diff --git a/nixcfgs/hosts/zephyrus/default.nix b/nixcfgs/hosts/zephyrus/default.nix
index de9ce2b..fc408f7 100644
--- a/nixcfgs/hosts/zephyrus/default.nix
+++ b/nixcfgs/hosts/zephyrus/default.nix
@@ -9,6 +9,7 @@
     # core config and packages
     ../../modules/nixos
     ../../modules/nixos/core/nix-ld.nix
+    ../../modules/nixos/core/nftables.nix
 
     # this is a laptop
     ../../modules/nixos/desktop
diff --git a/nixcfgs/modules/nixos/core/nftables.nix b/nixcfgs/modules/nixos/core/nftables.nix
new file mode 100644
index 0000000..4f804e6
--- /dev/null
+++ b/nixcfgs/modules/nixos/core/nftables.nix
@@ -0,0 +1,10 @@
+{pkgs, ...}: {
+  networking.nftables = {
+    enable = true;
+  };
+  networking.firewall.backend = "nftables";
+
+  environment.systemPackages = with pkgs; [
+    iptables-nftables-compat
+  ];
+}
diff --git a/nixcfgs/modules/nixos/programs/waydroid.nix b/nixcfgs/modules/nixos/programs/waydroid.nix
index 1f8c74a..2b405d5 100644
--- a/nixcfgs/modules/nixos/programs/waydroid.nix
+++ b/nixcfgs/modules/nixos/programs/waydroid.nix
@@ -13,6 +13,12 @@
     nur.repos.ataraxiasjel.waydroid-script
     waydroid-helper
   ];
+
+  networking = {
+    firewall.trustedInterfaces = ["waydroid0"];
+    nat.enable = true;
+  };
+
   systemd = {
     packages = [pkgs.waydroid-helper];
     services.waydroid-mount = {