diff --git a/ansible/roles/pre-configure/templates/nftables.conf b/ansible/roles/pre-configure/templates/nftables.conf
index 1e8aee1b8e31d818b5ef64ec5b01b4362280b30a..852901bbf116de805b45b5a7df49a1fc5a9e2fb5 100644
--- a/ansible/roles/pre-configure/templates/nftables.conf
+++ b/ansible/roles/pre-configure/templates/nftables.conf
@@ -2,6 +2,16 @@
 
 flush ruleset
 
+table inet nat {
+  chain PREROUTING {
+    # set priority to dstnat - 1
+    type nat hook prerouting priority -101; policy accept;
+    # translate any ! 10.0.0.0/8 source address headed for nodeports to a dummy ip
+    ip saddr != {10.0.0.0/8} tcp dport { 30000-32767 } counter dnat to 172.16.16.16
+  }
+}
+
+
 table inet filter {
   chain INPUT {
     type filter hook input priority 0; policy drop;
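Review bot: The new rule in `inet nat PREROUTING` matches only `tcp dport`, so UDP traffic from outside 10.0.0.0/8 to the 30000-32767 range is not rewritten and still reaches any UDP NodePort service. Matching on the transport header instead would cover both: `ip saddr != 10.0.0.0/8 meta l4proto { tcp, udp } th dport 30000-32767 counter dnat to 172.16.16.16`; add `sctp` if such services are exposed. The match on `ip saddr` also means IPv6 packets skip the rule even though the table is `inet`. Whether the nodes have IPv6 connectivity is not visible here, so a comment stating that this is IPv4-only by design, or a matching `ip6` rule, would close that question.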
@@ -33,7 +43,10 @@ table inet filter {
   }
 
   chain FORWARD {
-    type filter hook forward priority 0; policy accept;
+    # set priority to -1 to make sure we are processed before ip filter FORWARD
+    type filter hook forward priority -1; policy accept;
+    # drop all traffic destined for the dummy ip we set earlier in our inet nat PREROUTING
+    ip daddr 172.16.16.16 counter drop
   }
 
   chain OUTPUT {
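Review bot: The `ip daddr 172.16.16.16 counter drop` rule in `FORWARD` only works if the rewritten packet is routed through the forward hook. If 172.16.16.16 were ever assigned locally on a node, the packet would go to INPUT and this rule would never see it. The address is also repeated as a literal here and in the `dnat to` rule of `inet nat PREROUTING`. A single `define nodeport_sink = 172.16.16.16` near the top of the template, used as `$nodeport_sink` in both rules, would keep the two from drifting apart. The priority comment is slightly misleading: a drop verdict is final whatever the order of base chains, so `priority -1` changes ordering and counters, not whether the drop holds. I would reword it to something like `# evaluated before the priority-0 ip filter FORWARD chain; the drop itself is final either way`.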