diff --git a/tinc/tinc-up.tmpl b/tinc/tinc-up.tmpl
index 24e92d6..23697db 100644
--- a/tinc/tinc-up.tmpl
+++ b/tinc/tinc-up.tmpl
@@ -15,6 +15,7 @@ iptables -t nat -I PREROUTING -d {{ . }} -i eth0 -j DNAT --to-destination ${tinc
 
 # Plugins may communicate over eth0, the 'internal' docker network.
 # Because of this, we should allow masquerading NAT through eth0
+iptables -A FORWARD -i eth0 -o \$INTERFACE -j ACCEPT
 iptables -t nat -A POSTROUTING -i eth0 -o \$INTERFACE -j MASQUERADE
 
 # Prevent spoofing attacks