diff --git a/modules/nixos/guests/torrent/default.nix b/modules/nixos/guests/torrent/default.nix
index 6be19be..b58f8c4 100755
--- a/modules/nixos/guests/torrent/default.nix
+++ b/modules/nixos/guests/torrent/default.nix
@@ -46,15 +46,19 @@ in
           ${pkgs.iptables}/bin/iptables -A INPUT -i lo -j ACCEPT
           ${pkgs.iptables}/bin/iptables -A OUTPUT -o lo -j ACCEPT
 
-          # Allow established/related connections
-          ${pkgs.iptables}/bin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+          # Allow established/related connections on VPN interface only
+          ${pkgs.iptables}/bin/iptables -A INPUT -i wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+          ${pkgs.iptables}/bin/iptables -A OUTPUT -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+          # Allow established/related connections on local network (for management)
+          ${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 -s ${localNet} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+          ${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -d ${localNet} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
           # Allow SSH on all interfaces (for management)
           ${pkgs.iptables}/bin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+          ${pkgs.iptables}/bin/iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
-          # Allow local network for management (WebUI, etc)
+          # Allow local network for management (WebUI, etc) - NEW connections
           ${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 -s ${localNet} -j ACCEPT
           ${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -d ${localNet} -j ACCEPT
 
@@ -62,10 +66,17 @@ in
           ${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -p udp --dport ${toString torrentPort} -d ${vpnEndpoint} -j ACCEPT
           ${pkgs.iptables}/bin/iptables -A INPUT -i enp0s5 -p udp --sport ${toString torrentPort} -s ${vpnEndpoint} -j ACCEPT
 
-          # Allow DNS for WireGuard resolution (if needed)
-          ${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -p udp --dport 53 -d ${localNet} -j ACCEPT
+          # DNS: Only allow through VPN gateway (10.2.0.1) - no local DNS leaks
+          # This rule will only work once WireGuard is up
+          # If you need DNS before VPN for WireGuard hostname resolution, uncomment below:
+          # ${pkgs.iptables}/bin/iptables -A OUTPUT -o enp0s5 -p udp --dport 53 -d 192.168.50.1 -j ACCEPT
 
-          # Log dropped packets (optional, for debugging)
+          # Block IPv6 completely (defense in depth, even though we disabled it)
+          ${pkgs.iptables}/bin/ip6tables -P INPUT DROP 2>/dev/null || true
+          ${pkgs.iptables}/bin/ip6tables -P OUTPUT DROP 2>/dev/null || true
+          ${pkgs.iptables}/bin/ip6tables -P FORWARD DROP 2>/dev/null || true
+
+          # Log dropped packets (optional, for debugging - comment out in production)
           ${pkgs.iptables}/bin/iptables -A OUTPUT -j LOG --log-prefix "KILLSWITCH-OUT: " --log-level 4
           ${pkgs.iptables}/bin/iptables -A INPUT -j LOG --log-prefix "KILLSWITCH-IN: " --log-level 4
         '';