diff --git a/tinc/tinc-up.tmpl b/tinc/tinc-up.tmpl
index 8e572d5..24e92d6 100644
--- a/tinc/tinc-up.tmpl
+++ b/tinc/tinc-up.tmpl
@@ -13,14 +13,18 @@ ifconfig ${internal_interface} ${internal_address6}/${internal_mask6:-128}
 iptables -t nat -I PREROUTING -d {{ . }} -i eth0 -j DNAT --to-destination ${tinc_peer_address}
 {{ end }}{{ end }}
 
-# Enable IPv4 kernel routing/forwarding for this network
-iptables -A FORWARD -o \$INTERFACE -d ${network_address}/${global_prefix:-16} -j ACCEPT
-{{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}iptables -A FORWARD -o eth0 -d {{.}} -j ACCEPT
-{{ end }}{{ end }}
+# Plugins may communicate over eth0, the 'internal' docker network.
+# Because of this, we should allow masquerading NAT through eth0
+iptables -t nat -A POSTROUTING -i eth0 -o \$INTERFACE -j MASQUERADE
 
 # Prevent spoofing attacks
 iptables -A FORWARD -i \$INTERFACE ! -s ${network_address}/${global_prefix:-16} -j DROP
 {{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}iptables -A FORWARD -i \$INTERFACE -s {{.}} -j DROP
 {{ end }}{{ end }}
 
+# Enable IPv4 kernel routing/forwarding for this network
+iptables -A FORWARD -o \$INTERFACE -d ${network_address}/${global_prefix:-16} -j ACCEPT
+{{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}iptables -A FORWARD -o eth0 -d {{.}} -j ACCEPT
+{{ end }}{{ end }}
+
 ifconfig \$INTERFACE ${tinc_peer_address} netmask ${netmask:-255.255.255.0}
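Review bot: The new MASQUERADE rule uses `-i eth0` in the nat POSTROUTING chain, which iptables does not permit (`-i` is only valid in INPUT, FORWARD and PREROUTING), so the rule is rejected at load time and tinc-up stops producing the intended NAT (and, depending on how the generated script handles errors, may abort before the FORWARD and `ifconfig` lines that follow). Match the traffic by source instead, e.g. `iptables -t nat -A POSTROUTING -s <DOCKER_INTERNAL_SUBNET> -o \$INTERFACE -j MASQUERADE` with the docker network's address range substituted, or `! -s ${network_address}/${global_prefix:-16} -o \$INTERFACE -j MASQUERADE` if any non-tinc source leaving the tunnel should be rewritten. Worth noting in the comment that masquerading rewrites every plugin flow to `${tinc_peer_address}`, so remote peers and their anti-spoof DROP rules see one source and per-plugin attribution is only available from this host's own logs; a one-line `# NOTE: peers see all plugin traffic as ${tinc_peer_address}` would make that trade-off explicit. The reordering of the FORWARD ACCEPT rules after the anti-spoof DROP rules is correct as written.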