats = config.networking.nat;
+in {
+  options.hacc.nftables.nat = {
+    enable = mkEnableOption "Wrap NAT into nftables.";
+    forwardPorts = mkOption {
+      type = with types; listOf (submodule {
+        options = {
+          ports = mkOption {
+            type = types.listOf (types.either types.int (types.strMatching "[[:digit:]]+-[[:digit:]]+"));
+          };
+          destination = mkOption {
+            type = types.str;
+            example = "10.0.0.1";
+          };
+          proto = mkOption {
+            type = types.str;
+            default = "tcp";
+            example = "udp";
+          };
+        };
+      });
+      default = [];
+      example = [{ ports = [ 8080 "9100-9200" ]; destination = "192.168.100.2"; proto = "udp"; }];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.nat.enable = mkOverride 99 false;
+
+    boot = {
+      kernelModules = [ "nf_nat_ftp" ];
+      kernel.sysctl = {
+        "net.ipv4.conf.all.forwarding" = mkOverride 98 true;
+        "net.ipv4.conf.default.forwarding" = mkOverride 98 true;
+      };
+    };
+
+    petabyte.nftables = {
+      enable = true;
+
+      extraConfig = ''
+        table ip nat {
+          chain prerouting {
+            type nat hook prerouting priority -100
+            ${concatMapStringsSep "\n" (rule: "iif ${nats.externalInterface} ${rule.proto} dport { ${concatStringsSep ", " (map (x: toString x) rule.ports)} } dnat ${rule.destination}") cfg.forwardPorts}
+          }
+          chain postrouting {
+            type nat hook postrouting priority 100
+            ${concatMapStringsSep "\n" (iface: "iifname ${replaceStrings ["+"] ["*"] iface} oifname ${nats.externalInterface} masquerade") nats.internalInterfaces}
+            ${concatMapStringsSep "\n" (addr: "ip saddr ${addr} oifname ${nats.externalInterface} masquerade") nats.internalIPs}
+          }
+        }
+      '';
+    };
+  };
+}