diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index 770ad96..72680fc 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -156,6 +156,9 @@
 # iifname "multimedia" ip saddr tcp dport { llmnr } counter accept
 # iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept
+ # Accept web to git server
+ iifname "wan" oifname "server" tcp dst 10.42.97.50 dport { 22, 80, 443 } counter accept
+
 # Allow returning traffic from wg_cloonar and drop everthing else
 iifname "wg_cloonar" ct state { established, related } counter accept
 iifname "wg_cloonar" drop
@@ -172,6 +175,7 @@
 iifname "wg_ghetto_at" ct state { established, related } counter accept
 iifname "wg_ghetto_at" drop
+ # Allow returning traffic from wan and drop everthing else
 iifname "wan" ct state { established, related } accept comment "Allow established traffic"
 iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
 iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
@@ -213,12 +217,14 @@
 table ip nat {
 chain prerouting {
 type nat hook prerouting priority filter; policy accept;
+ iifname "wan" tcp dport { 22, 80, 443 } dnat to 10.42.97.50
 }
 # Setup NAT masquerading on external interfaces
 chain postrouting {
 type nat hook postrouting priority filter; policy accept;
 oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
+ ip daddr 10.42.97.50 masquerade
 }
 }
 '';
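Review bot: The new forward rule in the first hunk matches on `tcp dst 10.42.97.50`, which is not an nftables tcp header field (tcp exposes sport, dport, flags and the like), so `nft -f` rejects the whole ruleset and, depending on how the nftables service handles a failed load at boot, this firewall host may come up with no rules loaded at all; the destination belongs in an `ip daddr` match, `iifname "wan" oifname "server" ip daddr 10.42.97.50 tcp dport { 22, 80, 443 } counter accept`. In the third hunk `ip daddr 10.42.97.50 masquerade` rewrites the source address of every connection to the git server, LAN clients included, so its sshd and web logs and any per-source rate limiting on that host only ever see the firewall's own address; if a hairpin SNAT is needed at all, restrict it to the DNAT'd WAN flows, e.g. `ct status dnat ip daddr 10.42.97.50 masquerade`. The comment "Accept web to git server" also covers port 22, so it is worth stating that SSH is being published to the WAN, e.g. `# Publish git over ssh/http/https (22, 80, 443) to 10.42.97.50`; the surrounding forward chain starts and ends outside the hunk.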